upstream/ipython Commit - r15651:0756833f

sanitize CSS...

MinRK -

r15651:0756833f

parent child

IPython/html/static/base/js/security.js

0 +54 -3

             //----------------------------------------------------------------------------
             //  Copyright (C) 2014  The IPython Development Team
             //
             //  Distributed under the terms of the BSD License.  The full license is in
             //  the file COPYING, distributed as part of this software.
             //----------------------------------------------------------------------------
             //============================================================================
             // Utilities
             //============================================================================
             IPython.namespace('IPython.security');
             IPython.security = (function (IPython) {
                 "use strict";
                 var utils = IPython.utils;
                 var noop = function (x) { return x; };
                 var cmp_tree = function (a, b) {
                     // compare two HTML trees
                     // only checks the tag structure is preserved,
                     // not any attributes or contents
                     if (a.length !== b.length) {
                         return false;
                     }
                     for (var i = a.length - 1; i >= 0; i--) {
                         if ((a[i].tagName || '').toLowerCase() != (b[i].tagName || '').toLowerCase()) {
                             return false;
                         }
                     }
                     var ac = a.children();
                     var bc = b.children();
                     if (ac.length === 0 && bc.length === 0) {
                         return true;
                     }
                     return cmp_tree(ac, bc);
                 };
                 var caja;
                 if (window && window.html) {
                     caja = window.html;
                     caja.html4 = window.html4;
+                    caja.sanitizeStylesheet = window.sanitizeStylesheet;
                 }
                 var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
                     // wrap sanitizeAttribs into trusting data-attributes
                     var ATTRIBS = caja.html4.ATTRIBS;
                     for (var i = 0; i < attribs.length; i += 2) {
                         var attribName = attribs[i];
                         if (attribName.substr(0,5) == 'data-') {
                             var attribKey = '*::' + attribName;
                             if (!ATTRIBS.hasOwnProperty(attribKey)) {
                                 ATTRIBS[attribKey] = 0;
                             }
                         }
                     }
                     return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
                 };
-                var sanitize = function (html, log) {
+                var sanitize_css = function (css, tagPolicy) {
+                    return caja.sanitizeStylesheet(
+                        window.location.pathname,
+                        css,
+                        {
+                            containerClass: null,
+                            idSuffix: '',
+                            tagPolicy: tagPolicy,
+                            virtualizeAttrName: noop
+                        },
+                        noop
+                    );
+                };
+                var sanitize_stylesheets = function (html, tagPolicy) {
+                    var h = $("<div/>").append(html);
+                    var style_tags = h.find("style");
+                    if (!style_tags.length) {
+                        // no style tags to sanitize
+                        return html;
+                    }
+                    style_tags.each(function(i, style) {
+                        style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
+                    });
+                    return h.html();
+                };
+                var sanitize = function (html, allow_css) {
                     // sanitize HTML
+                    // if allow_css is true (default), CSS is sanitized as well.
+                    // otherwise, CSS elements and attributes are simply removed.
                     // returns a struct of
                     // {
                     //   src: original_html,
                     //   sanitized: the_sanitized_html,
                     //   _maybe_safe: bool // false if the sanitizer definitely made changes.
                     //                        This is an incomplete indication,
                     //                        only used to indicate whether further verification is necessary.
                     // }
+                    var html4 = caja.html4;
+                    if (allow_css === undefined) allow_css = true;
+                    if (allow_css) {
+                        // allow sanitization of style tags,
+                        // not just scrubbing
+                        html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
+                        html4.ATTRIBS.style = html4.atype.STYLE;
+                    } else {
+                        // scrub all CSS
+                        html4.ELEMENTS.style |= html4.eflags.UNSAFE;
+                        html4.ATTRIBS.style = html4.atype.SCRIPT;
+                    }
                     var result = {
                         src : html,
                         _maybe_safe : true
                     };
                     var record_messages = function (msg, opts) {
                         console.log("HTML Sanitizer", msg, opts);
                         result._maybe_safe = false;
                     };
-                    var html4 = caja.html4;
                     var policy = function (tagName, attribs) {
                         if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
                             return {
                                 'attribs': sanitizeAttribs(tagName, attribs,
                                     noop, noop, record_messages)
                                 };
                         } else {
                             record_messages(tagName + " removed", {
                               change: "removed",
                               tagName: tagName
                             });
                         }
                     };
                     result.sanitized = caja.sanitizeWithPolicy(html, policy);
+                    if (allow_css) {
+                        // sanitize style tags as stylesheets
+                        result.sanitized = sanitize_stylesheets(result.sanitized, policy);
+                    }
                     return result;
                 };
                 var sanitize_html = function (html) {
                     // shorthand for str-to-str conversion, dropping the struct
                     return sanitize(html).sanitized;
                 };
                 var is_safe = function (html) {
                     // just return bool for whether an HTML string is safe
+                    // this is not currently used for anything other than tests.
                     var result = sanitize(html);
                     // caja can strip whole elements without logging,
                     // so double-check that node structure didn't change
                     if (result._maybe_safe) {
                         result.safe = cmp_tree($(result.sanitized), $(html));
                     } else {
                         result.safe = false;
                     }
                     return result.safe;
                 };
                 return {
+                    caja: caja,
                     is_safe: is_safe,
                     sanitize: sanitize,
                     sanitize_html: sanitize_html
                 };
             }(IPython));

IPython/html/templates/notebook.html

0 +1 -1

             {% extends "page.html" %}
             {% block stylesheet %}
             {% if mathjax_url %}
             <script type="text/javascript" src="{{mathjax_url}}?config=TeX-AMS_HTML-full&delayStartupUntil=configured" charset="utf-8"></script>
             {% endif %}
             <script type="text/javascript">
             // MathJax disabled, set as null to distingish from *missing* MathJax,
             // where it will be undefined, and should prompt a dialog later.
             window.mathjax_url = "{{mathjax_url}}";
             </script>
             <link rel="stylesheet" href="{{ static_url("components/codemirror/lib/codemirror.css") }}">
             {{super()}}
             <link rel="stylesheet" href="{{ static_url("notebook/css/override.css") }}" type="text/css" />
             {% endblock %}
             {% block params %}
             data-project="{{project}}"
             data-base-url="{{base_url}}"
             data-notebook-name="{{notebook_name}}"
             data-notebook-path="{{notebook_path}}"
             class="notebook_app"
             {% endblock %}
             {% block header %}
             <span id="save_widget" class="nav pull-left">
                 <span id="notebook_name"></span>
                 <span id="checkpoint_status"></span>
                 <span id="autosave_status"></span>
             </span>
             {% endblock %}
             {% block site %}
             <div id="menubar-container" class="container">
             <div id="menubar">
             <div class="navbar">
               <div class="navbar-inner">
                 <div class="container">
                 <ul id="menus" class="nav">
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">File</a>
                         <ul id="file_menu" class="dropdown-menu">
                             <li id="new_notebook"
                                 title="Make a new notebook (Opens a new window)">
                                 <a href="#">New</a></li>
                             <li id="open_notebook"
                                 title="Opens a new window with the Dashboard view">
                                 <a href="#">Open...</a></li>
                             <!-- <hr/> -->
                             <li class="divider"></li>
                             <li id="copy_notebook"
                                 title="Open a copy of this notebook's contents and start a new kernel">
                                 <a href="#">Make a Copy...</a></li>
                             <li id="rename_notebook"><a href="#">Rename...</a></li>
                             <li id="save_checkpoint"><a href="#">Save and Checkpoint</a></li>
                             <!-- <hr/> -->
                             <li class="divider"></li>
                             <li id="restore_checkpoint" class="dropdown-submenu"><a href="#">Revert to Checkpoint</a>
                               <ul class="dropdown-menu">
                                 <li><a href="#"></a></li>
                                 <li><a href="#"></a></li>
                                 <li><a href="#"></a></li>
                                 <li><a href="#"></a></li>
                                 <li><a href="#"></a></li>
                               </ul>
                             </li>
                             <li class="divider"></li>
                             <li id="print_preview"><a href="#">Print Preview</a></li>
                             <li class="dropdown-submenu"><a href="#">Download as</a>
                                 <ul class="dropdown-menu">
                                     <li id="download_ipynb"><a href="#">IPython Notebook (.ipynb)</a></li>
                                     <li id="download_py"><a href="#">Python (.py)</a></li>
                                     <li id="download_html"><a href="#">HTML (.html)</a></li>
                                     <li id="download_rst"><a href="#">reST (.rst)</a></li>
                                 </ul>
                             </li>
                             <li class="divider"></li>
                             <li id="kill_and_exit"
                                 title="Shutdown this notebook's kernel, and close this window">
                                 <a href="#" >Close and halt</a></li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Edit</a>
                         <ul id="edit_menu" class="dropdown-menu">
                             <li id="cut_cell"><a href="#">Cut Cell</a></li>
                             <li id="copy_cell"><a href="#">Copy Cell</a></li>
                             <li id="paste_cell_above" class="disabled"><a href="#">Paste Cell Above</a></li>
                             <li id="paste_cell_below" class="disabled"><a href="#">Paste Cell Below</a></li>
                             <li id="paste_cell_replace" class="disabled"><a href="#">Paste Cell &amp; Replace</a></li>
                             <li id="delete_cell"><a href="#">Delete Cell</a></li>
                             <li id="undelete_cell" class="disabled"><a href="#">Undo Delete Cell</a></li>
                             <li class="divider"></li>
                             <li id="split_cell"><a href="#">Split Cell</a></li>
                             <li id="merge_cell_above"><a href="#">Merge Cell Above</a></li>
                             <li id="merge_cell_below"><a href="#">Merge Cell Below</a></li>
                             <li class="divider"></li>
                             <li id="move_cell_up"><a href="#">Move Cell Up</a></li>
                             <li id="move_cell_down"><a href="#">Move Cell Down</a></li>
                             <li class="divider"></li>
                             <li id="edit_nb_metadata"><a href="#">Edit Notebook Metadata</a></li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">View</a>
                         <ul id="view_menu" class="dropdown-menu">
                             <li id="toggle_header"
                                 title="Show/Hide the IPython Notebook logo and notebook title (above menu bar)">
                                 <a href="#">Toggle Header</a></li>
                             <li id="toggle_toolbar"
                                 title="Show/Hide the action icons (below menu bar)">
                                 <a href="#">Toggle Toolbar</a></li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Insert</a>
                         <ul id="insert_menu" class="dropdown-menu">
                             <li id="insert_cell_above"
                                 title="Insert an empty Code cell above the currently active cell">
                                 <a href="#">Insert Cell Above</a></li>
                             <li id="insert_cell_below"
                                 title="Insert an empty Code cell below the currently active cell">
                                 <a href="#">Insert Cell Below</a></li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Cell</a>
                         <ul id="cell_menu" class="dropdown-menu">
                             <li id="run_cell" title="Run this cell, and move cursor to the next one">
                                 <a href="#">Run</a></li>
                             <li id="run_cell_select_below" title="Run this cell, select below">
                                 <a href="#">Run and Select Below</a></li>
                             <li id="run_cell_insert_below" title="Run this cell, insert below">
                                 <a href="#">Run and Insert Below</a></li>
                             <li id="run_all_cells" title="Run all cells in the notebook">
                                 <a href="#">Run All</a></li>
                             <li id="run_all_cells_above" title="Run all cells above (but not including) this cell">
                                 <a href="#">Run All Above</a></li>
                             <li id="run_all_cells_below" title="Run this cell and all cells below it">
                                 <a href="#">Run All Below</a></li>
                             <li class="divider"></li>
                             <li id="change_cell_type" class="dropdown-submenu"
                                 title="All cells in the notebook have a cell type. By default, new cells are created as 'Code' cells">
                                 <a href="#">Cell Type</a>
                                 <ul class="dropdown-menu">
                                   <li id="to_code"
                                       title="Contents will be sent to the kernel for execution, and output will display in the footer of cell">
                                       <a href="#">Code</a></li>
                                   <li id="to_markdown"
                                       title="Contents will be rendered as HTML and serve as explanatory text">
                                       <a href="#">Markdown</a></li>
                                   <li id="to_raw"
                                       title="Contents will pass through nbconvert unmodified">
                                       <a href="#">Raw NBConvert</a></li>
                                   <li id="to_heading1"><a href="#">Heading 1</a></li>
                                   <li id="to_heading2"><a href="#">Heading 2</a></li>
                                   <li id="to_heading3"><a href="#">Heading 3</a></li>
                                   <li id="to_heading4"><a href="#">Heading 4</a></li>
                                   <li id="to_heading5"><a href="#">Heading 5</a></li>
                                   <li id="to_heading6"><a href="#">Heading 6</a></li>
                                 </ul>
                             </li>
                             <li class="divider"></li>
                             <li id="current_outputs" class="dropdown-submenu"><a href="#">Current Output</a>
                                 <ul class="dropdown-menu">
                                     <li id="toggle_current_output"
                                         title="Hide/Show the output of the current cell">
                                         <a href="#">Toggle</a>
                                     </li>
                                     <li id="toggle_current_output_scroll"
                                         title="Scroll the output of the current cell">
                                         <a href="#">Toggle Scrolling</a>
                                     </li>
                                     <li id="clear_current_output"
                                         title="Clear the output of the current cell">
                                         <a href="#">Clear</a>
                                     </li>
                                 </ul>
                             </li>
                             <li id="all_outputs" class="dropdown-submenu"><a href="#">All Output</a>
                                 <ul class="dropdown-menu">
                                     <li id="toggle_all_output"
                                         title="Hide/Show the output of all cells">
                                         <a href="#">Toggle</a>
                                     </li>
                                     <li id="toggle_all_output_scroll"
                                         title="Scroll the output of all cells">
                                         <a href="#">Toggle Scrolling</a>
                                     </li>
                                     <li id="clear_all_output"
                                         title="Clear the output of all cells">
                                         <a href="#">Clear</a>
                                     </li>
                                 </ul>
                             </li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Kernel</a>
                         <ul id="kernel_menu" class="dropdown-menu">
                             <li id="int_kernel"
                                 title="Send KeyboardInterrupt (CTRL-C) to the Kernel">
                                 <a href="#">Interrupt</a></li>
                             <li id="restart_kernel"
                                 title="Restart the Kernel">
                                 <a href="#">Restart</a></li>
                         </ul>
                     </li>
                     <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Help</a>
                         <ul  id="help_menu" class="dropdown-menu">
                             <li id="keyboard_shortcuts" title="Opens a tooltip with all keyboard shortcuts"><a href="#">Keyboard Shortcuts</a></li>
                             <li class="divider"></li>
                             {% set
                                 sections = (
                                     (
                                         ("http://ipython.org/documentation.html","IPython Help",True),
                                         ("http://nbviewer.ipython.org/github/ipython/ipython/tree/master/examples/notebooks/", "Notebook Examples", True),
                                         ("http://ipython.org/ipython-doc/stable/interactive/notebook.html","Notebook Help",True),
                                         ("http://ipython.org/ipython-doc/dev/interactive/cm_keyboard.html","Editor Shortcuts",True),
                                     ),(
                                         ("http://docs.python.org","Python",True),
                                         ("http://docs.scipy.org/doc/numpy/reference/","NumPy",True),
                                         ("http://docs.scipy.org/doc/scipy/reference/","SciPy",True),
                                         ("http://matplotlib.org/contents.html","Matplotlib",True),
                                         ("http://docs.sympy.org/dev/index.html","SymPy",True),
                                         ("http://pandas.pydata.org/pandas-docs/stable/","pandas", True)
                                     )
                                 )
                             %}
                             {% for helplinks in sections %}
                                 {% for link in helplinks %}
                                     <li><a href="{{link[0]}}" {{'target="_blank" title="Opens in a new window"' if link[2]}}>
                                     {{'<i class="icon-external-link menu-icon pull-right"></i>' if link[2]}}
                                     {{link[1]}}
                                     </a></li>
                                 {% endfor %}
                                 {% if not loop.last %}
                                     <li class="divider"></li>
                                 {% endif %}
                             {% endfor %}
                             </li>
                         </ul>
                     </li>
                 </ul>
                 <div id="kernel_indicator" class="indicator_area pull-right">
                    <i id="kernel_indicator_icon"></i>
                 </div>
                 <div id="modal_indicator" class="indicator_area pull-right">
                    <i id="modal_indicator_icon"></i>
                 </div>
                 <div id="notification_area"></div>
                 </div>
               </div>
             </div>
             </div>
             <div id="maintoolbar" class="navbar">
               <div class="toolbar-inner navbar-inner navbar-nobg">
                 <div id="maintoolbar-container" class="container"></div>
               </div>
             </div>
             </div>
             <div id="ipython-main-app">
                 <div id="notebook_panel">
                     <div id="notebook"></div>
                     <div id="pager_splitter"></div>
                     <div id="pager">
                         <div id='pager_button_area'>
                         </div>
                         <div id="pager-container" class="container"></div>
                     </div>
                 </div>
             </div>
             <div id='tooltip' class='ipython_tooltip' style='display:none'></div>
             {% endblock %}
             {% block script %}
             {{super()}}
-            <script src="{{ static_url("components/google-caja/google-caja/html-sanitizer-minified.js") }}" charset="utf-8"></script>
+            <script src="{{ static_url("components/google-caja/html-css-sanitizer-minified.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script>
             <script type="text/javascript">
                 CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}";
             </script>
             <script src="{{ static_url("components/codemirror/addon/mode/loadmode.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/addon/mode/multiplex.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/addon/mode/overlay.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/addon/edit/matchbrackets.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/addon/edit/closebrackets.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/addon/comment/comment.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/htmlmixed/htmlmixed.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/xml/xml.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/javascript/javascript.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/css/css.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/rst/rst.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/markdown/markdown.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/gfm/gfm.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/codemirror/mode/python/python.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/codemirror-ipython.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("components/highlight.js/build/highlight.pack.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("dateformat/date.format.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("base/js/security.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("services/sessions/js/session.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/layoutmanager.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/mathjaxutils.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/outputarea.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/cell.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/celltoolbar.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/codecell.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/completer.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/textcell.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/savewidget.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/quickhelp.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/pager.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/menubar.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/toolbar.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/maintoolbar.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/notebook.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/keyboardmanager.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/notificationwidget.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/notificationarea.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/tooltip.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/config.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/main.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/contexthint.js") }}" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/celltoolbarpresets/default.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/celltoolbarpresets/rawcell.js") }}" type="text/javascript" charset="utf-8"></script>
             <script src="{{ static_url("notebook/js/celltoolbarpresets/slideshow.js") }}" type="text/javascript" charset="utf-8"></script>
             {% endblock %}

IPython/html/tests/base/security.js

0 +6 -1

             safe_tests = [
                 "<p>Hi there</p>",
                 '<h1 class="foo">Hi There!</h1>',
                 '<a data-cite="foo">citation</a>',
                 '<div><span>Hi There</span></div>',
+                '<style>div.foo { background: #ffff; }</style>',
             ];
             unsafe_tests = [
                 "<script>alert(999);</script>",
                 '<a onmouseover="alert(999)">999</a>',
                 '<a onmouseover=alert(999)>999</a>',
                 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
                 '<IMG SRC=# onmouseover="alert(999)">',
                 '<<SCRIPT>alert(999);//<</SCRIPT>',
                 '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
                 '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
                 '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
                 '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
                 '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
-                '<style type="text/css">div.foo { background: #ffff; }</style>',
+                '<style src="http://untrusted/style.css"></style>',
                 '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
             ];
             casper.notebook_test(function () {
                 this.each(safe_tests, function (self, item) {
                     var is_safe = self.evaluate(function (item) {
                         return IPython.security.is_safe(item);
                     }, item);
+                    var sanitized = self.evaluate(function (item) {
+                        return IPython.security.sanitize_html(item);
+                    }, item);
                     this.test.assert(is_safe, "Safe: " + item);
                 });
                 this.each(unsafe_tests, function (self, item) {
                     var is_safe = self.evaluate(function (item) {
                         return IPython.security.is_safe(item);
                     }, item);
                     this.test.assert(!is_safe, "Unsafe: " + item);
                     var sanitized = self.evaluate(function (item) {
                         return IPython.security.sanitize_html(item);
                     }, item);
                     this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);
                 });
             });

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages