sanitize CSS...
MinRK -
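--- a/<path-not-on-page>/security.js
+++ b/<path-not-on-page>/security.js
@@ -1,126 +1,177 @@
 //----------------------------------------------------------------------------
 // Copyright (C) 2014 The IPython Development Team
 //
 // Distributed under the terms of the BSD License. The full license is in
 // the file COPYING, distributed as part of this software.
 //----------------------------------------------------------------------------
 
 //============================================================================
 // Utilities
 //============================================================================
 IPython.namespace('IPython.security');
 
 IPython.security = (function (IPython) {
 "use strict";
 
 var utils = IPython.utils;
 
 var noop = function (x) { return x; };
 
 var cmp_tree = function (a, b) {
 // compare two HTML trees
 // only checks the tag structure is preserved,
 // not any attributes or contents
 if (a.length !== b.length) {
 return false;
 }
 
 for (var i = a.length - 1; i >= 0; i--) {
 if ((a[i].tagName || '').toLowerCase() != (b[i].tagName || '').toLowerCase()) {
 return false;
 }
 }
 var ac = a.children();
 var bc = b.children();
 if (ac.length === 0 && bc.length === 0) {
 return true;
 }
 return cmp_tree(ac, bc);
 };
 
 var caja;
 if (window && window.html) {
 caja = window.html;
 caja.html4 = window.html4;
+caja.sanitizeStylesheet = window.sanitizeStylesheet;
 }
 
 var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
 // wrap sanitizeAttribs into trusting data-attributes
 var ATTRIBS = caja.html4.ATTRIBS;
 for (var i = 0; i < attribs.length; i += 2) {
 var attribName = attribs[i];
 if (attribName.substr(0,5) == 'data-') {
 var attribKey = '*::' + attribName;
 if (!ATTRIBS.hasOwnProperty(attribKey)) {
 ATTRIBS[attribKey] = 0;
 }
 }
 }
 return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
 };
 
-var sanitize = function (html, log) {
+var sanitize_css = function (css, tagPolicy) {
+return caja.sanitizeStylesheet(
+window.location.pathname,
+css,
+{
+containerClass: null,
+idSuffix: '',
+tagPolicy: tagPolicy,
+virtualizeAttrName: noop
+},
+noop
+);
+};
+
+var sanitize_stylesheets = function (html, tagPolicy) {
+var h = $("<div/>").append(html);
+var style_tags = h.find("style");
+if (!style_tags.length) {
+// no style tags to sanitize
+return html;
+}
+style_tags.each(function(i, style) {
+style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
+});
+return h.html();
+};
+
+var sanitize = function (html, allow_css) {
 // sanitize HTML
+// if allow_css is true (default), CSS is sanitized as well.
+// otherwise, CSS elements and attributes are simply removed.
 // returns a struct of
 // {
 // src: original_html,
 // sanitized: the_sanitized_html,
 // _maybe_safe: bool // false if the sanitizer definitely made changes.
 // This is an incomplete indication,
 // only used to indicate whether further verification is necessary.
 // }
+var html4 = caja.html4;
+
+if (allow_css === undefined) allow_css = true;
+if (allow_css) {
+// allow sanitization of style tags,
+// not just scrubbing
+html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
+html4.ATTRIBS.style = html4.atype.STYLE;
+} else {
+// scrub all CSS
+html4.ELEMENTS.style |= html4.eflags.UNSAFE;
+html4.ATTRIBS.style = html4.atype.SCRIPT;
+}
+
 var result = {
 src : html,
 _maybe_safe : true
 };
 var record_messages = function (msg, opts) {
 console.log("HTML Sanitizer", msg, opts);
 result._maybe_safe = false;
 };
 
-var html4 = caja.html4;
 var policy = function (tagName, attribs) {
 if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
 return {
 'attribs': sanitizeAttribs(tagName, attribs,
 noop, noop, record_messages)
 };
 } else {
 record_messages(tagName + " removed", {
 change: "removed",
 tagName: tagName
 });
 }
 };
-
+
 result.sanitized = caja.sanitizeWithPolicy(html, policy);
+
+if (allow_css) {
+// sanitize style tags as stylesheets
+result.sanitized = sanitize_stylesheets(result.sanitized, policy);
+}
+
 return result;
 };
 
 var sanitize_html = function (html) {
 // shorthand for str-to-str conversion, dropping the struct
 return sanitize(html).sanitized;
 };
 
 var is_safe = function (html) {
 // just return bool for whether an HTML string is safe
+// this is not currently used for anything other than tests.
 var result = sanitize(html);
 
 // caja can strip whole elements without logging,
 // so double-check that node structure didn't change
 if (result._maybe_safe) {
 result.safe = cmp_tree($(result.sanitized), $(html));
 } else {
 result.safe = false;
 }
 return result.safe;
 };
 
 return {
+caja: caja,
 is_safe: is_safe,
 sanitize: sanitize,
 sanitize_html: sanitize_html
 };
 
 }(IPython));
 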
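Review bot: The two new `html4.ATTRIBS.style = …` assignments in `sanitize` appear to write a key the attribute table does not consult: `sanitizeAttribs` earlier in this file builds attribute keys as `'*::' + attribName`, so the entry governing the `style` attribute would be `'*::style'`, and if that holds neither branch changes the effective policy and `allow_css=false` does not scrub inline `style=` attributes as the `// scrub all CSS` comment promises. Suggest `html4.ATTRIBS['*::style'] = html4.atype.STYLE;` and `html4.ATTRIBS['*::style'] = html4.atype.SCRIPT;`, confirmed against the html4 defs the new bundle actually ships, plus a casper case with an inline style attribute under `allow_css=false`. Separately, these writes and the `ELEMENTS.style` flag flips mutate the shared caja tables on every call, so module-global state reflects whichever `allow_css` the last caller passed; `sanitizeWithPolicy` runs synchronously right after, so this is a maintainability hazard rather than a race, but a comment saying so would help the next reader. Also `caja.sanitizeStylesheet = window.sanitizeStylesheet` is assigned without checking it exists, so with only the HTML sanitizer bundle loaded `sanitize_css` throws a TypeError; that fails closed, which is the right direction, but worth stating next to the assignment, as is the fact that `noop` as the URI rewriter leaves any `url(...)` in CSS unrewritten by this layer.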
@@ -1,355 +1,355 b''
1 1 {% extends "page.html" %}
2 2
3 3 {% block stylesheet %}
4 4
5 5 {% if mathjax_url %}
6 6 <script type="text/javascript" src="{{mathjax_url}}?config=TeX-AMS_HTML-full&delayStartupUntil=configured" charset="utf-8"></script>
7 7 {% endif %}
8 8 <script type="text/javascript">
9 9 // MathJax disabled, set as null to distingish from *missing* MathJax,
10 10 // where it will be undefined, and should prompt a dialog later.
11 11 window.mathjax_url = "{{mathjax_url}}";
12 12 </script>
13 13
14 14 <link rel="stylesheet" href="{{ static_url("components/codemirror/lib/codemirror.css") }}">
15 15
16 16 {{super()}}
17 17
18 18 <link rel="stylesheet" href="{{ static_url("notebook/css/override.css") }}" type="text/css" />
19 19
20 20 {% endblock %}
21 21
22 22 {% block params %}
23 23
24 24 data-project="{{project}}"
25 25 data-base-url="{{base_url}}"
26 26 data-notebook-name="{{notebook_name}}"
27 27 data-notebook-path="{{notebook_path}}"
28 28 class="notebook_app"
29 29
30 30 {% endblock %}
31 31
32 32
33 33 {% block header %}
34 34
35 35 <span id="save_widget" class="nav pull-left">
36 36 <span id="notebook_name"></span>
37 37 <span id="checkpoint_status"></span>
38 38 <span id="autosave_status"></span>
39 39 </span>
40 40
41 41 {% endblock %}
42 42
43 43
44 44 {% block site %}
45 45
46 46 <div id="menubar-container" class="container">
47 47 <div id="menubar">
48 48 <div class="navbar">
49 49 <div class="navbar-inner">
50 50 <div class="container">
51 51 <ul id="menus" class="nav">
52 52 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">File</a>
53 53 <ul id="file_menu" class="dropdown-menu">
54 54 <li id="new_notebook"
55 55 title="Make a new notebook (Opens a new window)">
56 56 <a href="#">New</a></li>
57 57 <li id="open_notebook"
58 58 title="Opens a new window with the Dashboard view">
59 59 <a href="#">Open...</a></li>
60 60 <!-- <hr/> -->
61 61 <li class="divider"></li>
62 62 <li id="copy_notebook"
63 63 title="Open a copy of this notebook's contents and start a new kernel">
64 64 <a href="#">Make a Copy...</a></li>
65 65 <li id="rename_notebook"><a href="#">Rename...</a></li>
66 66 <li id="save_checkpoint"><a href="#">Save and Checkpoint</a></li>
67 67 <!-- <hr/> -->
68 68 <li class="divider"></li>
69 69 <li id="restore_checkpoint" class="dropdown-submenu"><a href="#">Revert to Checkpoint</a>
70 70 <ul class="dropdown-menu">
71 71 <li><a href="#"></a></li>
72 72 <li><a href="#"></a></li>
73 73 <li><a href="#"></a></li>
74 74 <li><a href="#"></a></li>
75 75 <li><a href="#"></a></li>
76 76 </ul>
77 77 </li>
78 78 <li class="divider"></li>
79 79 <li id="print_preview"><a href="#">Print Preview</a></li>
80 80 <li class="dropdown-submenu"><a href="#">Download as</a>
81 81 <ul class="dropdown-menu">
82 82 <li id="download_ipynb"><a href="#">IPython Notebook (.ipynb)</a></li>
83 83 <li id="download_py"><a href="#">Python (.py)</a></li>
84 84 <li id="download_html"><a href="#">HTML (.html)</a></li>
85 85 <li id="download_rst"><a href="#">reST (.rst)</a></li>
86 86 </ul>
87 87 </li>
88 88 <li class="divider"></li>
89 89
90 90 <li id="kill_and_exit"
91 91 title="Shutdown this notebook's kernel, and close this window">
92 92 <a href="#" >Close and halt</a></li>
93 93 </ul>
94 94 </li>
95 95 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Edit</a>
96 96 <ul id="edit_menu" class="dropdown-menu">
97 97 <li id="cut_cell"><a href="#">Cut Cell</a></li>
98 98 <li id="copy_cell"><a href="#">Copy Cell</a></li>
99 99 <li id="paste_cell_above" class="disabled"><a href="#">Paste Cell Above</a></li>
100 100 <li id="paste_cell_below" class="disabled"><a href="#">Paste Cell Below</a></li>
101 101 <li id="paste_cell_replace" class="disabled"><a href="#">Paste Cell &amp; Replace</a></li>
102 102 <li id="delete_cell"><a href="#">Delete Cell</a></li>
103 103 <li id="undelete_cell" class="disabled"><a href="#">Undo Delete Cell</a></li>
104 104 <li class="divider"></li>
105 105 <li id="split_cell"><a href="#">Split Cell</a></li>
106 106 <li id="merge_cell_above"><a href="#">Merge Cell Above</a></li>
107 107 <li id="merge_cell_below"><a href="#">Merge Cell Below</a></li>
108 108 <li class="divider"></li>
109 109 <li id="move_cell_up"><a href="#">Move Cell Up</a></li>
110 110 <li id="move_cell_down"><a href="#">Move Cell Down</a></li>
111 111 <li class="divider"></li>
112 112 <li id="edit_nb_metadata"><a href="#">Edit Notebook Metadata</a></li>
113 113 </ul>
114 114 </li>
115 115 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">View</a>
116 116 <ul id="view_menu" class="dropdown-menu">
117 117 <li id="toggle_header"
118 118 title="Show/Hide the IPython Notebook logo and notebook title (above menu bar)">
119 119 <a href="#">Toggle Header</a></li>
120 120 <li id="toggle_toolbar"
121 121 title="Show/Hide the action icons (below menu bar)">
122 122 <a href="#">Toggle Toolbar</a></li>
123 123 </ul>
124 124 </li>
125 125 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Insert</a>
126 126 <ul id="insert_menu" class="dropdown-menu">
127 127 <li id="insert_cell_above"
128 128 title="Insert an empty Code cell above the currently active cell">
129 129 <a href="#">Insert Cell Above</a></li>
130 130 <li id="insert_cell_below"
131 131 title="Insert an empty Code cell below the currently active cell">
132 132 <a href="#">Insert Cell Below</a></li>
133 133 </ul>
134 134 </li>
135 135 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Cell</a>
136 136 <ul id="cell_menu" class="dropdown-menu">
137 137 <li id="run_cell" title="Run this cell, and move cursor to the next one">
138 138 <a href="#">Run</a></li>
139 139 <li id="run_cell_select_below" title="Run this cell, select below">
140 140 <a href="#">Run and Select Below</a></li>
141 141 <li id="run_cell_insert_below" title="Run this cell, insert below">
142 142 <a href="#">Run and Insert Below</a></li>
143 143 <li id="run_all_cells" title="Run all cells in the notebook">
144 144 <a href="#">Run All</a></li>
145 145 <li id="run_all_cells_above" title="Run all cells above (but not including) this cell">
146 146 <a href="#">Run All Above</a></li>
147 147 <li id="run_all_cells_below" title="Run this cell and all cells below it">
148 148 <a href="#">Run All Below</a></li>
149 149 <li class="divider"></li>
150 150 <li id="change_cell_type" class="dropdown-submenu"
151 151 title="All cells in the notebook have a cell type. By default, new cells are created as 'Code' cells">
152 152 <a href="#">Cell Type</a>
153 153 <ul class="dropdown-menu">
154 154 <li id="to_code"
155 155 title="Contents will be sent to the kernel for execution, and output will display in the footer of cell">
156 156 <a href="#">Code</a></li>
157 157 <li id="to_markdown"
158 158 title="Contents will be rendered as HTML and serve as explanatory text">
159 159 <a href="#">Markdown</a></li>
160 160 <li id="to_raw"
161 161 title="Contents will pass through nbconvert unmodified">
162 162 <a href="#">Raw NBConvert</a></li>
163 163 <li id="to_heading1"><a href="#">Heading 1</a></li>
164 164 <li id="to_heading2"><a href="#">Heading 2</a></li>
165 165 <li id="to_heading3"><a href="#">Heading 3</a></li>
166 166 <li id="to_heading4"><a href="#">Heading 4</a></li>
167 167 <li id="to_heading5"><a href="#">Heading 5</a></li>
168 168 <li id="to_heading6"><a href="#">Heading 6</a></li>
169 169 </ul>
170 170 </li>
171 171 <li class="divider"></li>
172 172 <li id="current_outputs" class="dropdown-submenu"><a href="#">Current Output</a>
173 173 <ul class="dropdown-menu">
174 174 <li id="toggle_current_output"
175 175 title="Hide/Show the output of the current cell">
176 176 <a href="#">Toggle</a>
177 177 </li>
178 178 <li id="toggle_current_output_scroll"
179 179 title="Scroll the output of the current cell">
180 180 <a href="#">Toggle Scrolling</a>
181 181 </li>
182 182 <li id="clear_current_output"
183 183 title="Clear the output of the current cell">
184 184 <a href="#">Clear</a>
185 185 </li>
186 186 </ul>
187 187 </li>
188 188 <li id="all_outputs" class="dropdown-submenu"><a href="#">All Output</a>
189 189 <ul class="dropdown-menu">
190 190 <li id="toggle_all_output"
191 191 title="Hide/Show the output of all cells">
192 192 <a href="#">Toggle</a>
193 193 </li>
194 194 <li id="toggle_all_output_scroll"
195 195 title="Scroll the output of all cells">
196 196 <a href="#">Toggle Scrolling</a>
197 197 </li>
198 198 <li id="clear_all_output"
199 199 title="Clear the output of all cells">
200 200 <a href="#">Clear</a>
201 201 </li>
202 202 </ul>
203 203 </li>
204 204 </ul>
205 205 </li>
206 206 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Kernel</a>
207 207 <ul id="kernel_menu" class="dropdown-menu">
208 208 <li id="int_kernel"
209 209 title="Send KeyboardInterrupt (CTRL-C) to the Kernel">
210 210 <a href="#">Interrupt</a></li>
211 211 <li id="restart_kernel"
212 212 title="Restart the Kernel">
213 213 <a href="#">Restart</a></li>
214 214 </ul>
215 215 </li>
216 216 <li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">Help</a>
217 217 <ul id="help_menu" class="dropdown-menu">
218 218 <li id="keyboard_shortcuts" title="Opens a tooltip with all keyboard shortcuts"><a href="#">Keyboard Shortcuts</a></li>
219 219 <li class="divider"></li>
220 220 {% set
221 221 sections = (
222 222 (
223 223 ("http://ipython.org/documentation.html","IPython Help",True),
224 224 ("http://nbviewer.ipython.org/github/ipython/ipython/tree/master/examples/notebooks/", "Notebook Examples", True),
225 225 ("http://ipython.org/ipython-doc/stable/interactive/notebook.html","Notebook Help",True),
226 226 ("http://ipython.org/ipython-doc/dev/interactive/cm_keyboard.html","Editor Shortcuts",True),
227 227 ),(
228 228 ("http://docs.python.org","Python",True),
229 229 ("http://docs.scipy.org/doc/numpy/reference/","NumPy",True),
230 230 ("http://docs.scipy.org/doc/scipy/reference/","SciPy",True),
231 231 ("http://matplotlib.org/contents.html","Matplotlib",True),
232 232 ("http://docs.sympy.org/dev/index.html","SymPy",True),
233 233 ("http://pandas.pydata.org/pandas-docs/stable/","pandas", True)
234 234 )
235 235 )
236 236 %}
237 237
238 238 {% for helplinks in sections %}
239 239 {% for link in helplinks %}
240 240 <li><a href="{{link[0]}}" {{'target="_blank" title="Opens in a new window"' if link[2]}}>
241 241 {{'<i class="icon-external-link menu-icon pull-right"></i>' if link[2]}}
242 242 {{link[1]}}
243 243 </a></li>
244 244 {% endfor %}
245 245 {% if not loop.last %}
246 246 <li class="divider"></li>
247 247 {% endif %}
248 248 {% endfor %}
249 249 </li>
250 250 </ul>
251 251 </li>
252 252 </ul>
253 253 <div id="kernel_indicator" class="indicator_area pull-right">
254 254 <i id="kernel_indicator_icon"></i>
255 255 </div>
256 256 <div id="modal_indicator" class="indicator_area pull-right">
257 257 <i id="modal_indicator_icon"></i>
258 258 </div>
259 259 <div id="notification_area"></div>
260 260 </div>
261 261 </div>
262 262 </div>
263 263 </div>
264 264 <div id="maintoolbar" class="navbar">
265 265 <div class="toolbar-inner navbar-inner navbar-nobg">
266 266 <div id="maintoolbar-container" class="container"></div>
267 267 </div>
268 268 </div>
269 269 </div>
270 270
271 271 <div id="ipython-main-app">
272 272
273 273 <div id="notebook_panel">
274 274 <div id="notebook"></div>
275 275 <div id="pager_splitter"></div>
276 276 <div id="pager">
277 277 <div id='pager_button_area'>
278 278 </div>
279 279 <div id="pager-container" class="container"></div>
280 280 </div>
281 281 </div>
282 282
283 283 </div>
284 284 <div id='tooltip' class='ipython_tooltip' style='display:none'></div>
285 285
286 286
287 287 {% endblock %}
288 288
289 289
290 290 {% block script %}
291 291
292 292 {{super()}}
293 293
294 <script src="{{ static_url("components/google-caja/google-caja/html-sanitizer-minified.js") }}" charset="utf-8"></script>
294 <script src="{{ static_url("components/google-caja/html-css-sanitizer-minified.js") }}" charset="utf-8"></script>
295 295 <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script>
296 296 <script type="text/javascript">
297 297 CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}";
298 298 </script>
299 299 <script src="{{ static_url("components/codemirror/addon/mode/loadmode.js") }}" charset="utf-8"></script>
300 300 <script src="{{ static_url("components/codemirror/addon/mode/multiplex.js") }}" charset="utf-8"></script>
301 301 <script src="{{ static_url("components/codemirror/addon/mode/overlay.js") }}" charset="utf-8"></script>
302 302 <script src="{{ static_url("components/codemirror/addon/edit/matchbrackets.js") }}" charset="utf-8"></script>
303 303 <script src="{{ static_url("components/codemirror/addon/edit/closebrackets.js") }}" charset="utf-8"></script>
304 304 <script src="{{ static_url("components/codemirror/addon/comment/comment.js") }}" charset="utf-8"></script>
305 305 <script src="{{ static_url("components/codemirror/mode/htmlmixed/htmlmixed.js") }}" charset="utf-8"></script>
306 306 <script src="{{ static_url("components/codemirror/mode/xml/xml.js") }}" charset="utf-8"></script>
307 307 <script src="{{ static_url("components/codemirror/mode/javascript/javascript.js") }}" charset="utf-8"></script>
308 308 <script src="{{ static_url("components/codemirror/mode/css/css.js") }}" charset="utf-8"></script>
309 309 <script src="{{ static_url("components/codemirror/mode/rst/rst.js") }}" charset="utf-8"></script>
310 310 <script src="{{ static_url("components/codemirror/mode/markdown/markdown.js") }}" charset="utf-8"></script>
311 311 <script src="{{ static_url("components/codemirror/mode/gfm/gfm.js") }}" charset="utf-8"></script>
312 312 <script src="{{ static_url("components/codemirror/mode/python/python.js") }}" charset="utf-8"></script>
313 313 <script src="{{ static_url("notebook/js/codemirror-ipython.js") }}" charset="utf-8"></script>
314 314
315 315 <script src="{{ static_url("components/highlight.js/build/highlight.pack.js") }}" charset="utf-8"></script>
316 316
317 317 <script src="{{ static_url("dateformat/date.format.js") }}" charset="utf-8"></script>
318 318
319 319 <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script>
320 320 <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script>
321 321 <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script>
322 322 <script src="{{ static_url("base/js/security.js") }}" type="text/javascript" charset="utf-8"></script>
323 323 <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script>
324 324 <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script>
325 325 <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script>
326 326 <script src="{{ static_url("services/sessions/js/session.js") }}" type="text/javascript" charset="utf-8"></script>
327 327 <script src="{{ static_url("notebook/js/layoutmanager.js") }}" type="text/javascript" charset="utf-8"></script>
328 328 <script src="{{ static_url("notebook/js/mathjaxutils.js") }}" type="text/javascript" charset="utf-8"></script>
329 329 <script src="{{ static_url("notebook/js/outputarea.js") }}" type="text/javascript" charset="utf-8"></script>
330 330 <script src="{{ static_url("notebook/js/cell.js") }}" type="text/javascript" charset="utf-8"></script>
331 331 <script src="{{ static_url("notebook/js/celltoolbar.js") }}" type="text/javascript" charset="utf-8"></script>
332 332 <script src="{{ static_url("notebook/js/codecell.js") }}" type="text/javascript" charset="utf-8"></script>
333 333 <script src="{{ static_url("notebook/js/completer.js") }}" type="text/javascript" charset="utf-8"></script>
334 334 <script src="{{ static_url("notebook/js/textcell.js") }}" type="text/javascript" charset="utf-8"></script>
335 335 <script src="{{ static_url("notebook/js/savewidget.js") }}" type="text/javascript" charset="utf-8"></script>
336 336 <script src="{{ static_url("notebook/js/quickhelp.js") }}" type="text/javascript" charset="utf-8"></script>
337 337 <script src="{{ static_url("notebook/js/pager.js") }}" type="text/javascript" charset="utf-8"></script>
338 338 <script src="{{ static_url("notebook/js/menubar.js") }}" type="text/javascript" charset="utf-8"></script>
339 339 <script src="{{ static_url("notebook/js/toolbar.js") }}" type="text/javascript" charset="utf-8"></script>
340 340 <script src="{{ static_url("notebook/js/maintoolbar.js") }}" type="text/javascript" charset="utf-8"></script>
341 341 <script src="{{ static_url("notebook/js/notebook.js") }}" type="text/javascript" charset="utf-8"></script>
342 342 <script src="{{ static_url("notebook/js/keyboardmanager.js") }}" type="text/javascript" charset="utf-8"></script>
343 343 <script src="{{ static_url("notebook/js/notificationwidget.js") }}" type="text/javascript" charset="utf-8"></script>
344 344 <script src="{{ static_url("notebook/js/notificationarea.js") }}" type="text/javascript" charset="utf-8"></script>
345 345 <script src="{{ static_url("notebook/js/tooltip.js") }}" type="text/javascript" charset="utf-8"></script>
346 346 <script src="{{ static_url("notebook/js/config.js") }}" type="text/javascript" charset="utf-8"></script>
347 347 <script src="{{ static_url("notebook/js/main.js") }}" type="text/javascript" charset="utf-8"></script>
348 348
349 349 <script src="{{ static_url("notebook/js/contexthint.js") }}" charset="utf-8"></script>
350 350
351 351 <script src="{{ static_url("notebook/js/celltoolbarpresets/default.js") }}" type="text/javascript" charset="utf-8"></script>
352 352 <script src="{{ static_url("notebook/js/celltoolbarpresets/rawcell.js") }}" type="text/javascript" charset="utf-8"></script>
353 353 <script src="{{ static_url("notebook/js/celltoolbarpresets/slideshow.js") }}" type="text/javascript" charset="utf-8"></script>
354 354
355 355 {% endblock %}
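--- a/<path-not-on-page>/security_test.js
+++ b/<path-not-on-page>/security_test.js
@@ -1,41 +1,46 @@
 safe_tests = [
 "<p>Hi there</p>",
 '<h1 class="foo">Hi There!</h1>',
 '<a data-cite="foo">citation</a>',
 '<div><span>Hi There</span></div>',
+'<style>div.foo { background: #ffff; }</style>',
 ];
 
 unsafe_tests = [
 "<script>alert(999);</script>",
 '<a onmouseover="alert(999)">999</a>',
 '<a onmouseover=alert(999)>999</a>',
 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
 '<IMG SRC=# onmouseover="alert(999)">',
 '<<SCRIPT>alert(999);//<</SCRIPT>',
 '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
 '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
 '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
 '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
 '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
-'<style type="text/css">div.foo { background: #ffff; }</style>',
+'<style src="http://untrusted/style.css"></style>',
 '<EMBED SRC=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
 ];
 
 casper.notebook_test(function () {
 this.each(safe_tests, function (self, item) {
 var is_safe = self.evaluate(function (item) {
 return IPython.security.is_safe(item);
 }, item);
+var sanitized = self.evaluate(function (item) {
+return IPython.security.sanitize_html(item);
+}, item);
+
 this.test.assert(is_safe, "Safe: " + item);
 });
 this.each(unsafe_tests, function (self, item) {
 var is_safe = self.evaluate(function (item) {
 return IPython.security.is_safe(item);
 }, item);
 this.test.assert(!is_safe, "Unsafe: " + item);
 var sanitized = self.evaluate(function (item) {
 return IPython.security.sanitize_html(item);
 }, item);
 this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);
 });
 });
\ No newline at end of file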
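Review bot: The new `sanitized` variable in the safe_tests loop is computed but never asserted, so the three added lines are dead code; either drop them or give them an assertion such as `this.test.assert(sanitized.length > 0, "Non-empty: " + item);`, or for the new style case specifically that the stylesheet body survived. The existing unsafe-loop check `sanitized.indexOf("alert") == -1` is vacuous for the added `<style src="http://untrusted/style.css">` entry, which contains no `alert`, so it passes whether or not the `src` was stripped; a per-item expected-absent token (here `"untrusted"`) would make that assertion carry weight. The style case moved from unsafe to safe also drops `type="text/css"`; keeping a typed variant in safe_tests as well would pin that attribute-bearing style tags are accepted rather than scrubbed.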