Show More
| @@ -0,0 +1,52 b'' | |||||
|
|
1 | //---------------------------------------------------------------------------- | |||
|
|
2 | // Copyright (C) 2014 The IPython Development Team | |||
|
|
3 | // | |||
|
|
4 | // Distributed under the terms of the BSD License. The full license is in | |||
|
|
5 | // the file COPYING, distributed as part of this software. | |||
|
|
6 | //---------------------------------------------------------------------------- | |||
|
|
7 | ||||
|
|
8 | //============================================================================ | |||
|
|
9 | // Utilities | |||
|
|
10 | //============================================================================ | |||
|
|
11 | IPython.namespace('IPython.security'); | |||
|
|
12 | ||||
|
|
13 | IPython.security = (function (IPython) { | |||
|
|
14 | "use strict"; | |||
|
|
15 | ||||
|
|
16 | var utils = IPython.utils; | |||
|
|
17 | ||||
|
|
18 | var is_safe = function (html) { | |||
|
|
19 | // Is the html string safe against JavaScript based attacks. This | |||
|
|
20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all | |||
|
|
21 | // event attributes (onhover, onclick, etc.). | |||
|
|
22 | var black_tags = ['script', 'style']; | |||
|
|
23 | var black_attrs = ['style']; | |||
|
|
24 | var wrapped_html = '<div>'+html+'</div>'; | |||
|
|
25 | var e = $(wrapped_html); | |||
|
|
26 | var safe = true; | |||
|
|
27 | // Detect black listed tags | |||
|
|
28 | $.map(black_tags, function (tag, index) { | |||
|
|
29 | if (e.find(tag).length > 0) { | |||
|
|
30 | safe = false; | |||
|
|
31 | } | |||
|
|
32 | }); | |||
|
|
33 | // Detect black listed attributes | |||
|
|
34 | $.map(black_attrs, function (attr, index) { | |||
|
|
35 | if (e.find('['+attr+']').length > 0) { | |||
|
|
36 | safe = false; | |||
|
|
37 | } | |||
|
|
38 | }); | |||
|
|
39 | e.find('*').each(function (index) { | |||
|
|
40 | $.map(utils.get_attr_names($(this)), function (attr, index) { | |||
|
|
41 | if (attr.match('^on')) {safe = false;} | |||
|
|
42 | }); | |||
|
|
43 | }) | |||
|
|
44 | return safe; | |||
|
|
45 | } | |||
|
|
46 | ||||
|
|
47 | return { | |||
|
|
48 | is_safe: is_safe | |||
|
|
49 | }; | |||
|
|
50 | ||||
|
|
51 | }(IPython)); | |||
|
|
52 | ||||
| @@ -488,6 +488,15 b' IPython.utils = (function (IPython) {' | |||||
| 488 | } |
|
488 | } | |
| 489 | } |
|
489 | } | |
| 490 |
|
490 | |||
|
|
491 | var get_attr_names = function (e) { | |||
|
|
492 | // Get the names of all the HTML attributes of the element e. | |||
|
|
493 | var el = $(e)[0]; | |||
|
|
494 | var arr = []; | |||
|
|
495 | for (var i=0, attrs=el.attributes, l=attrs.length; i<l; i++){ | |||
|
|
496 | arr.push(attrs.item(i).nodeName); | |||
|
|
497 | } | |||
|
|
498 | return arr; | |||
|
|
499 | } | |||
| 491 |
|
500 | |||
| 492 | return { |
|
501 | return { | |
| 493 | regex_split : regex_split, |
|
502 | regex_split : regex_split, | |
| @@ -507,7 +516,8 b' IPython.utils = (function (IPython) {' | |||||
| 507 | browser : browser, |
|
516 | browser : browser, | |
| 508 | platform: platform, |
|
517 | platform: platform, | |
| 509 | is_or_has : is_or_has, |
|
518 | is_or_has : is_or_has, | |
| 510 | is_focused : is_focused |
|
519 | is_focused : is_focused, | |
|
|
520 | get_attr_names: get_attr_names | |||
| 511 | }; |
|
521 | }; | |
| 512 |
|
522 | |||
| 513 | }(IPython)); |
|
523 | }(IPython)); | |
| @@ -20,7 +20,12 b' var IPython = (function (IPython) {' | |||||
| 20 | "use strict"; |
|
20 | "use strict"; | |
| 21 |
|
21 | |||
| 22 | // TextCell base class |
|
22 | // TextCell base class | |
|
|
23 | <<<<<<< HEAD | |||
| 23 | var keycodes = IPython.keyboard.keycodes; |
|
24 | var keycodes = IPython.keyboard.keycodes; | |
|
|
25 | ======= | |||
|
|
26 | var key = IPython.utils.keycodes; | |||
|
|
27 | var security = IPython.security; | |||
|
|
28 | >>>>>>> 8e23f06... Adding security.js with 1st attempt at is_safe. | |||
| 24 |
|
29 | |||
| 25 | /** |
|
30 | /** | |
| 26 | * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text' |
|
31 | * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text' | |
| @@ -318,6 +318,7 b' class="notebook_app"' | |||||
| 318 | <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script> |
|
318 | <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script> | |
| 319 | <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script> |
|
319 | <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script> | |
| 320 | <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script> |
|
320 | <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script> | |
|
|
321 | <script src="{{ static_url("base/js/security.js") }}" type="text/javascript" charset="utf-8"></script> | |||
| 321 | <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script> |
|
322 | <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script> | |
| 322 | <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script> |
|
323 | <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script> | |
| 323 | <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script> |
|
324 | <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script> | |
General Comments 0
You need to be logged in to leave comments.
Login now