##// END OF EJS Templates
upstream » ipython
RSS

Clone from https://github.com/ipython/ipython.git

Adding security.js with 1st attempt at is_safe.
Brian E. Granger -
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,52 b''
1 //----------------------------------------------------------------------------
2 // Copyright (C) 2014 The IPython Development Team
3 //
4 // Distributed under the terms of the BSD License. The full license is in
5 // the file COPYING, distributed as part of this software.
6 //----------------------------------------------------------------------------
7
8 //============================================================================
9 // Utilities
10 //============================================================================
11 IPython.namespace('IPython.security');
12
13 IPython.security = (function (IPython) {
14 "use strict";
15
16 var utils = IPython.utils;
17
18 var is_safe = function (html) {
19 // Is the html string safe against JavaScript based attacks. This
20 // detects 1) black listed tags, 2) blacklisted attributes, 3) all
21 // event attributes (onhover, onclick, etc.).
22 var black_tags = ['script', 'style'];
23 var black_attrs = ['style'];
24 var wrapped_html = '<div>'+html+'</div>';
25 var e = $(wrapped_html);
26 var safe = true;
27 // Detect black listed tags
28 $.map(black_tags, function (tag, index) {
29 if (e.find(tag).length > 0) {
30 safe = false;
31 }
32 });
33 // Detect black listed attributes
34 $.map(black_attrs, function (attr, index) {
35 if (e.find('['+attr+']').length > 0) {
36 safe = false;
37 }
38 });
39 e.find('*').each(function (index) {
40 $.map(utils.get_attr_names($(this)), function (attr, index) {
41 if (attr.match('^on')) {safe = false;}
42 });
43 })
44 return safe;
45 }
46
47 return {
48 is_safe: is_safe
49 };
50
51 }(IPython));
52
Show file before | Show file after | Hide comments
@@ -488,6 +488,15 b' IPython.utils = (function (IPython) {'
488 488 }
489 489 }
490 490
491 var get_attr_names = function (e) {
492 // Get the names of all the HTML attributes of the element e.
493 var el = $(e)[0];
494 var arr = [];
495 for (var i=0, attrs=el.attributes, l=attrs.length; i<l; i++){
496 arr.push(attrs.item(i).nodeName);
497 }
498 return arr;
499 }
491 500
492 501 return {
493 502 regex_split : regex_split,
@@ -507,7 +516,8 b' IPython.utils = (function (IPython) {'
507 516 browser : browser,
508 517 platform: platform,
509 518 is_or_has : is_or_has,
510 is_focused : is_focused
519 is_focused : is_focused,
520 get_attr_names: get_attr_names
511 521 };
512 522
513 523 }(IPython));
Show file before | Show file after | Hide comments
@@ -20,7 +20,12 b' var IPython = (function (IPython) {'
20 20 "use strict";
21 21
22 22 // TextCell base class
23 <<<<<<< HEAD
23 24 var keycodes = IPython.keyboard.keycodes;
25 =======
26 var key = IPython.utils.keycodes;
27 var security = IPython.security;
28 >>>>>>> 8e23f06... Adding security.js with 1st attempt at is_safe.
24 29
25 30 /**
26 31 * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text'
Show file before | Show file after | Hide comments
@@ -318,6 +318,7 b' class="notebook_app"'
318 318 <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script>
319 319 <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script>
320 320 <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script>
321 <script src="{{ static_url("base/js/security.js") }}" type="text/javascript" charset="utf-8"></script>
321 322 <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script>
322 323 <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script>
323 324 <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script>
General Comments 0
You need to be logged in to leave comments. Login now