Show More
| @@ -14,43 +14,43 b' IPython.security = (function (IPython) {' | |||||
| 14 | "use strict"; |
|
14 | "use strict"; | |
| 15 |
|
15 | |||
| 16 | var utils = IPython.utils; |
|
16 | var utils = IPython.utils; | |
| 17 |
|
17 | |||
|
|
18 | var noop = function (x) { return x; }; | |||
|
|
19 | ||||
|
|
20 | var sanitize = function (html, log) { | |||
|
|
21 | // sanitize HTML | |||
|
|
22 | // returns a struct of | |||
|
|
23 | // { | |||
|
|
24 | // src: original_html, | |||
|
|
25 | // sanitized: the_sanitized_html, | |||
|
|
26 | // safe: bool // false if the sanitizer made any changes | |||
|
|
27 | // } | |||
|
|
28 | var result = { | |||
|
|
29 | src : html, | |||
|
|
30 | safe : true | |||
|
|
31 | }; | |||
|
|
32 | var record_messages = function (msg, opts) { | |||
|
|
33 | console.log("HTML Sanitizer", msg, opts); | |||
|
|
34 | result.safe = false; | |||
|
|
35 | }; | |||
|
|
36 | result.sanitized = window.html_sanitize(html, noop, noop, record_messages); | |||
|
|
37 | return result; | |||
|
|
38 | }; | |||
|
|
39 | ||||
|
|
40 | var sanitize_html = function (html) { | |||
|
|
41 | // shorthand for str-to-str conversion, dropping the struct | |||
|
|
42 | return sanitize(html).sanitized; | |||
|
|
43 | }; | |||
|
|
44 | ||||
| 18 | var is_safe = function (html) { |
|
45 | var is_safe = function (html) { | |
| 19 | // Is the html string safe against JavaScript based attacks. This |
|
46 | // just return bool for whether an HTML string is safe | |
| 20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all |
|
47 | return sanitize(html).safe; | |
| 21 | // event attributes (onhover, onclick, etc.). |
|
48 | }; | |
| 22 | var black_tags = ['script', 'style', 'meta', 'iframe', 'embed']; |
|
49 | ||
| 23 | var black_attrs = ['style']; |
|
|||
| 24 | var wrapped_html = '<div>'+html+'</div>'; |
|
|||
| 25 | // First try to parse the HTML. All invalid HTML is unsafe. |
|
|||
| 26 | try { |
|
|||
| 27 | var bad_elem = $(wrapped_html); |
|
|||
| 28 | } catch (e) { |
|
|||
| 29 | return false; |
|
|||
| 30 | } |
|
|||
| 31 | var safe = true; |
|
|||
| 32 | // Detect black listed tags |
|
|||
| 33 | $.map(black_tags, function (tag, index) { |
|
|||
| 34 | if (bad_elem.find(tag).length > 0) { |
|
|||
| 35 | safe = false; |
|
|||
| 36 | } |
|
|||
| 37 | }); |
|
|||
| 38 | // Detect black listed attributes |
|
|||
| 39 | $.map(black_attrs, function (attr, index) { |
|
|||
| 40 | if (bad_elem.find('['+attr+']').length > 0) { |
|
|||
| 41 | safe = false; |
|
|||
| 42 | } |
|
|||
| 43 | }); |
|
|||
| 44 | bad_elem.find('*').each(function (index) { |
|
|||
| 45 | $.map(utils.get_attr_names($(this)), function (attr, index) { |
|
|||
| 46 | if (attr.match('^on')) {safe = false;} |
|
|||
| 47 | }); |
|
|||
| 48 | }) |
|
|||
| 49 | return safe; |
|
|||
| 50 | } |
|
|||
| 51 |
|
||||
| 52 | return { |
|
50 | return { | |
| 53 | is_safe: is_safe |
|
51 | is_safe: is_safe, | |
|
|
52 | sanitize: sanitize, | |||
|
|
53 | sanitize_html: sanitize_html | |||
| 54 | }; |
|
54 | }; | |
| 55 |
|
55 | |||
| 56 | }(IPython)); |
|
56 | }(IPython)); | |
| @@ -291,6 +291,7 b' class="notebook_app"' | |||||
| 291 |
|
291 | |||
| 292 | {{super()}} |
|
292 | {{super()}} | |
| 293 |
|
293 | |||
|
|
294 | <script src="{{ static_url("components/google-caja/google-caja/html-css-sanitizer-minified.js") }}" charset="utf-8"></script> | |||
| 294 | <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script> |
|
295 | <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script> | |
| 295 | <script type="text/javascript"> |
|
296 | <script type="text/javascript"> | |
| 296 | CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}"; |
|
297 | CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}"; | |
General Comments 0
You need to be logged in to leave comments.
Login now