##// END OF EJS Templates
use google-caja for sanitization
MinRK -
Show More
@@ -14,43 +14,43 b' IPython.security = (function (IPython) {'
14 "use strict";
14 "use strict";
15
15
16 var utils = IPython.utils;
16 var utils = IPython.utils;
17
17
18 var noop = function (x) { return x; };
19
20 var sanitize = function (html, log) {
21 // sanitize HTML
22 // returns a struct of
23 // {
24 // src: original_html,
25 // sanitized: the_sanitized_html,
26 // safe: bool // false if the sanitizer made any changes
27 // }
28 var result = {
29 src : html,
30 safe : true
31 };
32 var record_messages = function (msg, opts) {
33 console.log("HTML Sanitizer", msg, opts);
34 result.safe = false;
35 };
36 result.sanitized = window.html_sanitize(html, noop, noop, record_messages);
37 return result;
38 };
39
40 var sanitize_html = function (html) {
41 // shorthand for str-to-str conversion, dropping the struct
42 return sanitize(html).sanitized;
43 };
44
18 var is_safe = function (html) {
45 var is_safe = function (html) {
19 // Is the html string safe against JavaScript based attacks. This
46 // just return bool for whether an HTML string is safe
20 // detects 1) black listed tags, 2) blacklisted attributes, 3) all
47 return sanitize(html).safe;
21 // event attributes (onhover, onclick, etc.).
48 };
22 var black_tags = ['script', 'style', 'meta', 'iframe', 'embed'];
49
23 var black_attrs = ['style'];
24 var wrapped_html = '<div>'+html+'</div>';
25 // First try to parse the HTML. All invalid HTML is unsafe.
26 try {
27 var bad_elem = $(wrapped_html);
28 } catch (e) {
29 return false;
30 }
31 var safe = true;
32 // Detect black listed tags
33 $.map(black_tags, function (tag, index) {
34 if (bad_elem.find(tag).length > 0) {
35 safe = false;
36 }
37 });
38 // Detect black listed attributes
39 $.map(black_attrs, function (attr, index) {
40 if (bad_elem.find('['+attr+']').length > 0) {
41 safe = false;
42 }
43 });
44 bad_elem.find('*').each(function (index) {
45 $.map(utils.get_attr_names($(this)), function (attr, index) {
46 if (attr.match('^on')) {safe = false;}
47 });
48 })
49 return safe;
50 }
51
52 return {
50 return {
53 is_safe: is_safe
51 is_safe: is_safe,
52 sanitize: sanitize,
53 sanitize_html: sanitize_html
54 };
54 };
55
55
56 }(IPython));
56 }(IPython));
@@ -291,6 +291,7 b' class="notebook_app"'
291
291
292 {{super()}}
292 {{super()}}
293
293
294 <script src="{{ static_url("components/google-caja/google-caja/html-css-sanitizer-minified.js") }}" charset="utf-8"></script>
294 <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script>
295 <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script>
295 <script type="text/javascript">
296 <script type="text/javascript">
296 CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}";
297 CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}";
General Comments 0
You need to be logged in to leave comments. Login now