@@ -14,43 +14,43 b' IPython.security = (function (IPython) {' | |||
|
14 | 14 | "use strict"; |
|
15 | 15 | |
|
16 | 16 | var utils = IPython.utils; |
|
17 | ||
|
17 | ||
|
18 | var noop = function (x) { return x; }; | |
|
19 | ||
|
20 | var sanitize = function (html, log) { | |
|
21 | // sanitize HTML | |
|
22 | // returns a struct of | |
|
23 | // { | |
|
24 | // src: original_html, | |
|
25 | // sanitized: the_sanitized_html, | |
|
26 | // safe: bool // false if the sanitizer made any changes | |
|
27 | // } | |
|
28 | var result = { | |
|
29 | src : html, | |
|
30 | safe : true | |
|
31 | }; | |
|
32 | var record_messages = function (msg, opts) { | |
|
33 | console.log("HTML Sanitizer", msg, opts); | |
|
34 | result.safe = false; | |
|
35 | }; | |
|
36 | result.sanitized = window.html_sanitize(html, noop, noop, record_messages); | |
|
37 | return result; | |
|
38 | }; | |
|
39 | ||
|
40 | var sanitize_html = function (html) { | |
|
41 | // shorthand for str-to-str conversion, dropping the struct | |
|
42 | return sanitize(html).sanitized; | |
|
43 | }; | |
|
44 | ||
|
18 | 45 | var is_safe = function (html) { |
|
19 | // Is the html string safe against JavaScript based attacks. This | |
|
20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all | |
|
21 | // event attributes (onhover, onclick, etc.). | |
|
22 | var black_tags = ['script', 'style', 'meta', 'iframe', 'embed']; | |
|
23 | var black_attrs = ['style']; | |
|
24 | var wrapped_html = '<div>'+html+'</div>'; | |
|
25 | // First try to parse the HTML. All invalid HTML is unsafe. | |
|
26 | try { | |
|
27 | var bad_elem = $(wrapped_html); | |
|
28 | } catch (e) { | |
|
29 | return false; | |
|
30 | } | |
|
31 | var safe = true; | |
|
32 | // Detect black listed tags | |
|
33 | $.map(black_tags, function (tag, index) { | |
|
34 | if (bad_elem.find(tag).length > 0) { | |
|
35 | safe = false; | |
|
36 | } | |
|
37 | }); | |
|
38 | // Detect black listed attributes | |
|
39 | $.map(black_attrs, function (attr, index) { | |
|
40 | if (bad_elem.find('['+attr+']').length > 0) { | |
|
41 | safe = false; | |
|
42 | } | |
|
43 | }); | |
|
44 | bad_elem.find('*').each(function (index) { | |
|
45 | $.map(utils.get_attr_names($(this)), function (attr, index) { | |
|
46 | if (attr.match('^on')) {safe = false;} | |
|
47 | }); | |
|
48 | }) | |
|
49 | return safe; | |
|
50 | } | |
|
51 | ||
|
46 | // just return bool for whether an HTML string is safe | |
|
47 | return sanitize(html).safe; | |
|
48 | }; | |
|
49 | ||
|
52 | 50 | return { |
|
53 | is_safe: is_safe | |
|
51 | is_safe: is_safe, | |
|
52 | sanitize: sanitize, | |
|
53 | sanitize_html: sanitize_html | |
|
54 | 54 | }; |
|
55 | 55 | |
|
56 | 56 | }(IPython)); |
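Review bot: `sanitize` declares a `log` parameter (new line 20) that is never read; `record_messages` always writes to `console.log`, so callers cannot redirect or silence sanitizer output and the signature is misleading. Honour it with a default, e.g. `log = log || function (msg, opts) { console.log("HTML Sanitizer", msg, opts); };` and `var record_messages = function (msg, opts) { log(msg, opts); result.safe = false; };`, which keeps `is_safe` and `sanitize_html` (both call `sanitize(html)` without a logger) behaving as they do now. Note also that `noop` is passed as both the URI policy and the name/id policy on new line 36, so URLs and `id`/`name` attributes reach the output unchanged; whether Caja still applies its own scheme check before consulting the URI policy should be confirmed, and a policy that prefixes ids would keep untrusted output from colliding with the notebook's own element ids. Finally, `result.safe` only turns false when the sanitizer invokes the logger, so it means "the sanitizer reported a change", not "nothing was stripped" — worth stating in the comment at new lines 22–27.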
@@ -291,6 +291,7 b' class="notebook_app"' | |||
|
291 | 291 | |
|
292 | 292 | {{super()}} |
|
293 | 293 | |
|
294 | <script src="{{ static_url("components/google-caja/google-caja/html-css-sanitizer-minified.js") }}" charset="utf-8"></script> | |
|
294 | 295 | <script src="{{ static_url("components/codemirror/lib/codemirror.js") }}" charset="utf-8"></script> |
|
295 | 296 | <script type="text/javascript"> |
|
296 | 297 | CodeMirror.modeURL = "{{ static_url("components/codemirror/mode/%N/%N.js", include_version=False) }}"; |