Show More
@@ -1,57 +1,83 b'' | |||||
1 | //---------------------------------------------------------------------------- |
|
1 | //---------------------------------------------------------------------------- | |
2 | // Copyright (C) 2014 The IPython Development Team |
|
2 | // Copyright (C) 2014 The IPython Development Team | |
3 | // |
|
3 | // | |
4 | // Distributed under the terms of the BSD License. The full license is in |
|
4 | // Distributed under the terms of the BSD License. The full license is in | |
5 | // the file COPYING, distributed as part of this software. |
|
5 | // the file COPYING, distributed as part of this software. | |
6 | //---------------------------------------------------------------------------- |
|
6 | //---------------------------------------------------------------------------- | |
7 |
|
7 | |||
8 | //============================================================================ |
|
8 | //============================================================================ | |
9 | // Utilities |
|
9 | // Utilities | |
10 | //============================================================================ |
|
10 | //============================================================================ | |
11 | IPython.namespace('IPython.security'); |
|
11 | IPython.namespace('IPython.security'); | |
12 |
|
12 | |||
13 | IPython.security = (function (IPython) { |
|
13 | IPython.security = (function (IPython) { | |
14 | "use strict"; |
|
14 | "use strict"; | |
15 |
|
15 | |||
16 | var utils = IPython.utils; |
|
16 | var utils = IPython.utils; | |
17 |
|
17 | |||
18 | var noop = function (x) { return x; }; |
|
18 | var noop = function (x) { return x; }; | |
19 |
|
19 | |||
|
20 | var cmp_tree = function (a, b) { | |||
|
21 | // compare two HTML trees | |||
|
22 | // only checks the tag structure is preserved, | |||
|
23 | // not any attributes or contents | |||
|
24 | if (a.length !== b.length) { | |||
|
25 | return false; | |||
|
26 | } | |||
|
27 | ||||
|
28 | for (var i = a.length - 1; i >= 0; i--) { | |||
|
29 | if (a[i].tagName && b[i].tagName && a[i].tagName.toLowerCase() != b[i].tagName.toLowerCase()) { | |||
|
30 | return false; | |||
|
31 | } | |||
|
32 | } | |||
|
33 | var ac = a.children(); | |||
|
34 | var bc = b.children(); | |||
|
35 | if (ac.length === 0 && bc.length === 0) { | |||
|
36 | return true; | |||
|
37 | } | |||
|
38 | return cmp_tree(ac, bc); | |||
|
39 | }; | |||
|
40 | ||||
20 | var sanitize = function (html, log) { |
|
41 | var sanitize = function (html, log) { | |
21 | // sanitize HTML |
|
42 | // sanitize HTML | |
22 | // returns a struct of |
|
43 | // returns a struct of | |
23 | // { |
|
44 | // { | |
24 | // src: original_html, |
|
45 | // src: original_html, | |
25 | // sanitized: the_sanitized_html, |
|
46 | // sanitized: the_sanitized_html, | |
26 | // safe: bool // false if the sanitizer made any changes |
|
47 | // safe: bool // false if the sanitizer made any changes | |
27 | // } |
|
48 | // } | |
28 | var result = { |
|
49 | var result = { | |
29 | src : html, |
|
50 | src : html, | |
30 | safe : true |
|
51 | safe : true | |
31 | }; |
|
52 | }; | |
32 | var record_messages = function (msg, opts) { |
|
53 | var record_messages = function (msg, opts) { | |
33 | console.log("HTML Sanitizer", msg, opts); |
|
54 | console.log("HTML Sanitizer", msg, opts); | |
34 | result.safe = false; |
|
55 | result.safe = false; | |
35 | }; |
|
56 | }; | |
36 | result.sanitized = window.html_sanitize(html, noop, noop, record_messages); |
|
57 | result.sanitized = window.html_sanitize(html, noop, noop, record_messages); | |
|
58 | // caja can strip whole elements without logging, | |||
|
59 | // so double-check that node structure didn't change | |||
|
60 | if (result.safe) { | |||
|
61 | result.safe = cmp_tree($(result.sanitized), $(result.src)); | |||
|
62 | } | |||
37 | return result; |
|
63 | return result; | |
38 | }; |
|
64 | }; | |
39 |
|
65 | |||
40 | var sanitize_html = function (html) { |
|
66 | var sanitize_html = function (html) { | |
41 | // shorthand for str-to-str conversion, dropping the struct |
|
67 | // shorthand for str-to-str conversion, dropping the struct | |
42 | return sanitize(html).sanitized; |
|
68 | return sanitize(html).sanitized; | |
43 | }; |
|
69 | }; | |
44 |
|
70 | |||
45 | var is_safe = function (html) { |
|
71 | var is_safe = function (html) { | |
46 | // just return bool for whether an HTML string is safe |
|
72 | // just return bool for whether an HTML string is safe | |
47 | return sanitize(html).safe; |
|
73 | return sanitize(html).safe; | |
48 | }; |
|
74 | }; | |
49 |
|
75 | |||
50 | return { |
|
76 | return { | |
51 | is_safe: is_safe, |
|
77 | is_safe: is_safe, | |
52 | sanitize: sanitize, |
|
78 | sanitize: sanitize, | |
53 | sanitize_html: sanitize_html |
|
79 | sanitize_html: sanitize_html | |
54 | }; |
|
80 | }; | |
55 |
|
81 | |||
56 | }(IPython)); |
|
82 | }(IPython)); | |
57 |
|
83 |
General Comments 0
You need to be logged in to leave comments.
Login now