add cmp_tree, in case caja log can't be trusted...
MinRK -
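--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,57 +1,83 @@
 //----------------------------------------------------------------------------
 // Copyright (C) 2014 The IPython Development Team
 //
 // Distributed under the terms of the BSD License. The full license is in
 // the file COPYING, distributed as part of this software.
 //----------------------------------------------------------------------------
 
 //============================================================================
 // Utilities
 //============================================================================
 IPython.namespace('IPython.security');
 
 IPython.security = (function (IPython) {
 "use strict";
 
 var utils = IPython.utils;
 
 var noop = function (x) { return x; };
 
+var cmp_tree = function (a, b) {
+// compare two HTML trees
+// only checks the tag structure is preserved,
+// not any attributes or contents
+if (a.length !== b.length) {
+return false;
+}
+
+for (var i = a.length - 1; i >= 0; i--) {
+if (a[i].tagName && b[i].tagName && a[i].tagName.toLowerCase() != b[i].tagName.toLowerCase()) {
+return false;
+}
+}
+var ac = a.children();
+var bc = b.children();
+if (ac.length === 0 && bc.length === 0) {
+return true;
+}
+return cmp_tree(ac, bc);
+};
+
 var sanitize = function (html, log) {
 // sanitize HTML
 // returns a struct of
 // {
 // src: original_html,
 // sanitized: the_sanitized_html,
 // safe: bool // false if the sanitizer made any changes
 // }
 var result = {
 src : html,
 safe : true
 };
 var record_messages = function (msg, opts) {
 console.log("HTML Sanitizer", msg, opts);
 result.safe = false;
 };
 result.sanitized = window.html_sanitize(html, noop, noop, record_messages);
+// caja can strip whole elements without logging,
+// so double-check that node structure didn't change
+if (result.safe) {
+result.safe = cmp_tree($(result.sanitized), $(result.src));
+}
 return result;
 };
 
 var sanitize_html = function (html) {
 // shorthand for str-to-str conversion, dropping the struct
 return sanitize(html).sanitized;
 };
 
 var is_safe = function (html) {
 // just return bool for whether an HTML string is safe
 return sanitize(html).safe;
 };
 
 return {
 is_safe: is_safe,
 sanitize: sanitize,
 sanitize_html: sanitize_html
 };
 
 }(IPython));
 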
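Review bot: The structural double-check at new line 61, `cmp_tree($(result.sanitized), $(result.src))`, feeds the unsanitized `result.src` to jQuery's `$()`, which builds live DOM nodes from the string; jQuery's own documentation warns that this can execute code carried by untrusted markup (for example through event-handler attributes on elements that load resources), so the check intended to catch a silently stripped element can itself run what the sanitizer exists to remove. Parsing both strings into an inert document first avoids that, e.g. `var inert = function (s) { return $(new DOMParser().parseFromString(s, "text/html").body).children(); };` and `result.safe = cmp_tree(inert(result.sanitized), inert(result.src));`, at the cost of ignoring top-level text nodes, which the `.children()` recursion already does for every deeper level. Separately, the guard at new line 29 only compares tags when both nodes have a `tagName`, so an element replaced by a text node at the same position goes unnoticed; `if ((a[i].tagName || "").toLowerCase() !== (b[i].tagName || "").toLowerCase())` closes that gap and also drops the loose `!=`. Note too that `.children()` on a jQuery set flattens across parents, so the comparison is per depth level rather than per subtree, which is weaker than the "tag structure is preserved" comment suggests and worth stating in that comment.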