##// END OF EJS Templates
upstream » ipython
RSS

Clone from https://github.com/ipython/ipython.git

Adding first round of security tests of is_safe.
Brian E. Granger -
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,35
1 safe_tests = [
2 "<p>Hi there</p>",
3 '<h1 class="foo">Hi There!</h1>',
4 '<div><span>Hi There</span></div>'
5 ];
6
7 unsafe_tests = [
8 "<script>alert(999);</script>",
9 '<a onmouseover="alert(999)">999</a>',
10 '<a onmouseover=alert(999)>999</a>',
11 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
12 '<IMG SRC=# onmouseover="alert(999)">',
13 '<<SCRIPT>alert(999);//<</SCRIPT>',
14 '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
15 '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
16 '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
17 '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
18 '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
19 '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
20 ];
21
22 casper.notebook_test(function () {
23 this.each(safe_tests, function (self, item) {
24 var is_safe = self.evaluate(function (item) {
25 return IPython.security.is_safe(item);
26 }, item);
27 this.test.assert(is_safe, item);
28 });
29 this.each(unsafe_tests, function (self, item) {
30 var is_safe = self.evaluate(function (item) {
31 return IPython.security.is_safe(item);
32 }, item);
33 this.test.assert(!is_safe, item);
34 });
35 }); No newline at end of file
Show file before | Show file after | Hide comments
@@ -19,24 +19,29 IPython.security = (function (IPython) {
19 // Is the html string safe against JavaScript based attacks. This
19 // Is the html string safe against JavaScript based attacks. This
20 // detects 1) black listed tags, 2) blacklisted attributes, 3) all
20 // detects 1) black listed tags, 2) blacklisted attributes, 3) all
21 // event attributes (onhover, onclick, etc.).
21 // event attributes (onhover, onclick, etc.).
22 var black_tags = ['script', 'style'];
22 var black_tags = ['script', 'style', 'meta', 'iframe', 'embed'];
23 var black_attrs = ['style'];
23 var black_attrs = ['style'];
24 var wrapped_html = '<div>'+html+'</div>';
24 var wrapped_html = '<div>'+html+'</div>';
25 var e = $(wrapped_html);
25 // First try to parse the HTML. All invalid HTML is unsafe.
26 try {
27 var bad_elem = $(wrapped_html);
28 } catch (e) {
29 return false;
30 }
26 var safe = true;
31 var safe = true;
27 // Detect black listed tags
32 // Detect black listed tags
28 $.map(black_tags, function (tag, index) {
33 $.map(black_tags, function (tag, index) {
29 if (e.find(tag).length > 0) {
34 if (bad_elem.find(tag).length > 0) {
30 safe = false;
35 safe = false;
31 }
36 }
32 });
37 });
33 // Detect black listed attributes
38 // Detect black listed attributes
34 $.map(black_attrs, function (attr, index) {
39 $.map(black_attrs, function (attr, index) {
35 if (e.find('['+attr+']').length > 0) {
40 if (bad_elem.find('['+attr+']').length > 0) {
36 safe = false;
41 safe = false;
37 }
42 }
38 });
43 });
39 e.find('*').each(function (index) {
44 bad_elem.find('*').each(function (index) {
40 $.map(utils.get_attr_names($(this)), function (attr, index) {
45 $.map(utils.get_attr_names($(this)), function (attr, index) {
41 if (attr.match('^on')) {safe = false;}
46 if (attr.match('^on')) {safe = false;}
42 });
47 });
General Comments 0
You need to be logged in to leave comments. Login now