Show More
@@ -0,0 +1,35 | |||||
|
1 | safe_tests = [ | |||
|
2 | "<p>Hi there</p>", | |||
|
3 | '<h1 class="foo">Hi There!</h1>', | |||
|
4 | '<div><span>Hi There</span></div>' | |||
|
5 | ]; | |||
|
6 | ||||
|
7 | unsafe_tests = [ | |||
|
8 | "<script>alert(999);</script>", | |||
|
9 | '<a onmouseover="alert(999)">999</a>', | |||
|
10 | '<a onmouseover=alert(999)>999</a>', | |||
|
11 | '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', | |||
|
12 | '<IMG SRC=# onmouseover="alert(999)">', | |||
|
13 | '<<SCRIPT>alert(999);//<</SCRIPT>', | |||
|
14 | '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', | |||
|
15 | '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', | |||
|
16 | '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">', | |||
|
17 | '<IFRAME SRC="javascript:alert(999);"></IFRAME>', | |||
|
18 | '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', | |||
|
19 | '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', | |||
|
20 | ]; | |||
|
21 | ||||
|
22 | casper.notebook_test(function () { | |||
|
23 | this.each(safe_tests, function (self, item) { | |||
|
24 | var is_safe = self.evaluate(function (item) { | |||
|
25 | return IPython.security.is_safe(item); | |||
|
26 | }, item); | |||
|
27 | this.test.assert(is_safe, item); | |||
|
28 | }); | |||
|
29 | this.each(unsafe_tests, function (self, item) { | |||
|
30 | var is_safe = self.evaluate(function (item) { | |||
|
31 | return IPython.security.is_safe(item); | |||
|
32 | }, item); | |||
|
33 | this.test.assert(!is_safe, item); | |||
|
34 | }); | |||
|
35 | }); No newline at end of file |
@@ -1,52 +1,57 | |||||
1 | //---------------------------------------------------------------------------- |
|
1 | //---------------------------------------------------------------------------- | |
2 | // Copyright (C) 2014 The IPython Development Team |
|
2 | // Copyright (C) 2014 The IPython Development Team | |
3 | // |
|
3 | // | |
4 | // Distributed under the terms of the BSD License. The full license is in |
|
4 | // Distributed under the terms of the BSD License. The full license is in | |
5 | // the file COPYING, distributed as part of this software. |
|
5 | // the file COPYING, distributed as part of this software. | |
6 | //---------------------------------------------------------------------------- |
|
6 | //---------------------------------------------------------------------------- | |
7 |
|
7 | |||
8 | //============================================================================ |
|
8 | //============================================================================ | |
9 | // Utilities |
|
9 | // Utilities | |
10 | //============================================================================ |
|
10 | //============================================================================ | |
11 | IPython.namespace('IPython.security'); |
|
11 | IPython.namespace('IPython.security'); | |
12 |
|
12 | |||
13 | IPython.security = (function (IPython) { |
|
13 | IPython.security = (function (IPython) { | |
14 | "use strict"; |
|
14 | "use strict"; | |
15 |
|
15 | |||
16 | var utils = IPython.utils; |
|
16 | var utils = IPython.utils; | |
17 |
|
17 | |||
18 | var is_safe = function (html) { |
|
18 | var is_safe = function (html) { | |
19 | // Is the html string safe against JavaScript based attacks. This |
|
19 | // Is the html string safe against JavaScript based attacks. This | |
20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all |
|
20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all | |
21 | // event attributes (onhover, onclick, etc.). |
|
21 | // event attributes (onhover, onclick, etc.). | |
22 | var black_tags = ['script', 'style']; |
|
22 | var black_tags = ['script', 'style', 'meta', 'iframe', 'embed']; | |
23 | var black_attrs = ['style']; |
|
23 | var black_attrs = ['style']; | |
24 | var wrapped_html = '<div>'+html+'</div>'; |
|
24 | var wrapped_html = '<div>'+html+'</div>'; | |
25 | var e = $(wrapped_html); |
|
25 | // First try to parse the HTML. All invalid HTML is unsafe. | |
|
26 | try { | |||
|
27 | var bad_elem = $(wrapped_html); | |||
|
28 | } catch (e) { | |||
|
29 | return false; | |||
|
30 | } | |||
26 | var safe = true; |
|
31 | var safe = true; | |
27 | // Detect black listed tags |
|
32 | // Detect black listed tags | |
28 | $.map(black_tags, function (tag, index) { |
|
33 | $.map(black_tags, function (tag, index) { | |
29 | if (e.find(tag).length > 0) { |
|
34 | if (bad_elem.find(tag).length > 0) { | |
30 | safe = false; |
|
35 | safe = false; | |
31 | } |
|
36 | } | |
32 | }); |
|
37 | }); | |
33 | // Detect black listed attributes |
|
38 | // Detect black listed attributes | |
34 | $.map(black_attrs, function (attr, index) { |
|
39 | $.map(black_attrs, function (attr, index) { | |
35 | if (e.find('['+attr+']').length > 0) { |
|
40 | if (bad_elem.find('['+attr+']').length > 0) { | |
36 | safe = false; |
|
41 | safe = false; | |
37 | } |
|
42 | } | |
38 | }); |
|
43 | }); | |
39 | e.find('*').each(function (index) { |
|
44 | bad_elem.find('*').each(function (index) { | |
40 | $.map(utils.get_attr_names($(this)), function (attr, index) { |
|
45 | $.map(utils.get_attr_names($(this)), function (attr, index) { | |
41 | if (attr.match('^on')) {safe = false;} |
|
46 | if (attr.match('^on')) {safe = false;} | |
42 | }); |
|
47 | }); | |
43 | }) |
|
48 | }) | |
44 | return safe; |
|
49 | return safe; | |
45 | } |
|
50 | } | |
46 |
|
51 | |||
47 | return { |
|
52 | return { | |
48 | is_safe: is_safe |
|
53 | is_safe: is_safe | |
49 | }; |
|
54 | }; | |
50 |
|
55 | |||
51 | }(IPython)); |
|
56 | }(IPython)); | |
52 |
|
57 |
General Comments 0
You need to be logged in to leave comments.
Login now