Show More
| @@ -0,0 +1,35 | |||
|
|
1 | safe_tests = [ | |
|
|
2 | "<p>Hi there</p>", | |
|
|
3 | '<h1 class="foo">Hi There!</h1>', | |
|
|
4 | '<div><span>Hi There</span></div>' | |
|
|
5 | ]; | |
|
|
6 | ||
|
|
7 | unsafe_tests = [ | |
|
|
8 | "<script>alert(999);</script>", | |
|
|
9 | '<a onmouseover="alert(999)">999</a>', | |
|
|
10 | '<a onmouseover=alert(999)>999</a>', | |
|
|
11 | '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', | |
|
|
12 | '<IMG SRC=# onmouseover="alert(999)">', | |
|
|
13 | '<<SCRIPT>alert(999);//<</SCRIPT>', | |
|
|
14 | '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', | |
|
|
15 | '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', | |
|
|
16 | '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">', | |
|
|
17 | '<IFRAME SRC="javascript:alert(999);"></IFRAME>', | |
|
|
18 | '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', | |
|
|
19 | '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', | |
|
|
20 | ]; | |
|
|
21 | ||
|
|
22 | casper.notebook_test(function () { | |
|
|
23 | this.each(safe_tests, function (self, item) { | |
|
|
24 | var is_safe = self.evaluate(function (item) { | |
|
|
25 | return IPython.security.is_safe(item); | |
|
|
26 | }, item); | |
|
|
27 | this.test.assert(is_safe, item); | |
|
|
28 | }); | |
|
|
29 | this.each(unsafe_tests, function (self, item) { | |
|
|
30 | var is_safe = self.evaluate(function (item) { | |
|
|
31 | return IPython.security.is_safe(item); | |
|
|
32 | }, item); | |
|
|
33 | this.test.assert(!is_safe, item); | |
|
|
34 | }); | |
|
|
35 | }); No newline at end of file | |
| @@ -19,24 +19,29 IPython.security = (function (IPython) { | |||
|
|
19 | 19 | // Is the html string safe against JavaScript based attacks. This |
|
|
20 | 20 | // detects 1) black listed tags, 2) blacklisted attributes, 3) all |
|
|
21 | 21 | // event attributes (onhover, onclick, etc.). |
|
|
22 | var black_tags = ['script', 'style']; | |
|
|
22 | var black_tags = ['script', 'style', 'meta', 'iframe', 'embed']; | |
|
|
23 | 23 | var black_attrs = ['style']; |
|
|
24 | 24 | var wrapped_html = '<div>'+html+'</div>'; |
|
|
25 | var e = $(wrapped_html); | |
|
|
25 | // First try to parse the HTML. All invalid HTML is unsafe. | |
|
|
26 | try { | |
|
|
27 | var bad_elem = $(wrapped_html); | |
|
|
28 | } catch (e) { | |
|
|
29 | return false; | |
|
|
30 | } | |
|
|
26 | 31 | var safe = true; |
|
|
27 | 32 | // Detect black listed tags |
|
|
28 | 33 | $.map(black_tags, function (tag, index) { |
|
|
29 | if (e.find(tag).length > 0) { | |
|
|
34 | if (bad_elem.find(tag).length > 0) { | |
|
|
30 | 35 | safe = false; |
|
|
31 | 36 | } |
|
|
32 | 37 | }); |
|
|
33 | 38 | // Detect black listed attributes |
|
|
34 | 39 | $.map(black_attrs, function (attr, index) { |
|
|
35 | if (e.find('['+attr+']').length > 0) { | |
|
|
40 | if (bad_elem.find('['+attr+']').length > 0) { | |
|
|
36 | 41 | safe = false; |
|
|
37 | 42 | } |
|
|
38 | 43 | }); |
|
|
39 | e.find('*').each(function (index) { | |
|
|
44 | bad_elem.find('*').each(function (index) { | |
|
|
40 | 45 | $.map(utils.get_attr_names($(this)), function (attr, index) { |
|
|
41 | 46 | if (attr.match('^on')) {safe = false;} |
|
|
42 | 47 | }); |
General Comments 0
You need to be logged in to leave comments.
Login now