upstream/ipython Commit - r15635:a5ad0cc8

Adding first round of security tests of is_safe.

Brian E. Granger -

r15635:a5ad0cc8

parent child

IPython/html/tests/casperjs/test_cases/security.js

0 created 644 +35 0

			@@ -0,0 +1,35
		1	safe_tests = [
		2	"<p>Hi there</p>",
		3	'<h1 class="foo">Hi There!</h1>',
		4	'<div><span>Hi There</span></div>'
		5	];
		6
		7	unsafe_tests = [
		8	"<script>alert(999);</script>",
		9	'<a onmouseover="alert(999)">999</a>',
		10	'<a onmouseover=alert(999)>999</a>',
		11	'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
		12	'<IMG SRC=# onmouseover="alert(999)">',
		13	'<<SCRIPT>alert(999);//<</SCRIPT>',
		14	'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
		15	'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
		16	'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
		17	'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
		18	'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
		19	'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
		20	];
		21
		22	casper.notebook_test(function () {
		23	this.each(safe_tests, function (self, item) {
		24	var is_safe = self.evaluate(function (item) {
		25	return IPython.security.is_safe(item);
		26	}, item);
		27	this.test.assert(is_safe, item);
		28	});
		29	this.each(unsafe_tests, function (self, item) {
		30	var is_safe = self.evaluate(function (item) {
		31	return IPython.security.is_safe(item);
		32	}, item);
		33	this.test.assert(!is_safe, item);
		34	});
		35	}); No newline at end of file

IPython/html/static/base/js/security.js

0 +10 -5

              //----------------------------------------------------------------------------
              //  Copyright (C) 2014  The IPython Development Team
              //
              //  Distributed under the terms of the BSD License.  The full license is in
              //  the file COPYING, distributed as part of this software.
              //----------------------------------------------------------------------------
              //============================================================================
              // Utilities
              //============================================================================
              IPython.namespace('IPython.security');
              IPython.security = (function (IPython) {
                  "use strict";
                  var utils = IPython.utils;
                  var is_safe = function (html) {
                      // Is the html string safe against JavaScript based attacks. This
                      // detects 1) black listed tags, 2) blacklisted attributes, 3) all
                      // event attributes (onhover, onclick, etc.).
-                     var black_tags = ['script', 'style'];
+                     var black_tags = ['script', 'style', 'meta', 'iframe', 'embed'];
                      var black_attrs = ['style'];
                      var wrapped_html = '<div>'+html+'</div>';
-                     var e = $(wrapped_html);
+                     // First try to parse the HTML. All invalid HTML is unsafe.
+                     try {
+                         var bad_elem = $(wrapped_html);
+                     } catch (e) {
+                         return false;
+                     }
                      var safe = true;
                      // Detect black listed tags
                      $.map(black_tags, function (tag, index) {
-                         if (e.find(tag).length > 0) {
+                         if (bad_elem.find(tag).length > 0) {
                              safe = false;
                          }
                      });
                      // Detect black listed attributes
                      $.map(black_attrs, function (attr, index) {
-                         if (e.find('['+attr+']').length > 0) {
+                         if (bad_elem.find('['+attr+']').length > 0) {
                              safe = false;
                          }
                      });
-                     e.find('*').each(function (index) {
+                     bad_elem.find('*').each(function (index) {
                          $.map(utils.get_attr_names($(this)), function (attr, index) {
                              if (attr.match('^on')) {safe = false;}
                          });
                      })
                      return safe;
                  }
                  return {
                      is_safe: is_safe
                  };
              }(IPython));

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages