@@ -66,21 +66,12 IPython.security = (function (IPython) { | |||||
66 | return h.html(); |
|
66 | return h.html(); | |
67 | }; |
|
67 | }; | |
68 |
|
68 | |||
69 | var sanitize = function (html, allow_css) { |
|
69 | var sanitize_html = function (html, allow_css) { | |
70 | // sanitize HTML |
|
70 | // sanitize HTML | |
71 | // if allow_css is true (default), CSS is sanitized as well. |
|
71 | // if allow_css is true (default: false), CSS is sanitized as well. | |
72 | // otherwise, CSS elements and attributes are simply removed. |
|
72 | // otherwise, CSS elements and attributes are simply removed. | |
73 | // returns a struct of |
|
|||
74 | // { |
|
|||
75 | // src: original_html, |
|
|||
76 | // sanitized: the_sanitized_html, |
|
|||
77 | // _maybe_safe: bool // false if the sanitizer definitely made changes. |
|
|||
78 | // This is an incomplete indication, |
|
|||
79 | // only used to indicate whether further verification is necessary. |
|
|||
80 | // } |
|
|||
81 | var html4 = caja.html4; |
|
73 | var html4 = caja.html4; | |
82 |
|
74 | |||
83 | if (allow_css === undefined) allow_css = false; |
|
|||
84 | if (allow_css) { |
|
75 | if (allow_css) { | |
85 | // allow sanitization of style tags, |
|
76 | // allow sanitization of style tags, | |
86 | // not just scrubbing |
|
77 | // not just scrubbing | |
@@ -92,13 +83,8 IPython.security = (function (IPython) { | |||||
92 | html4.ATTRIBS.style = html4.atype.SCRIPT; |
|
83 | html4.ATTRIBS.style = html4.atype.SCRIPT; | |
93 | } |
|
84 | } | |
94 |
|
85 | |||
95 | var result = { |
|
|||
96 | src : html, |
|
|||
97 | _maybe_safe : true |
|
|||
98 | }; |
|
|||
99 | var record_messages = function (msg, opts) { |
|
86 | var record_messages = function (msg, opts) { | |
100 | console.log("HTML Sanitizer", msg, opts); |
|
87 | console.log("HTML Sanitizer", msg, opts); | |
101 | result._maybe_safe = false; |
|
|||
102 | }; |
|
88 | }; | |
103 |
|
89 | |||
104 | var policy = function (tagName, attribs) { |
|
90 | var policy = function (tagName, attribs) { | |
@@ -115,24 +101,18 IPython.security = (function (IPython) { | |||||
115 | } |
|
101 | } | |
116 | }; |
|
102 | }; | |
117 |
|
103 | |||
118 |
|
|
104 | var sanitized = caja.sanitizeWithPolicy(html, policy); | |
119 |
|
105 | |||
120 | if (allow_css) { |
|
106 | if (allow_css) { | |
121 | // sanitize style tags as stylesheets |
|
107 | // sanitize style tags as stylesheets | |
122 |
|
|
108 | sanitized = sanitize_stylesheets(result.sanitized, policy); | |
123 | } |
|
109 | } | |
124 |
|
110 | |||
125 |
return |
|
111 | return sanitized; | |
126 | }; |
|
|||
127 |
|
||||
128 | var sanitize_html = function (html) { |
|
|||
129 | // shorthand for str-to-str conversion, dropping the struct |
|
|||
130 | return sanitize(html).sanitized; |
|
|||
131 | }; |
|
112 | }; | |
132 |
|
113 | |||
133 | return { |
|
114 | return { | |
134 | caja: caja, |
|
115 | caja: caja, | |
135 | sanitize: sanitize, |
|
|||
136 | sanitize_html: sanitize_html |
|
116 | sanitize_html: sanitize_html | |
137 | }; |
|
117 | }; | |
138 |
|
118 |
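Review bot: New line 108 `sanitized = sanitize_stylesheets(result.sanitized, policy);` still reads `result`, but this same change deletes the `var result = { src: html, _maybe_safe: true }` struct (old lines 95–98) and nothing on the new side defines it, so with `allow_css` true the call either throws a ReferenceError or, if some `result` happens to exist in the enclosing module scope (not visible here), feeds the stylesheet sanitizer something other than the caja output from new line 104. The fix is to chain on the local, `sanitized = sanitize_stylesheets(sanitized, policy);`, and since this is the only path where `<style>` content is kept rather than scrubbed it deserves a test that calls `sanitize_html('<style>body{}</style>', true)` and asserts a string comes back. Dropping `_maybe_safe` also means `record_messages` (new lines 86–88) now only logs, so callers no longer get any signal that the sanitizer altered the input; a one-line comment at the top of `sanitize_html` such as `// returns the sanitized HTML string; sanitizer changes are only logged to the console` would make that contract explicit. The enclosing `IPython.security` IIFE begins before the first hunk.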