Audit .html() calls take #2
Jonathan Frederic -
@@ -473,6 +473,7 b' var IPython = (function (IPython) {'
473 }
473 }
474 this.input_prompt_number = number;
474 this.input_prompt_number = number;
475 var prompt_html = CodeCell.input_prompt_function(this.input_prompt_number, nline);
475 var prompt_html = CodeCell.input_prompt_function(this.input_prompt_number, nline);
476 // This HTML call is okay because the user contents are escaped.
476 this.element.find('div.input_prompt').html(prompt_html);
477 this.element.find('div.input_prompt').html(prompt_html);
477 };
478 };
478
479
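Review bot: The new comment on line 476 asserts that "the user contents are escaped", but nothing in the hunk shows which code performs the escaping; the only inputs visible are `this.input_prompt_number` and `nline`, and `CodeCell.input_prompt_function` is a static hook that may be replaced elsewhere. A comment that names the guarantee is easier to re-audit later: `// This HTML call is okay as long as CodeCell.input_prompt_function returns escaped markup; it only receives the prompt number and line count here.` The enclosing function starts before this hunk.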
@@ -343,7 +343,8 b' var IPython = (function (IPython) {'
343 // Insert the subarea into the iframe
343 // Insert the subarea into the iframe
344 // We must directly write the html. When using Jquery's append
344 // We must directly write the html. When using Jquery's append
345 // method, javascript is evaluated in the parent document and
345 // method, javascript is evaluated in the parent document and
346 // not in the iframe document.
346 // not in the iframe document. At this point, subarea doesn't
347 // contain any user content.
347 this.contentDocument.write(subarea.html());
348 this.contentDocument.write(subarea.html());
348
349
349 this.contentDocument.close();
350 this.contentDocument.close();
@@ -370,12 +371,10 b' var IPython = (function (IPython) {'
370 // display a message when a javascript error occurs in display output
371 // display a message when a javascript error occurs in display output
371 var msg = "Javascript error adding output!"
372 var msg = "Javascript error adding output!"
372 if ( element === undefined ) return;
373 if ( element === undefined ) return;
373 element.append(
374 element
374 $('<div/>').html(msg + "<br/>" +
375 .append($('<div/>').text(msg).addClass('js-error'))
375 err.toString() +
376 .append($('<div/>').text(err.toString()).addClass('js-error'))
376 '<br/>See your browser Javascript console for more details.'
377 .append($('<div/>').text('See your browser Javascript console for more details.').addClass('js-error'));
377 ).addClass('js-error')
378 );
379 };
378 };
380
379
381 OutputArea.prototype._safe_append = function (toinsert) {
380 OutputArea.prototype._safe_append = function (toinsert) {
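Review bot: The three appended elements on lines 375–377 repeat the same `$('<div/>').text(...).addClass('js-error')` chain, which reads as copy-paste and lets the class name drift if one line is edited later. A small local helper, `var line = function (t) { return $('<div/>').text(t).addClass('js-error'); };`, followed by `element.append(line(msg)).append(line(err.toString())).append(line('See your browser Javascript console for more details.'));`, keeps the same escaping behaviour and states the intent once. Line 372 (`var msg = ...`) is context and still lacks a terminating semicolon, worth fixing while this block is being touched.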
@@ -447,6 +446,8 b' var IPython = (function (IPython) {'
447 var pre = this.element.find('div.'+subclass).last().find('pre');
446 var pre = this.element.find('div.'+subclass).last().find('pre');
448 var html = utils.fixCarriageReturn(
447 var html = utils.fixCarriageReturn(
449 pre.html() + utils.fixConsole(text));
448 pre.html() + utils.fixConsole(text));
449 // The only user content injected with with this HTML call is
450 // escaped by the fixConsole() method.
450 pre.html(html);
451 pre.html(html);
451 return;
452 return;
452 }
453 }
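Review bot: The new comment on lines 449–450 reads "injected with with this HTML call" (doubled "with"); the same wording is repeated in the hunks at lines 552–553 and 167–168, so all three should be corrected together. The comment also only accounts for `fixConsole(text)`, while the call concatenates `pre.html()`, the markup already in the element, so it is worth saying why that half is safe: `// Both halves are escaped: pre.html() holds earlier output inserted through this same path, and fixConsole() escapes the new text.` That assumes nothing else writes raw markup into that `<pre>`, which this hunk cannot confirm. The enclosing function starts before the hunk.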
@@ -548,6 +549,8 b' var IPython = (function (IPython) {'
548 if (extra_class){
549 if (extra_class){
549 toinsert.addClass(extra_class);
550 toinsert.addClass(extra_class);
550 }
551 }
552 // The only user content injected with with this HTML call is
553 // escaped by the fixConsole() method.
551 toinsert.append($("<pre/>").html(data));
554 toinsert.append($("<pre/>").html(data));
552 element.append(toinsert);
555 element.append(toinsert);
553 return toinsert;
556 return toinsert;
@@ -164,6 +164,8 b' var IPython = (function (IPython) {'
164 }
164 }
165
165
166 Pager.prototype.append_text = function (text) {
166 Pager.prototype.append_text = function (text) {
167 // The only user content injected with with this HTML call is escaped by
168 // the fixConsole() method.
167 this.pager_element.find(".container").append($('<pre/>').html(utils.fixCarriageReturn(utils.fixConsole(text))));
169 this.pager_element.find(".container").append($('<pre/>').html(utils.fixCarriageReturn(utils.fixConsole(text))));
168 };
170 };
169
171
@@ -245,7 +245,7 b' var IPython = (function (IPython) {'
245 * @method set_rendered
245 * @method set_rendered
246 */
246 */
247 TextCell.prototype.set_rendered = function(text) {
247 TextCell.prototype.set_rendered = function(text) {
248 this.element.find('div.text_cell_render').html(text);
248 this.element.find('div.text_cell_render').text(text);
249 };
249 };
250
250
251 /**
251 /**
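Review bot: Switching `set_rendered` from `.html(text)` to `.text(text)` on line 248 changes the contract of a documented public method (`@method set_rendered` just above it): any caller that still passes markup, including code outside this commit, now sees its markup displayed as literal text instead of rendered. The commit moves its own callers to write `div.text_cell_render` directly (the markdown and heading `render` hunks), so this is presumably intended, but the docblock should record it; a line such as `Sets the rendered area to plain text; any HTML in the argument is escaped.` under `@method set_rendered` would do. If a variant that still accepts markup is needed, a separately named method is safer than relying on callers noticing the changed behaviour.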
@@ -350,15 +350,20 b' var IPython = (function (IPython) {'
350 math = text_and_math[1];
350 math = text_and_math[1];
351 var html = marked.parser(marked.lexer(text));
351 var html = marked.parser(marked.lexer(text));
352 html = $(IPython.mathjaxutils.replace_math(html, math));
352 html = $(IPython.mathjaxutils.replace_math(html, math));
353 // links in markdown cells should open in new tabs
353 // Links in markdown cells should open in new tabs.
354 html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
354 html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
355 try {
355 try {
356 this.set_rendered(html);
356 // TODO: This HTML needs to be treated as potentially dangerous
357 // user input.
358 rendered.html(html);
357 } catch (e) {
359 } catch (e) {
358 console.log("Error running Javascript in Markdown:");
360 console.log("Error running Javascript in Markdown:");
359 console.log(e);
361 console.log(e);
360 this.set_rendered($("<div/>").addClass("js-error").html(
362 rendered.empty();
361 "Error rendering Markdown!<br/>" + e.toString())
363 rendered.append(
364 $("<div/>")
365 .append($("<div/>").text('Error rendering Markdown!').addClass("js-error"))
366 .append($("<div/>").text(e.toString()).addClass("js-error"))
362 );
367 );
363 }
368 }
364 this.element.find('div.text_cell_input').hide();
369 this.element.find('div.text_cell_input').hide();
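Review bot: `rendered` is used on lines 358 and 362–363 but is not declared anywhere in this hunk; the markdown `render` function begins before line 350, so if the declaration is not there, the first use throws a ReferenceError inside the `try` and every render lands in the catch branch. Worth confirming a `var rendered = this.element.find('div.text_cell_render');` exists above, as the heading hunk at line 543 does explicitly. The TODO on lines 356–357 is accurate, since `html` is produced by `marked` from the cell's own markdown, but it would be more useful stating the intended mitigation (sanitize the generated markup before insertion, or document that this behaviour is accepted) so the next audit pass does not have to re-derive the decision.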
@@ -504,11 +509,6 b' var IPython = (function (IPython) {'
504 };
509 };
505
510
506
511
507 HeadingCell.prototype.set_rendered = function (html) {
508 this.element.find("div.text_cell_render").html(html);
509 };
510
511
512 HeadingCell.prototype.get_rendered = function () {
512 HeadingCell.prototype.get_rendered = function () {
513 var r = this.element.find("div.text_cell_render");
513 var r = this.element.find("div.text_cell_render");
514 return r.children().first().html();
514 return r.children().first().html();
@@ -538,11 +538,13 b' var IPython = (function (IPython) {'
538 .attr('href', '#' + hash)
538 .attr('href', '#' + hash)
539 .text('¶')
539 .text('¶')
540 );
540 );
541
541 // TODO: This HTML needs to be treated as potentially dangerous
542 this.set_rendered(h);
542 // user input.
543 var rendered = this.element.find("div.text_cell_render");
544 rendered.html(h);
543 this.typeset();
545 this.typeset();
544 this.element.find('div.text_cell_input').hide();
546 this.element.find('div.text_cell_input').hide();
545 this.element.find("div.text_cell_render").show();
547 rendered.show();
546
548
547 };
549 };
548 return cont;
550 return cont;
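Review bot: `rendered.html(h)` on line 544 passes a jQuery element rather than a string to `.html()`; jQuery appears to fall back to empty-and-append in that case, so the call works, but routing an element through `.html()` is exactly what this audit is trying to make explicit. Writing `rendered.empty().append(h);` states the intent and removes this call from the list of `.html()` sites to re-check. The TODO on lines 541–542 may be overstated for this site if the heading text inside `h` was set with `.text()` earlier in `render` (that part is outside the hunk); if so, the comment could say which part of `h` is user-derived and how it was escaped.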
@@ -369,6 +369,7 b' var IPython = (function (IPython) {'
369 this._hidden = false;
369 this._hidden = false;
370 this.text.children().remove();
370 this.text.children().remove();
371
371
372 // Any HTML within the docstring is escaped by the fixConsole() method.
372 var pre = $('<pre/>').html(utils.fixConsole(docstring));
373 var pre = $('<pre/>').html(utils.fixConsole(docstring));
373 if (defstring) {
374 if (defstring) {
374 var defstring_html = $('<pre/>').html(utils.fixConsole(defstring));
375 var defstring_html = $('<pre/>').html(utils.fixConsole(defstring));
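Review bot: The new comment on line 372 only covers the `docstring` call, while line 375 builds `defstring_html` with the identical `$('<pre/>').html(utils.fixConsole(...))` pattern and gets no note, so the next `.html()` audit will have to re-check it. Widening the comment covers both: `// Any HTML within docstring and defstring is escaped by the fixConsole() method before the .html() calls below.` The enclosing function starts before this hunk and continues past it.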