Audit .html() calls take #2
Jonathan Frederic -
@@ -473,6 +473,7 b' var IPython = (function (IPython) {'
473 473 }
474 474 this.input_prompt_number = number;
475 475 var prompt_html = CodeCell.input_prompt_function(this.input_prompt_number, nline);
476 // This HTML call is okay because the user contents are escaped.
476 477 this.element.find('div.input_prompt').html(prompt_html);
477 478 };
478 479
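Review bot: The comment added at new line 476 asserts that the prompt contents are escaped, but the escaping it relies on would live in `CodeCell.input_prompt_function`, which is not part of this hunk, so a reader at this sink cannot check the claim. A comment that names the contract is easier to keep true: `// .html() is acceptable here only because input_prompt_function() is expected to HTML-escape the prompt number / line count it is given; keep that invariant if the prompt function changes.` The enclosing `set_input_prompt` begins above the hunk.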
@@ -343,7 +343,8 b' var IPython = (function (IPython) {'
343 343 // Insert the subarea into the iframe
344 344 // We must directly write the html. When using Jquery's append
345 345 // method, javascript is evaluated in the parent document and
346 // not in the iframe document.
346 // not in the iframe document. At this point, subarea doesn't
347 // contain any user content.
347 348 this.contentDocument.write(subarea.html());
348 349
349 350 this.contentDocument.close();
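Review bot: The comment at new lines 346–347 documents a timing invariant ("at this point") rather than a property of the data, so a later change that appends output to `subarea` before the `document.write` call would silently reopen a script-injection path into the iframe without anything flagging it. State the constraint as an ordering requirement: `// document.write() inserts unescaped markup; this call must stay before any output is appended to subarea.` The enclosing function starts before and ends after the hunk.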
@@ -370,12 +371,10 b' var IPython = (function (IPython) {'
370 371 // display a message when a javascript error occurs in display output
371 372 var msg = "Javascript error adding output!"
372 373 if ( element === undefined ) return;
373 element.append(
374 $('<div/>').html(msg + "<br/>" +
375 err.toString() +
376 '<br/>See your browser Javascript console for more details.'
377 ).addClass('js-error')
378 );
374 element
375 .append($('<div/>').text(msg).addClass('js-error'))
376 .append($('<div/>').text(err.toString()).addClass('js-error'))
377 .append($('<div/>').text('See your browser Javascript console for more details.').addClass('js-error'));
379 378 };
380 379
381 380 OutputArea.prototype._safe_append = function (toinsert) {
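Review bot: The rewrite at new lines 374–377 splits what was one `.js-error` block into three sibling `<div class="js-error">` elements, so the message now renders as three separate blocks instead of one message with line breaks; if `.js-error` carries a border or background, the user sees three boxes. Only `err.toString()` is untrusted here, so the original layout can be kept by inserting that one piece as a text node and leaving the literal markup as it was. `err.toString()` still throws if `err` is undefined, as before. The function's header is above the hunk.
```javascript
element.append(
    $('<div/>').addClass('js-error')
        .text(msg)
        .append('<br/>')
        .append(document.createTextNode(err.toString()))
        .append('<br/>See your browser Javascript console for more details.')
);
```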
@@ -447,6 +446,8 b' var IPython = (function (IPython) {'
447 446 var pre = this.element.find('div.'+subclass).last().find('pre');
448 447 var html = utils.fixCarriageReturn(
449 448 pre.html() + utils.fixConsole(text));
449 // The only user content injected with with this HTML call is
450 // escaped by the fixConsole() method.
450 451 pre.html(html);
451 452 return;
452 453 }
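Review bot: The comment at new lines 449–450 says the only user content in this `.html()` call is escaped by `fixConsole()`, but the string also contains `pre.html()`, i.e. whatever was rendered into the `<pre>` earlier; that is only safe because every earlier insertion was itself escaped, and the comment should say so, since `fixCarriageReturn()` is then run over the combined markup. The phrase "with with" is also doubled. Suggested wording: `// pre.html() is markup we escaped on earlier appends; the new text is escaped by fixConsole() before fixCarriageReturn() rewrites the combined string.` The enclosing function starts and ends outside the hunk.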
@@ -548,6 +549,8 b' var IPython = (function (IPython) {'
548 549 if (extra_class){
549 550 toinsert.addClass(extra_class);
550 551 }
552 // The only user content injected with with this HTML call is
553 // escaped by the fixConsole() method.
551 554 toinsert.append($("<pre/>").html(data));
552 555 element.append(toinsert);
553 556 return toinsert;
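Review bot: The comment at new lines 552–553 claims `data` is escaped by `fixConsole()`, but nothing in this function calls `fixConsole()`; the escaping is a precondition the caller must satisfy, and a comment phrased as a fact at the sink will outlive the caller that honours it. Either document it as a contract — `// Precondition: callers must pass data already HTML-escaped (utils.fixConsole); this .html() call trusts that.` — or, more robustly, move the `utils.fixConsole(data)` call into this function so the escaping is local to the sink. "with with" is doubled here too. The enclosing function begins above the hunk.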
@@ -164,6 +164,8 b' var IPython = (function (IPython) {'
164 164 }
165 165
166 166 Pager.prototype.append_text = function (text) {
167 // The only user content injected with with this HTML call is escaped by
168 // the fixConsole() method.
167 169 this.pager_element.find(".container").append($('<pre/>').html(utils.fixCarriageReturn(utils.fixConsole(text))));
168 170 };
169 171
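Review bot: `append_text` escapes with `fixConsole()` first and then runs `fixCarriageReturn()` over the escaped string, so the comment at new lines 167–168 is accurate only as long as `fixCarriageReturn()` never emits or strips markup; that dependency is worth recording in the comment (and the doubled "with with" dropped): `// text is HTML-escaped by fixConsole(); fixCarriageReturn() must keep operating on the already-escaped string.` Whether `fixCarriageReturn()` actually preserves escaping cannot be checked from this hunk.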
@@ -245,7 +245,7 b' var IPython = (function (IPython) {'
245 245 * @method set_rendered
246 246 */
247 247 TextCell.prototype.set_rendered = function(text) {
248 this.element.find('div.text_cell_render').html(text);
248 this.element.find('div.text_cell_render').text(text);
249 249 };
250 250
251 251 /**
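Review bot: `set_rendered` keeps its name and JSDoc but now inserts `text` as plain text instead of HTML, which is a silent contract change for any remaining caller that hands it rendered markup (it would now show escaped tags on screen); the markdown path in this same commit stops calling it, but other callers are not visible here. The JSDoc above the method (partly outside the hunk) should say so explicitly: `Set the rendered view to plain text; any markup in text is escaped, not interpreted.` The companion `get_rendered` presumably still returns HTML, so the pair is no longer symmetric and that is worth a sentence too.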
@@ -350,15 +350,20 b' var IPython = (function (IPython) {'
350 350 math = text_and_math[1];
351 351 var html = marked.parser(marked.lexer(text));
352 352 html = $(IPython.mathjaxutils.replace_math(html, math));
353 // links in markdown cells should open in new tabs
353 // Links in markdown cells should open in new tabs.
354 354 html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
355 355 try {
356 this.set_rendered(html);
356 // TODO: This HTML needs to be treated as potentially dangerous
357 // user input.
358 rendered.html(html);
357 359 } catch (e) {
358 360 console.log("Error running Javascript in Markdown:");
359 361 console.log(e);
360 this.set_rendered($("<div/>").addClass("js-error").html(
361 "Error rendering Markdown!<br/>" + e.toString())
362 rendered.empty();
363 rendered.append(
364 $("<div/>")
365 .append($("<div/>").text('Error rendering Markdown!').addClass("js-error"))
366 .append($("<div/>").text(e.toString()).addClass("js-error"))
362 367 );
363 368 }
364 369 this.element.find('div.text_cell_input').hide();
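Review bot: Beyond the TODO at lines 356–357, the rendered markdown at line 354 gets `target="_blank"` on every non-anchor link, and those hrefs are user-controlled, so an opened page keeps a `window.opener` reference back to the notebook; the same chain should also set `rel`: `html.find("a[href]").not('[href^="#"]').attr("target", "_blank").attr("rel", "noopener noreferrer");`. Note that `rendered`, used at lines 358 and 362, is not declared inside the hunk, so it is presumably introduced earlier in the function. When the sanitizer the TODO asks for is added, it has to run on `html` before `rendered.html(html)`, not after.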
@@ -504,11 +509,6 b' var IPython = (function (IPython) {'
504 509 };
505 510
506 511
507 HeadingCell.prototype.set_rendered = function (html) {
508 this.element.find("div.text_cell_render").html(html);
509 };
510
511
512 512 HeadingCell.prototype.get_rendered = function () {
513 513 var r = this.element.find("div.text_cell_render");
514 514 return r.children().first().html();
@@ -538,11 +538,13 b' var IPython = (function (IPython) {'
538 538 .attr('href', '#' + hash)
539 539 .text('¶')
540 540 );
541
542 this.set_rendered(h);
541 // TODO: This HTML needs to be treated as potentially dangerous
542 // user input.
543 var rendered = this.element.find("div.text_cell_render");
544 rendered.html(h);
543 545 this.typeset();
544 546 this.element.find('div.text_cell_input').hide();
545 this.element.find("div.text_cell_render").show();
547 rendered.show();
546 548
547 549 };
548 550 return cont;
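Review bot: The TODO at new lines 541–542 repeats the markdown one verbatim without saying where the sanitization must go; here it has to be applied to `h` before `rendered.html(h)` at line 544, because `this.typeset()` on the following line processes whatever is already in the DOM. `h` is built above the hunk, so whether its heading text arrives via `.text()` or as rendered markup cannot be seen here. Suggest making the TODO specific: `// TODO: sanitize h (user-controlled heading markup) before inserting it; must precede typeset().`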
@@ -369,6 +369,7 b' var IPython = (function (IPython) {'
369 369 this._hidden = false;
370 370 this.text.children().remove();
371 371
372 // Any HTML within the docstring is escaped by the fixConsole() method.
372 373 var pre = $('<pre/>').html(utils.fixConsole(docstring));
373 374 if (defstring) {
374 375 var defstring_html = $('<pre/>').html(utils.fixConsole(defstring));
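Review bot: The comment at new line 372 covers only `docstring`, while the `defstring` branch two lines below relies on the same `fixConsole()` escaping and carries no note; one comment above both keeps the audit trail complete: `// docstring and defstring are HTML-escaped by fixConsole() before the .html() calls below.` That `fixConsole()` actually escapes is taken here from the comment, since the helper is not in the hunk. The enclosing function starts and ends outside the hunk.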