wrap caja.sanitizeAttribs to trust data-* attributes
MinRK -
@@ -38,6 +38,27 IPython.security = (function (IPython) {
38 38 return cmp_tree(ac, bc);
39 39 };
40 40
41 var caja;
42 if (window && window.html) {
43 caja = window.html;
44 caja.html4 = window.html4;
45 }
46
47 var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
48 // wrap sanitizeAttribs into trusting data-attributes
49 var ATTRIBS = caja.html4.ATTRIBS;
50 for (var i = 0; i < attribs.length; i += 2) {
51 var attribName = attribs[i];
52 if (attribName.substr(0,5) == 'data-') {
53 var attribKey = '*::' + attribName;
54 if (!ATTRIBS.hasOwnProperty(attribKey)) {
55 ATTRIBS[attribKey] = 0;
56 }
57 }
58 }
59 return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
60 };
61
41 62 var sanitize = function (html, log) {
42 63 // sanitize HTML
43 64 // returns a struct of
@@ -54,7 +75,23 IPython.security = (function (IPython) {
54 75 console.log("HTML Sanitizer", msg, opts);
55 76 result.safe = false;
56 77 };
57 result.sanitized = window.html_sanitize(html, noop, noop, record_messages);
78
79 var html4 = caja.html4;
80 var policy = function (tagName, attribs) {
81 if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
82 return {
83 'attribs': sanitizeAttribs(tagName, attribs,
84 noop, noop, record_messages)
85 };
86 } else {
87 record_messages(tagName + " removed", {
88 change: "removed",
89 tagName: tagName
90 });
91 }
92 };
93
94 result.sanitized = caja.sanitizeWithPolicy(html, policy);
58 95 // caja can strip whole elements without logging,
59 96 // so double-check that node structure didn't change
60 97 if (result.safe) {
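Review bot: The `sanitizeAttribs` wrapper in the first hunk adds each `'*::data-…'` key to the shared `caja.html4.ATTRIBS` table and never removes it, so the grant outlives the current sanitize call and applies to every later user of caja on the page, and the attribute is registered as type `0`, i.e. its value is passed through without any value check. Keeping the data-* handling local to the wrapper avoids mutating the global table: split the data-* pairs off before calling `caja.sanitizeAttribs` and append them to its result, which the `policy` function in the second hunk already treats as the attribute list. In both variants data-* values reach the DOM unchecked, so this trust only holds as long as nothing else on the page acts on arbitrary `data-*` values; that assumption deserves a comment on the wrapper, e.g. `// data-* values are not inspected; safe only while no page script dispatches on untrusted data-* values`. Minor: `attribName.substr(0,5) == 'data-'` is a case-sensitive loose comparison; if caja has not lowercased the name by this point `DATA-x` falls back to the default table (the safe direction), and `===` is sufficient here.
```javascript
var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
    // keep data-* attributes out of caja's table: sanitize the rest, then re-append them
    var dataAttribs = [];
    var otherAttribs = [];
    for (var i = 0; i < attribs.length; i += 2) {
        var attribName = attribs[i];
        if (attribName.substr(0, 5) === 'data-') {
            dataAttribs.push(attribName, attribs[i + 1]);
        } else {
            otherAttribs.push(attribName, attribs[i + 1]);
        }
    }
    var sanitized = caja.sanitizeAttribs(tagName, otherAttribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
    return sanitized.concat(dataAttribs);
};
```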