upstream/ipython Files · IPython/html/tests/base/security.js

Fix blank slides issue in Reveal slideshow pdf export...

Fix blank slides issue in Reveal slideshow pdf export Applied the bugfix made on the original index.html from reveal.js project into the template : - https://github.com/hakimel/reveal.js/commit/08fb6cb2f96a6d97aaa21c35a925ebb59b0b0070

MinRK - - Load All Authors

File last commit:

r15653:f66c0b63


                r16362:3666f59e

Download file

             security.js
        
                    56 lines
            
             | 2.4 KiB
            
                | application/javascript
            
             |
                JavascriptLexer
            
             / IPython / html / tests / base / security.js
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      safe_tests = [

          "<p>Hi there</p>",

          '<h1 class="foo">Hi There!</h1>',

          '<a data-cite="foo">citation</a>',

          '<div><span>Hi There</span></div>',

      ];

      unsafe_tests = [

          "<script>alert(999);</script>",

          '<a onmouseover="alert(999)">999</a>',

          '<a onmouseover=alert(999)>999</a>',

          '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',

          '<IMG SRC=# onmouseover="alert(999)">',

          '<<SCRIPT>alert(999);//<</SCRIPT>',

          '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',

          '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',

          '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',

          '<IFRAME SRC="javascript:alert(999);"></IFRAME>',

          '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',

          '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',

          // CSS is scrubbed

          '<style src="http://untrusted/style.css"></style>',

          '<style>div#notebook { background-color: alert-red; }</style>',

          '<div style="background-color: alert-red;"></div>',

      ];

      var truncate = function (s, n) {

          // truncate a string with an ellipsis

          if (s.length > n) {

              return s.substr(0, n-3) + '...';

          } else {

              return s;

          }

      };

      casper.notebook_test(function () {

          this.each(safe_tests, function (self, item) {

              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

              // string equality may be too strict, but it works for now

              this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");

          });

          this.each(unsafe_tests, function (self, item) {

              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

              this.test.assertNotEquals(sanitized, item, 

                  "Sanitized: '" + truncate(item, 32) + 

                  "' => '" + truncate(sanitized, 32) + "'"

              );

              this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");

          });

      });

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				safe_tests = [
				"<p>Hi there</p>",
				'<h1 class="foo">Hi There!</h1>',
				'<a data-cite="foo">citation</a>',
				'<div><span>Hi There</span></div>',
				];

				unsafe_tests = [
				"<script>alert(999);</script>",
				'<a onmouseover="alert(999)">999</a>',
				'<a onmouseover=alert(999)>999</a>',
				'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
				'<IMG SRC=# onmouseover="alert(999)">',
				'<<SCRIPT>alert(999);//<</SCRIPT>',
				'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
				'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
				'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
				'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
				'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
				'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
				// CSS is scrubbed
				'<style src="http://untrusted/style.css"></style>',
				'<style>div#notebook { background-color: alert-red; }</style>',
				'<div style="background-color: alert-red;"></div>',
				];

				var truncate = function (s, n) {
				// truncate a string with an ellipsis
				if (s.length > n) {
				return s.substr(0, n-3) + '...';
				} else {
				return s;
				}
				};

				casper.notebook_test(function () {
				this.each(safe_tests, function (self, item) {
				var sanitized = self.evaluate(function (item) {
				return IPython.security.sanitize_html(item);
				}, item);

				// string equality may be too strict, but it works for now
				this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
				});

				this.each(unsafe_tests, function (self, item) {
				var sanitized = self.evaluate(function (item) {
				return IPython.security.sanitize_html(item);
				}, item);

				this.test.assertNotEquals(sanitized, item,
				"Sanitized: '" + truncate(item, 32) +
				"' => '" + truncate(sanitized, 32) + "'"
				);
				this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
				});
				});