upstream/ipython Files · IPython/html/tests/base/security.js

Backport PR : Remove -i options from mv, rm and cp aliases...

Backport PR : Remove -i options from mv, rm and cp aliases This was arguably useful in the terminal, but it means these aliases can't be used from any of the ZMQ frontends. And users familiar with the shell shouldn't find the default (non -i) behaviour surprising. Supersedes gh-5729, which accidentally included an unrelated change.

MinRK - - Load All Authors

File last commit:

r15653:f66c0b63


                r16680:b3fa2a86

Download file

             security.js
        
                    56 lines
            
             | 2.4 KiB
            
                | application/javascript
            
             |
                JavascriptLexer
            
             / IPython / html / tests / base / security.js
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      safe_tests = [

          "<p>Hi there</p>",

          '<h1 class="foo">Hi There!</h1>',

          '<a data-cite="foo">citation</a>',

          '<div><span>Hi There</span></div>',

      ];

      unsafe_tests = [

          "<script>alert(999);</script>",

          '<a onmouseover="alert(999)">999</a>',

          '<a onmouseover=alert(999)>999</a>',

          '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',

          '<IMG SRC=# onmouseover="alert(999)">',

          '<<SCRIPT>alert(999);//<</SCRIPT>',

          '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',

          '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',

          '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',

          '<IFRAME SRC="javascript:alert(999);"></IFRAME>',

          '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',

          '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',

          // CSS is scrubbed

          '<style src="http://untrusted/style.css"></style>',

          '<style>div#notebook { background-color: alert-red; }</style>',

          '<div style="background-color: alert-red;"></div>',

      ];

      var truncate = function (s, n) {

          // truncate a string with an ellipsis

          if (s.length > n) {

              return s.substr(0, n-3) + '...';

          } else {

              return s;

          }

      };

      casper.notebook_test(function () {

          this.each(safe_tests, function (self, item) {

              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

              // string equality may be too strict, but it works for now

              this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");

          });

          this.each(unsafe_tests, function (self, item) {

              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

              this.test.assertNotEquals(sanitized, item, 

                  "Sanitized: '" + truncate(item, 32) + 

                  "' => '" + truncate(sanitized, 32) + "'"

              );

              this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");

          });

      });

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				safe_tests = [
				"<p>Hi there</p>",
				'<h1 class="foo">Hi There!</h1>',
				'<a data-cite="foo">citation</a>',
				'<div><span>Hi There</span></div>',
				];

				unsafe_tests = [
				"<script>alert(999);</script>",
				'<a onmouseover="alert(999)">999</a>',
				'<a onmouseover=alert(999)>999</a>',
				'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
				'<IMG SRC=# onmouseover="alert(999)">',
				'<<SCRIPT>alert(999);//<</SCRIPT>',
				'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
				'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
				'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
				'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
				'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
				'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
				// CSS is scrubbed
				'<style src="http://untrusted/style.css"></style>',
				'<style>div#notebook { background-color: alert-red; }</style>',
				'<div style="background-color: alert-red;"></div>',
				];

				var truncate = function (s, n) {
				// truncate a string with an ellipsis
				if (s.length > n) {
				return s.substr(0, n-3) + '...';
				} else {
				return s;
				}
				};

				casper.notebook_test(function () {
				this.each(safe_tests, function (self, item) {
				var sanitized = self.evaluate(function (item) {
				return IPython.security.sanitize_html(item);
				}, item);

				// string equality may be too strict, but it works for now
				this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
				});

				this.each(unsafe_tests, function (self, item) {
				var sanitized = self.evaluate(function (item) {
				return IPython.security.sanitize_html(item);
				}, item);

				this.test.assertNotEquals(sanitized, item,
				"Sanitized: '" + truncate(item, 32) +
				"' => '" + truncate(sanitized, 32) + "'"
				);
				this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
				});
				});