Don't render insecure Markdown and show warning.

12 years ago · 31c9e08fa8
parent fa3f998295
commit 31c9e08fa8
5 changed files with 45 additions and 40 deletions
--- a/IPython/html/static/notebook/js/textcell.js
+++ b/IPython/html/static/notebook/js/textcell.js
@ -20,12 +20,8 @@ var IPython = (function (IPython) {
    "use strict";

    // TextCell base class
-<<<<<<< HEAD
    var keycodes = IPython.keyboard.keycodes;
-=======
-    var key = IPython.utils.keycodes;
    var security = IPython.security;
->>>>>>> 8e23f06... Adding security.js with 1st attempt at is_safe.

    /**
     * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text'
@ -246,6 +242,17 @@ var IPython = (function (IPython) {
        this.element.find('div.text_cell_render').html(text);
    };

+    TextCell.prototype.insert_security_warning = function() {
+        // Inject a security warning into the TextCell's rendered div.
+        var e = this.element.find('div.text_cell_render');
+        e.empty();
+        var warning = "This cell contains content that is unsafe from a security " +
+                      "standpoint. This unsafe content includes all JavaScript code " +
+                      "and CSS styling. To fix the problem, please edit the cell " +
+                      "and remove the unsafe content."
+        e.append($('<div/>').addClass('alert alert-error').text(warning));
+    }
+
    /**
     * @method at_top
     * @return {Boolean}
@ -349,26 +356,20 @@ var IPython = (function (IPython) {
            text = text_and_math[0];
            math = text_and_math[1];
            var html = marked.parser(marked.lexer(text));
-            html = $(IPython.mathjaxutils.replace_math(html, math));
-            // Links in markdown cells should open in new tabs.
-            html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
-            try {
-                // TODO: This HTML needs to be treated as potentially dangerous
-                // user input and should be handled before set_rendered.         
+            var safe = security.is_safe(html);
+            if (safe) {
+                html = $(IPython.mathjaxutils.replace_math(html, math));
+                // links in markdown cells should open in new tabs
+                html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
                this.set_rendered(html);
-            } catch (e) {
-                console.log("Error running Javascript in Markdown:");
-                console.log(e);
-                this.set_rendered(
-                    $("<div/>")
-                        .append($("<div/>").text('Error rendering Markdown!').addClass("js-error"))
-                        .append($("<div/>").text(e.toString()).addClass("js-error"))
-                        .html()
-                );
+            } else {
+                this.insert_security_warning();
            }
            this.element.find('div.input_area').hide();
            this.element.find("div.text_cell_render").show();
-            this.typeset();
+            if (safe) {
+                this.typeset();
+            }
        }
        return cont;
    };
@ -533,24 +534,24 @@ var IPython = (function (IPython) {
            text = text_and_math[0];
            math = text_and_math[1];
            var html = marked.parser(marked.lexer(text));
-            var h = $(IPython.mathjaxutils.replace_math(html, math));
-            // add id and linkback anchor
-            var hash = h.text().replace(/ /g, '-');
-            h.attr('id', hash);
-            h.append(
-                $('<a/>')
-                    .addClass('anchor-link')
-                    .attr('href', '#' + hash)
-                    .text('¶')
-            );
-            // TODO: This HTML needs to be treated as potentially dangerous
-            // user input and should be handled before set_rendered.         
-            this.set_rendered(h);
-            this.typeset();
-            this.element.find('div.input_area').hide();
+            var safe = security.is_safe(html);
+            if (safe) {
+                var h = $(IPython.mathjaxutils.replace_math(html, math));
+                // add id and linkback anchor
+                var hash = h.text().replace(/ /g, '-');
+                h.attr('id', hash);
+                h.append(
+                    $('<a/>')
+                        .addClass('anchor-link')
+                        .attr('href', '#' + hash)
+                        .text('¶')
+                );
+                this.set_rendered(h);
+            } else {
+                this.insert_security_warning();
+            }
+            this.element.find('div.text_cell_input').hide();
            this.element.find("div.text_cell_render").show();
-
-        }
        return cont;
    };

--- a/IPython/html/static/notebook/less/style_noapp.less
+++ b/IPython/html/static/notebook/less/style_noapp.less
@ -7,4 +7,4 @@
@import "outputarea.less";
@import "renderedhtml.less";
@import "textcell.less";
-@import "widgets.less";
+@import "../../widgets/less/widgets.less";
--- a/IPython/html/static/notebook/less/textcell.less
+++ b/IPython/html/static/notebook/less/textcell.less
@ -11,6 +11,10 @@ div.text_cell_render {
    border-style: none;
    padding: 0.5em 0.5em 0.5em @code_padding;
    color: @textColor;
+    
+    .alert.alert-error {
+        margin: 0px;
+    }
 }

 a.anchor-link:link {
--- a/IPython/html/static/style/ipython.min.css
+++ b/IPython/html/static/style/ipython.min.css
@ -166,7 +166,7 @@ p.p-space{margin-bottom:10px}
 .rendered_html img{display:block;margin-left:auto;margin-right:auto}
 .rendered_html *+img{margin-top:1em}
 div.text_cell{padding:5px 5px 5px 0;display:-webkit-box;-webkit-box-orient:horizontal;-webkit-box-align:stretch;display:-moz-box;-moz-box-orient:horizontal;-moz-box-align:stretch;display:box;box-orient:horizontal;box-align:stretch;display:flex;flex-direction:row;align-items:stretch}
-div.text_cell_render{outline:none;resize:none;width:inherit;border-style:none;padding:.5em .5em .5em .4em;color:#000}
+div.text_cell_render{outline:none;resize:none;width:inherit;border-style:none;padding:.5em .5em .5em .4em;color:#000}div.text_cell_render .alert.alert-error{margin:0}
 a.anchor-link:link{text-decoration:none;padding:0 20px;visibility:hidden}
 h1:hover .anchor-link,h2:hover .anchor-link,h3:hover .anchor-link,h4:hover .anchor-link,h5:hover .anchor-link,h6:hover .anchor-link{visibility:visible}
 div.cell.text_cell.rendered{padding:0}
--- a/IPython/html/static/style/style.min.css
+++ b/IPython/html/static/style/style.min.css
@ -1443,7 +1443,7 @@ p.p-space{margin-bottom:10px}
 .rendered_html img{display:block;margin-left:auto;margin-right:auto}
 .rendered_html *+img{margin-top:1em}
 div.text_cell{padding:5px 5px 5px 0;display:-webkit-box;-webkit-box-orient:horizontal;-webkit-box-align:stretch;display:-moz-box;-moz-box-orient:horizontal;-moz-box-align:stretch;display:box;box-orient:horizontal;box-align:stretch;display:flex;flex-direction:row;align-items:stretch}
-div.text_cell_render{outline:none;resize:none;width:inherit;border-style:none;padding:.5em .5em .5em .4em;color:#000}
+div.text_cell_render{outline:none;resize:none;width:inherit;border-style:none;padding:.5em .5em .5em .4em;color:#000}div.text_cell_render .alert.alert-error{margin:0}
 a.anchor-link:link{text-decoration:none;padding:0 20px;visibility:hidden}
 h1:hover .anchor-link,h2:hover .anchor-link,h3:hover .anchor-link,h4:hover .anchor-link,h5:hover .anchor-link,h6:hover .anchor-link{visibility:visible}
 div.cell.text_cell.rendered{padding:0}