From 6c5a4ec11565e497867aad52b58cc7c8669090e3 Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier
Date: Sat, 17 Jan 2015 16:46:06 +0100
Subject: [PATCH 1/2] Sanitize dialog text-body.
Mitigate 7486, could probably be improved, but treat text as pure text, but assume that when received a dome element it actually come from a secure source. Sanitizing all we get, including Dom Element break json-metadata editor and a few others.
---
IPython/html/static/base/js/dialog.js | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/IPython/html/static/base/js/dialog.js b/IPython/html/static/base/js/dialog.js
index 25d03d9dd..97aa47d91 100644
--- a/IPython/html/static/base/js/dialog.js
+++ b/IPython/html/static/base/js/dialog.js
@@ -1,12 +1,12 @@
// Copyright (c) IPython Development Team.
// Distributed under the terms of the Modified BSD License.
-define([
- 'base/js/namespace',
- 'jquery',
- 'codemirror/lib/codemirror',
-], function(IPython, $, CodeMirror) {
+define(function(require) {
"use strict";
+
+ var CodeMirror = require('codemirror/lib/codemirror');
+ var IPython = require('base/js/namespace');
+ var $ = require('jquery');
var modal = function (options) {
@@ -20,6 +20,9 @@ define([
var dialog_content = $("
") .addClass("modal-content") .appendTo(dialog); + if(typeof(options.body) === 'string'){ + options.body = $("

").text(options.body) + } dialog_content.append( $("

") .addClass("modal-header") @@ -32,7 +35,7 @@ define([ ).append( $("

") .addClass('modal-title') - .text(options.title || "") + .text(options.title || "No Title") ) ).append( $("
").addClass("modal-body").append( From b52467a9669e2e81e8af87ea6fe8e83cc4f36de0 Mon Sep 17 00:00:00 2001 From: Bussonnier Matthias Date: Tue, 20 Jan 2015 15:29:08 +0100 Subject: [PATCH 2/2] sanitize only of text and not explicitely asked not to. also some docs. --- IPython/html/static/base/js/dialog.js | 33 +++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/IPython/html/static/base/js/dialog.js b/IPython/html/static/base/js/dialog.js index 97aa47d91..79ac239d5 100644 --- a/IPython/html/static/base/js/dialog.js +++ b/IPython/html/static/base/js/dialog.js @@ -8,6 +8,35 @@ define(function(require) { var IPython = require('base/js/namespace'); var $ = require('jquery'); + /** + * A wrapper around bootstrap modal for easier use + * Pass it an option dictionary with the following properties: + * + * - body : or , main content of the dialog + * if pass a it will be wrapped in a p tag and + * html element escaped, unless you specify sanitize=false + * option. + * - title : Dialog title, default to empty string. + * - buttons : dict of btn_options who keys are button label. + * see btn_options below for description + * - open : callback to trigger on dialog open. + * - destroy: + * - notebook : notebook instance + * - keyboard_manager: keyboard manager instance. + * + * Unlike bootstrap modals, the backdrop options is set by default + * to 'static'. + * + * The rest of the options are passed as is to bootstrap modals. + * + * btn_options: dict with the following property: + * + * - click : callback to trigger on click + * - class : css classes to add to button. + * + * + * + **/ var modal = function (options) { var modal = $("
") @@ -20,7 +49,7 @@ define(function(require) { var dialog_content = $("
") .addClass("modal-content") .appendTo(dialog); - if(typeof(options.body) === 'string'){ + if(typeof(options.body) === 'string' && options.sanitize !== false){ options.body = $("

").text(options.body) } dialog_content.append( @@ -35,7 +64,7 @@ define(function(require) { ).append( $("

") .addClass('modal-title') - .text(options.title || "No Title") + .text(options.title || "") ) ).append( $("
").addClass("modal-body").append(