remove security.is_safe

MinRK 12 years ago
parent d59e44a190
commit d4780c2cfc

@ -17,27 +17,6 @@ IPython.security = (function (IPython) {
var noop = function (x) { return x; };
var cmp_tree = function (a, b) {
// compare two HTML trees
// only checks the tag structure is preserved,
// not any attributes or contents
if (a.length !== b.length) {
return false;
}
for (var i = a.length - 1; i >= 0; i--) {
if ((a[i].tagName || '').toLowerCase() != (b[i].tagName || '').toLowerCase()) {
return false;
}
}
var ac = a.children();
var bc = b.children();
if (ac.length === 0 && bc.length === 0) {
return true;
}
return cmp_tree(ac, bc);
};
var caja;
if (window && window.html) {
caja = window.html;
@ -151,24 +130,8 @@ IPython.security = (function (IPython) {
return sanitize(html).sanitized;
};
var is_safe = function (html) {
// just return bool for whether an HTML string is safe
// this is not currently used for anything other than tests.
var result = sanitize(html);
// caja can strip whole elements without logging,
// so double-check that node structure didn't change
if (result._maybe_safe) {
result.safe = cmp_tree($(result.sanitized), $(html));
} else {
result.safe = false;
}
return result.safe;
};
return {
caja: caja,
is_safe: is_safe,
sanitize: sanitize,
sanitize_html: sanitize_html
};
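Review bot: With `is_safe` removed, `sanitize_html` is the only surviving public entry point that exposes the sanitizer result, and at `return sanitize(html).sanitized;` it hands back the string alone, so the rationale recorded in the deleted block — that caja can strip whole elements without logging — no longer appears anywhere a caller of the remaining API can see it. A comment at the head of `sanitize_html` would preserve that knowledge, e.g. `// NOTE: caja may drop whole elements without reporting it; callers receive only the sanitized string, never a safe/unsafe verdict.` The body of `sanitize_html` begins before this hunk, so only its final `return` and the exported object are visible here.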

@ -3,7 +3,6 @@ safe_tests = [
'<h1 class="foo">Hi There!</h1>',
'<a data-cite="foo">citation</a>',
'<div><span>Hi There</span></div>',
'<style>div.foo { background: #ffff; }</style>',
];
unsafe_tests = [
@ -18,29 +17,41 @@ unsafe_tests = [
'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
'<style src="http://untrusted/style.css"></style>',
'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
// CSS is scrubbed
'<style src="http://untrusted/style.css"></style>',
'<style>div#notebook { background-color: alert-red; }</style>',
'<div style="background-color: alert-red;"></div>',
];
var truncate = function (s, n) {
// truncate a string with an ellipsis
if (s.length > n) {
return s.substr(0, n-3) + '...';
} else {
return s;
}
};
casper.notebook_test(function () {
this.each(safe_tests, function (self, item) {
var is_safe = self.evaluate(function (item) {
return IPython.security.is_safe(item);
}, item);
var sanitized = self.evaluate(function (item) {
return IPython.security.sanitize_html(item);
}, item);
this.test.assert(is_safe, "Safe: " + item);
// string equality may be too strict, but it works for now
this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
});
this.each(unsafe_tests, function (self, item) {
var is_safe = self.evaluate(function (item) {
return IPython.security.is_safe(item);
}, item);
this.test.assert(!is_safe, "Unsafe: " + item);
var sanitized = self.evaluate(function (item) {
return IPython.security.sanitize_html(item);
}, item);
this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);
this.test.assertNotEquals(sanitized, item,
"Sanitized: '" + truncate(item, 32) +
"' => '" + truncate(sanitized, 32) + "'"
);
this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
});
});
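Review bot: The unsafe-case oracle `this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);` only proves something for entries whose payload contains the literal `alert`; the `<style src="http://untrusted/style.css"></style>` entry has no such string, so for it the whole check collapses to `assertNotEquals(sanitized, item)`, which passes for any change to the markup whatsoever. A targeted assertion such as `this.test.assertEquals(sanitized.indexOf("untrusted"), -1, "external stylesheet removed: " + item);` would pin the property that entry exists to test. The same `indexOf("alert")` assertion appears twice in this block (the second with the `"alert removed"` message), and `'<style src="http://untrusted/style.css"></style>'` appears twice in `unsafe_tests`; if both copies are on the new side one of each is redundant, though the rendered view may simply have lost the old/new marker on one of them.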