Adding security.js with 1st attempt at is_safe.

IPython/html/static/base/js/security.js

@@ -0,0 +1,52 @@
+//----------------------------------------------------------------------------
+//  Copyright (C) 2014  The IPython Development Team
+//
+//  Distributed under the terms of the BSD License.  The full license is in
+//  the file COPYING, distributed as part of this software.
+//----------------------------------------------------------------------------
+
+//============================================================================
+// Utilities
+//============================================================================
+IPython.namespace('IPython.security');
+
+IPython.security = (function (IPython) {
+    "use strict";
+
+    var utils = IPython.utils;
+
+    var is_safe = function (html) {
+        // Is the html string safe against JavaScript based attacks. This
+        // detects 1) black listed tags, 2) blacklisted attributes, 3) all
+        // event attributes (onhover, onclick, etc.).
+        var black_tags = ['script', 'style'];
+        var black_attrs = ['style'];
+        var wrapped_html = '<div>'+html+'</div>';
+        var e = $(wrapped_html);
+        var safe = true;
+        // Detect black listed tags
+        $.map(black_tags, function (tag, index) {
+            if (e.find(tag).length > 0) {
+                safe = false;
+            }
+        });
+        // Detect black listed attributes
+        $.map(black_attrs, function (attr, index) {
+            if (e.find('['+attr+']').length > 0) {
+                safe = false;
+            }
+        });
+        e.find('*').each(function (index) {
+            $.map(utils.get_attr_names($(this)), function (attr, index) {
+                if (attr.match('^on')) {safe = false;}
+            });
+        })
+        return safe;
+    }
+
+    return {
+        is_safe: is_safe
+    };
+
+}(IPython));
+

IPython/html/static/base/js/utils.js

@@ -488,6 +488,15 @@ IPython.utils = (function (IPython) {
         }
     }
 
+    var get_attr_names = function (e) {
+        // Get the names of all the HTML attributes of the element e.
+        var el = $(e)[0];
+        var arr = [];
+        for (var i=0, attrs=el.attributes, l=attrs.length; i<l; i++){
+            arr.push(attrs.item(i).nodeName);
+        }
+        return arr;
+    }
 
     return {
         regex_split : regex_split,
@@ -507,7 +516,8 @@ IPython.utils = (function (IPython) {
         browser : browser,
         platform: platform,
         is_or_has : is_or_has,
-        is_focused : is_focused
+        is_focused : is_focused,
+        get_attr_names: get_attr_names
     };
 
 }(IPython));

IPython/html/static/notebook/js/textcell.js

@@ -20,7 +20,12 @@ var IPython = (function (IPython) {
     "use strict";
 
     // TextCell base class
+<<<<<<< HEAD
     var keycodes = IPython.keyboard.keycodes;
+=======
+    var key = IPython.utils.keycodes;
+    var security = IPython.security;
+>>>>>>> 8e23f06... Adding security.js with 1st attempt at is_safe.
 
     /**
      * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text'

IPython/html/templates/notebook.html

@@ -318,6 +318,7 @@ class="notebook_app"
 <script src="{{ static_url("base/js/events.js") }}" type="text/javascript" charset="utf-8"></script>
 <script src="{{ static_url("base/js/utils.js") }}" type="text/javascript" charset="utf-8"></script>
 <script src="{{ static_url("base/js/keyboard.js") }}" type="text/javascript" charset="utf-8"></script>
+<script src="{{ static_url("base/js/security.js") }}" type="text/javascript" charset="utf-8"></script>
 <script src="{{ static_url("base/js/dialog.js") }}" type="text/javascript" charset="utf-8"></script>
 <script src="{{ static_url("services/kernels/js/kernel.js") }}" type="text/javascript" charset="utf-8"></script>
 <script src="{{ static_url("services/kernels/js/comm.js") }}" type="text/javascript" charset="utf-8"></script>