//----------------------------------------------------------------------------
//  Copyright (C) 2014  The IPython Development Team
//
//  Distributed under the terms of the BSD License.  The full license is in
//  the file COPYING, distributed as part of this software.
//----------------------------------------------------------------------------

//============================================================================
// Utilities
//============================================================================
IPython.namespace('IPython.security');

IPython.security = (function (IPython) {
    "use strict";

    var utils = IPython.utils;

    var is_safe = function (html) {
        // Is the html string safe against JavaScript based attacks. This
        // detects 1) black listed tags, 2) blacklisted attributes, 3) all
        // event attributes (onhover, onclick, etc.).
        var black_tags = ['script', 'style', 'meta', 'iframe', 'embed'];
        var black_attrs = ['style'];
        var wrapped_html = '<div>'+html+'</div>';
        // First try to parse the HTML. All invalid HTML is unsafe.
        try {
            var bad_elem = $(wrapped_html);
        } catch (e) {
            return false;
        }
        var safe = true;
        // Detect black listed tags
        $.map(black_tags, function (tag, index) {
            if (bad_elem.find(tag).length > 0) {
                safe = false;
            }
        });
        // Detect black listed attributes
        $.map(black_attrs, function (attr, index) {
            if (bad_elem.find('['+attr+']').length > 0) {
                safe = false;
            }
        });
        bad_elem.find('*').each(function (index) {
            $.map(utils.get_attr_names($(this)), function (attr, index) {
                if (attr.match('^on')) {safe = false;}
            });
        })
        return safe;
    }

    return {
        is_safe: is_safe
    };

}(IPython));