//----------------------------------------------------------------------------
// Copyright (C) 2014 The IPython Development Team
//
// Distributed under the terms of the BSD License. The full license is in
// the file COPYING, distributed as part of this software.
//----------------------------------------------------------------------------
//============================================================================
// Utilities
//============================================================================
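IPython.namespace('IPython.security');

IPython.security = (function (IPython) {
    "use strict";

    // Identity function; handed to caja wherever it expects a rewriter or
    // policy hook but this module wants the value passed through untouched.
    var noop = function (x) { return x; };

    // caja's HTML sanitizer is loaded as a plain script that installs
    // `html`, `html4` and `sanitizeStylesheet` on `window`; gather them under
    // one object. `caja` stays undefined when that script is not present.
    var caja;
    if (window && window.html) {
        caja = window.html;
        caja.html4 = window.html4;
        caja.sanitizeStylesheet = window.sanitizeStylesheet;
    }

    var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
        // Wrapper around caja.sanitizeAttribs that additionally lets `data-*`
        // attributes (on any tag) through.
        // this function is mostly copied from the caja source
        //
        // attribs is caja's flat [name, value, name, value, ...] list, hence
        // the step of 2.
        //
        // NOTE: each newly seen data-* attribute is registered in the shared
        // caja.html4.ATTRIBS table, so the allow-list grows for the lifetime of
        // the page and is visible to every other user of caja, not just this
        // module.
        var ATTRIBS = caja.html4.ATTRIBS;
        for (var i = 0; i < attribs.length; i += 2) {
            var attribName = attribs[i];
            if (attribName.slice(0, 5) === 'data-') {
                // caja keys attributes as '<tag>::<name>'; '*' matches any tag
                var attribKey = '*::' + attribName;
                if (!ATTRIBS.hasOwnProperty(attribKey)) {
                    // 0: the value is not type-checked by caja -- confirm
                    // against html4.atype in the loaded caja build
                    ATTRIBS[attribKey] = 0;
                }
            }
        }
        return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
    };

    var sanitize_css = function (css, tagPolicy) {
        // sanitize CSS
        // like sanitize_html, but for CSS
        // called by sanitize_stylesheets
        //
        // window.location.pathname is presumably the base URL caja uses for
        // url() references in the stylesheet -- confirm against caja.
        // noop as virtualizeAttrName and as the final rewriter argument means
        // names and URIs are handed back unchanged.
        return caja.sanitizeStylesheet(
            window.location.pathname,
            css,
            {
                containerClass: null,
                idSuffix: '',
                tagPolicy: tagPolicy,
                virtualizeAttrName: noop
            },
            noop
        );
    };

    var sanitize_stylesheets = function (html, tagPolicy) {
        // sanitize just the css in style tags in a block of html
        // called by sanitize_html, if allow_css is true
        //
        // The markup is parsed into a detached jQuery element, the body of
        // every <style> is run through sanitize_css, and the tree is
        // re-serialized with .html() -- so the output is not guaranteed to be
        // byte-identical to the input even when nothing was changed.
        var h = $("<div/>").append(html);
        var style_tags = h.find("style");
        if (!style_tags.length) {
            // no style tags to sanitize; hand the input back untouched
            return html;
        }
        style_tags.each(function (i, style) {
            style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
        });
        return h.html();
    };

    var sanitize_html = function (html, allow_css) {
        // sanitize HTML
        // if allow_css is true (default: false), CSS is sanitized as well.
        // otherwise, CSS elements and attributes are simply removed.
        //
        // Returns the sanitized markup as a string.
        // Throws an Error when the caja sanitizer was not loaded (see `caja`
        // above), instead of failing with a TypeError deep inside.
        //
        // NOTE: the style ELEMENTS/ATTRIBS flags are flipped on caja's shared
        // html4 tables, so whatever allow_css the most recent call used is what
        // any other caja user on the page sees afterwards.
        if (!caja) {
            throw new Error("IPython.security.sanitize_html: caja HTML sanitizer is not loaded");
        }
        var html4 = caja.html4;

        if (allow_css) {
            // allow sanitization of style tags,
            // not just scrubbing
            html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.STYLE;
        } else {
            // scrub all CSS
            html4.ELEMENTS.style |= html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.SCRIPT;
        }
        // NOTE(review): sanitizeAttribs above keys ATTRIBS as '*::<name>';
        // whether the bare 'style' key written here is the one caja consults
        // for the style attribute should be confirmed against the html4 tables.

        var record_messages = function (msg, opts) {
            // caja logger hook: everything the sanitizer drops or rewrites is
            // reported here, so the console is the audit trail for a
            // sanitization pass.
            console.log("HTML Sanitizer", msg, opts);
        };

        var policy = function (tagName, attribs) {
            // Tag policy for caja.sanitizeWithPolicy: a tag not flagged UNSAFE
            // keeps its attributes after sanitizeAttribs; an UNSAFE tag gets no
            // policy object back (caja removes it, as the logged message says).
            // The two noop arguments mean URIs and name tokens are not
            // rewritten by this module; any scheme filtering is caja's own --
            // confirm against caja.sanitizeAttribs.
            if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
                return {
                    'attribs': sanitizeAttribs(tagName, attribs,
                        noop, noop, record_messages)
                };
            }
            record_messages(tagName + " removed", {
                change: "removed",
                tagName: tagName
            });
        };

        var sanitized = caja.sanitizeWithPolicy(html, policy);

        if (allow_css) {
            // sanitize style tags as stylesheets.
            // (previously `result.sanitized`: `result` was never defined, so
            // every allow_css call threw a ReferenceError instead of returning)
            sanitized = sanitize_stylesheets(sanitized, policy);
        }

        return sanitized;
    };

    return {
        caja: caja,
        sanitize_html: sanitize_html
    };

}(IPython));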