// Copyright (c) IPython Development Team.
// Distributed under the terms of the Modified BSD License.
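define([
    'base/js/namespace',
    'jquery',
    'components/google-caja/html-css-sanitizer-minified',
], function(IPython, $) {
    "use strict";

    // Identity function. Handed to caja wherever it expects a URI rewriter,
    // nmToken policy or attribute-name virtualizer, so those inputs pass
    // through unchanged.
    var noop = function (x) { return x; };

    // The caja bundle required above installs itself as globals
    // (window.html, window.html4, window.sanitizeStylesheet); collect them on
    // one object. If the bundle did not load, `caja` stays undefined and the
    // sanitize_* functions below throw instead of returning unsanitized input.
    var caja;
    if (typeof window !== "undefined" && window.html) {
        caja = window.html;
        caja.html4 = window.html4;
        caja.sanitizeStylesheet = window.sanitizeStylesheet;
    }

    var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
        /**
         * Wrap caja.sanitizeAttribs so that `data-*` attributes are trusted.
         *
         * Every data-* attribute encountered is registered in caja's global
         * ATTRIBS table under the wildcard key '*::<name>' with type 0
         * (caja's NONE type, so the value is passed through). NOTE: that table
         * is shared, so the registration persists for all later sanitize calls
         * by any user of the caja globals. data-* attributes are inert by
         * themselves, but scripts already present on the page may act on them.
         *
         * tagName  - element name
         * attribs  - flat array [name0, value0, name1, value1, ...]
         * The optional rewriter, nmToken policy and logger are forwarded as-is.
         * Returns the result of caja.sanitizeAttribs.
         */
        var ATTRIBS = caja.html4.ATTRIBS;
        for (var i = 0; i < attribs.length; i += 2) {
            var attribName = attribs[i];
            if (attribName.substr(0, 5) === 'data-') {
                var attribKey = '*::' + attribName;
                if (!ATTRIBS.hasOwnProperty(attribKey)) {
                    ATTRIBS[attribKey] = 0;
                }
            }
        }
        return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
    };

    var sanitize_css = function (css, tagPolicy) {
        /**
         * Sanitize a block of CSS text with caja.sanitizeStylesheet.
         *
         * Like sanitize_html, but for CSS; called by sanitize_stylesheets.
         * The current page path is passed as the base URI, no container class
         * or id suffix is applied, and `noop` serves as both the attribute-name
         * virtualizer and the URI rewriter, so url() references in the CSS are
         * kept as written rather than rewritten.
         *
         * css       - stylesheet text
         * tagPolicy - element policy (the one built by sanitize_html)
         * Returns the sanitized CSS string.
         */
        return caja.sanitizeStylesheet(
            window.location.pathname,
            css,
            {
                containerClass: null,
                idSuffix: '',
                tagPolicy: tagPolicy,
                virtualizeAttrName: noop
            },
            noop
        );
    };

    var sanitize_stylesheets = function (html, tagPolicy) {
        /**
         * Sanitize only the CSS inside <style> tags of an HTML string.
         *
         * Called by sanitize_html when allow_css is true, on the output of
         * caja.sanitizeWithPolicy. Nothing but the style bodies is touched
         * here, so this helper must only be given markup that has already
         * been sanitized.
         *
         * html      - sanitized HTML string
         * tagPolicy - element policy forwarded to sanitize_css
         * Returns `html` unchanged when it contains no <style> tags, otherwise
         * the re-serialized markup with sanitized style bodies.
         */
        var container = $("<div/>").append(html);
        var styleTags = container.find("style");
        if (!styleTags.length) {
            // nothing to do; avoid a needless re-serialization
            return html;
        }
        styleTags.each(function (i, style) {
            style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
        });
        return container.html();
    };

    var sanitize_html = function (html, allow_css) {
        /**
         * Sanitize an HTML string with caja.
         *
         * If allow_css is true (default: false), <style> tags and style
         * attributes are kept and their CSS is sanitized as well; otherwise
         * CSS elements and attributes are simply removed.
         *
         * NOTE: the allow_css setting is applied by toggling the shared
         * caja.html4 tables (ELEMENTS.style, ATTRIBS.style) on every call, so
         * the most recent call's setting is what any other user of the caja
         * globals sees.
         *
         * html      - untrusted HTML string
         * allow_css - keep and sanitize CSS instead of stripping it
         * Returns the sanitized HTML string. Throws if the caja bundle is not
         * loaded, so input is never handed back unsanitized.
         */
        if (!caja) {
            throw new Error("HTML Sanitizer: caja is not loaded");
        }
        var html4 = caja.html4;

        if (allow_css) {
            // clear UNSAFE so <style> survives `policy`, and type the style
            // attribute as STYLE so caja sanitizes it rather than dropping it
            html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.STYLE;
        } else {
            // flag <style> UNSAFE (removed by `policy`) and type the style
            // attribute as SCRIPT so caja strips it
            html4.ELEMENTS.style |= html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.SCRIPT;
        }

        var record_messages = function (msg, opts) {
            console.log("HTML Sanitizer", msg, opts);
        };

        // Element policy handed to caja: elements flagged UNSAFE yield
        // undefined (caja drops them, and the removal is logged); all others
        // keep the tag with their attributes run through sanitizeAttribs.
        var policy = function (tagName, attribs) {
            if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
                return {
                    'attribs': sanitizeAttribs(tagName, attribs,
                                               noop, noop, record_messages)
                };
            } else {
                record_messages(tagName + " removed", {
                    change: "removed",
                    tagName: tagName
                });
            }
        };

        var sanitized = caja.sanitizeWithPolicy(html, policy);

        if (allow_css) {
            // second pass: sanitize the surviving <style> bodies as stylesheets
            // (operates on `sanitized`, the output of the pass above)
            sanitized = sanitize_stylesheets(sanitized, policy);
        }

        return sanitized;
    };

    var security = {
        caja: caja,
        sanitize_html: sanitize_html
    };

    IPython.security = security;

    return security;
});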