Adding security.js with 1st attempt at is_safe #4973
4 commits
524c545
Adding security.js with 1st attempt at is_safe.
ellisonbg db6607f
Don't render insecure Markdown and show warning.
ellisonbg 01c8ac1
Display safe HTML+SVG even if untrusted, but don't set trusted=1.
ellisonbg 360ef93
Adding first round of security tests of is_safe.
ellisonbg File filter
@@ -0,0 +1,57 @@ | ||
//---------------------------------------------------------------------------- | ||
// Copyright (C) 2014 The IPython Development Team | ||
// | ||
// Distributed under the terms of the BSD License. The full license is in | ||
// the file COPYING, distributed as part of this software. | ||
//---------------------------------------------------------------------------- | ||
|
||
//============================================================================ | ||
// Utilities | ||
//============================================================================ | ||
IPython.namespace('IPython.security'); | ||
|
||
IPython.security = (function (IPython) { | ||
"use strict"; | ||
|
||
var utils = IPython.utils; | ||
|
||
var is_safe = function (html) { | ||
// Is the html string safe against JavaScript based attacks. This | ||
// detects 1) black listed tags, 2) blacklisted attributes, 3) all | ||
// event attributes (onhover, onclick, etc.). | ||
var black_tags = ['script', 'style', 'meta', 'iframe', 'embed']; | ||
var black_attrs = ['style']; | ||
var wrapped_html = '<div>'+html+'</div>'; | ||
// First try to parse the HTML. All invalid HTML is unsafe. | ||
try { | ||
var bad_elem = $(wrapped_html); | ||
} catch (e) { | ||
return false; | ||
} | ||
var safe = true; | ||
// Detect black listed tags | ||
$.map(black_tags, function (tag, index) { | ||
if (bad_elem.find(tag).length > 0) { | ||
safe = false; | ||
} | ||
}); | ||
// Detect black listed attributes | ||
$.map(black_attrs, function (attr, index) { | ||
if (bad_elem.find('['+attr+']').length > 0) { | ||
safe = false; | ||
} | ||
}); | ||
bad_elem.find('*').each(function (index) { | ||
$.map(utils.get_attr_names($(this)), function (attr, index) { | ||
if (attr.match('^on')) {safe = false;} | ||
}); | ||
}) | ||
return safe; | ||
} | ||
|
||
return { | ||
is_safe: is_safe | ||
}; | ||
|
||
}(IPython)); | ||
|
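Review bot: `var bad_elem = $(wrapped_html);` at the top of is_safe parses the untrusted string into live elements owned by the page's own document, so the markup can act while it is being inspected: an inline handler such as `onerror` on an `<img>` runs as soon as the element is created, even though the nodes are never attached, and resource URLs in the fragment may be fetched. Parse into an inert document instead, which runs no scripts, loads no resources and fires no handlers: `var doc = document.implementation.createHTMLDocument(''); doc.body.innerHTML = html; var bad_elem = $(doc.body);`, keeping the existing try/catch around it. Note also that neither `$()` nor `innerHTML` normally throws on malformed input, so the comment `All invalid HTML is unsafe` describes a branch that is unlikely to be taken; the comment should say what the catch actually covers, or the claim should be dropped. Finally, the attribute scan only rejects names starting with `on`, so URL-valued attributes such as `href`/`src` carrying a `javascript:` scheme on a tag outside black_tags pass unchecked; a whitelist of permitted tags and attributes is easier to keep correct than extending the blacklist case by case.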
@@ -0,0 +1,35 @@ | ||
safe_tests = [ | ||
"<p>Hi there</p>", | ||
'<h1 class="foo">Hi There!</h1>', | ||
'<div><span>Hi There</span></div>' | ||
]; | ||
|
||
unsafe_tests = [ | ||
"<script>alert(999);</script>", | ||
'<a onmouseover="alert(999)">999</a>', | ||
'<a onmouseover=alert(999)>999</a>', | ||
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', | ||
'<IMG SRC=# onmouseover="alert(999)">', | ||
'<<SCRIPT>alert(999);//<</SCRIPT>', | ||
'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', | ||
'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', | ||
'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">', | ||
'<IFRAME SRC="javascript:alert(999);"></IFRAME>', | ||
'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', | ||
'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', | ||
]; | ||
|
||
casper.notebook_test(function () { | ||
this.each(safe_tests, function (self, item) { | ||
var is_safe = self.evaluate(function (item) { | ||
return IPython.security.is_safe(item); | ||
}, item); | ||
this.test.assert(is_safe, item); | ||
}); | ||
this.each(unsafe_tests, function (self, item) { | ||
var is_safe = self.evaluate(function (item) { | ||
return IPython.security.is_safe(item); | ||
}, item); | ||
this.test.assert(!is_safe, item); | ||
}); | ||
}); |
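Review bot: Every `javascript:` URL in unsafe_tests sits on a `META` or `IFRAME` element, so each of those cases is rejected by the tag blacklist alone and the suite never shows whether a script-scheme URL in an ordinary attribute is caught; add a case on a tag that is not blacklisted, e.g. `'<a href="javascript:alert(999)">999</a>'`, and a matching entry in safe_tests with a plain `href` so a fix is not over-broad. `safe_tests` and `unsafe_tests` are assigned without `var`, which makes them implicit globals in the casper script; declare both with `var`. The unsafe list also names a real external host (`ha.ckers.org`); if the implementation under test ever renders the markup while checking it, the test run would reach out to that host, so a non-routable placeholder URL is preferable.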
Is CSS dangerous? Blacklisting style seems a bit dramatic.