Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit .html() calls take #2 #5175

Merged
merged 5 commits into from Feb 28, 2014
Merged

Audit .html() calls take #2 #5175

merged 5 commits into from Feb 28, 2014

Conversation

jdfreder
Copy link
Member

sequel to #5041
closes #5034

minrk
minrk reviewed Feb 20, 2014
View reviewed changes
IPython/html/static/notebook/js/outputarea.js
@@ -447,6 +446,8 @@ var IPython = (function (IPython) {
var pre = this.element.find('div.'+subclass).last().find('pre');
var html = utils.fixCarriageReturn(
pre.html() + utils.fixConsole(text));
// The only user content injected with with this HTML call is
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with with

@jdfreder
Copy link
Member Author

@minrk I moved the todos into the set_rendered methods and replaced the with with typo's (copied and pasted a couple places).

minrk
minrk reviewed Feb 21, 2014
View reviewed changes
IPython/html/static/notebook/js/textcell.js
@@ -245,6 +245,8 @@ var IPython = (function (IPython) {
* @method set_rendered
*/
TextCell.prototype.set_rendered = function(text) {
// TODO: This HTML needs to be treated as potentially dangerous
// user input.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This suggests that this method should be made safe in a future fix, which I do not think is true. set_rendered ought to be treated as an unsafe method, and any user html should be cleaned before calling set_rendered.

@jdfreder
Copy link
Member Author

@minrk the last commit treats set_rendered as unsafe.

minrk
minrk reviewed Feb 21, 2014
View reviewed changes
IPython/html/static/notebook/js/textcell.js
rendered.append(
$("<div/>")
.append($("<div/>").text('Error rendering Markdown!').addClass("js-error"))
.append($("<div/>").text(e.toString()).addClass("js-error"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this block should go back to calling set_rendered

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a possibility that e.toString() can have use injected html? Some sort of manipulation of the input such that it throws an error with user content (should I add a TODO here?)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't revert the whole change, you can still use .text here, just use set_rendered instead of rendered.append (since rendered is undefined now).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh doh! Gotcha

@jdfreder
Copy link
Member Author

I'm going to give this a test locally to make sure things still work.

@jdfreder
Copy link
Member Author

This works locally

@ellisonbg
Copy link
Member

I think this looks good. Have you gone through all the .html() calls at this point?

@jdfreder
Copy link
Member Author

Have you gone through all the .html() calls at this point?

Yes, there are quite a few .html('') and literals that are untouched (but don't need to be).

ellisonbg
ellisonbg reviewed Feb 27, 2014
View reviewed changes
IPython/html/static/notebook/js/outputarea.js
element
.append($('<div/>').text(msg).addClass('js-error'))
.append($('<div/>').text(err.toString()).addClass('js-error'))
.append($('<div/>').text('See your browser Javascript console for more details.').addClass('js-error'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this missing the leading <br/> tag from above?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't need br because there are multiple divs, where there was one div with explicit br before.

@ellisonbg
Copy link
Member

A few comments, but probably ready to go.

ellisonbg added a commit that referenced this pull request Feb 28, 2014
@ellisonbg
Merge pull request #5175 from jdfreder/html-take2
c8e370d 
Audit .html() calls take #2
@ellisonbg ellisonbg merged commit c8e370d into ipython:master Feb 28, 2014
@jdfreder jdfreder deleted the html-take2 branch March 10, 2014 18:42
mattvonrocketstein pushed a commit to mattvonrocketstein/ipython that referenced this pull request Nov 3, 2014
@ellisonbg
Merge pull request ipython#5175 from jdfreder/html-take2
6966989 
Audit .html() calls take ipython#2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.0
Development

Successfully merging this pull request may close these issues.

Audit the places where we call .html(something)
3 participants
@jdfreder @ellisonbg @minrk