Home Esplora Aiuto
Registrati Accedi
dayuan
/
manyi
6
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 34216f9fac
Rami (Branch) Tag
manyi
/
venv
/
Lib
/
site-packages
/
notebook
/
tests
/
base
/
security.js

security.js 2.4 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. safe_tests = [
    2. 

  2.     "<p>Hi there</p>",
    3. 

  3.     '<h1 class="foo">Hi There!</h1>',
    4. 

  4.     '<a data-cite="foo">citation</a>',
    5. 

  5.     '<div><span>Hi There</span></div>',
    6. 

  6. ];
    7. 

  7. 

  8. unsafe_tests = [
    9. 

  9.     "<script>alert(999);</script>",
    10. 

  10.     '<a onmouseover="alert(999)">999</a>',
    11. 

  11.     '<a onmouseover=alert(999)>999</a>',
    12. 

  12.     '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    13. 

  13.     '<IMG SRC=# onmouseover="alert(999)">',
    14. 

  14.     '<<SCRIPT>alert(999);//<</SCRIPT>',
    15. 

  15.     '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
    16. 

  16.     '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
    17. 

  17.     '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
    18. 

  18.     '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
    19. 

  19.     '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
    20. 

  20.     '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
    21. 

  21.     // CSS is scrubbed
    22. 

  22.     '<style src="http://untrusted/style.css"></style>',
    23. 

  23.     '<style>div#notebook { background-color: alert-red; }</style>',
    24. 

  24.     '<div style="background-color: alert-red;"></div>',
    25. 

  25. ];
    26. 

  26. 

  27. var truncate = function (s, n) {
    28. 

  28.     // truncate a string with an ellipsis
    29. 

  29.     if (s.length > n) {
    30. 

  30.         return s.substr(0, n-3) + '...';
    31. 

  31.     } else {
    32. 

  32.         return s;
    33. 

  33.     }
    34. 

  34. };
    35. 

  35. 

  36. casper.notebook_test(function () {
    37. 

  37.     this.each(safe_tests, function (self, item) {
    38. 

  38.         var sanitized = self.evaluate(function (item) {
    39. 

  39.             return IPython.security.sanitize_html(item);
    40. 

  40.         }, item);
    41. 

  41.         
    42. 

  42.         // string equality may be too strict, but it works for now
    43. 

  43.         this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
    44. 

  44.     });
    45. 

  45.     
    46. 

  46.     this.each(unsafe_tests, function (self, item) {
    47. 

  47.         var sanitized = self.evaluate(function (item) {
    48. 

  48.             return IPython.security.sanitize_html(item);
    49. 

  49.         }, item);
    50. 

  50.         
    51. 

  51.         this.test.assertNotEquals(sanitized, item, 
    52. 

  52.             "Sanitized: '" + truncate(item, 32) + 
    53. 

  53.             "' => '" + truncate(sanitized, 32) + "'"
    54. 

  54.         );
    55. 

  55.         this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
    56. 

  56.     });
    57. 

  57. });
    58.