mirror of https://github.com/jupyter/notebook.git synced 2025-01-24 12:05:22 +08:00

don't use result.safe to communicate incomplete information

MinRK 2014-02-25 11:04:06 -08:00
parent 028ce17c62
commit c49f04545a


@ -65,15 +65,17 @@ IPython.security = (function (IPython) {
// {
// src: original_html,
// sanitized: the_sanitized_html,
// safe: bool // false if the sanitizer made any changes
// _maybe_safe: bool // false if the sanitizer definitely made changes.
// This is an incomplete indication,
// only used to indicate whether further verification is necessary.
// }
var result = {
src : html,
safe : true
_maybe_safe : true
};
var record_messages = function (msg, opts) {
console.log("HTML Sanitizer", msg, opts);
result.safe = false;
result._maybe_safe = false;
};
var html4 = caja.html4;
@ -106,8 +108,10 @@ IPython.security = (function (IPython) {
// caja can strip whole elements without logging,
// so double-check that node structure didn't change
if (result.safe) {
if (result._maybe_safe) {
result.safe = cmp_tree($(result.sanitized), $(html));
} else {
result.safe = false;
}
return result.safe;
};
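Review bot: The `cmp_tree($(result.sanitized), $(html))` call in the second hunk still hands the unsanitized `html` string to `$()`, so the check that decides whether the input is safe itself instantiates the untrusted markup; assuming `$` is jQuery, elements built this way belong to the live document and can start resource loads or fire inline event handlers before anything is inserted into the page. Parsing the original into an inert document avoids that, e.g. `var inert = document.implementation.createHTMLDocument('');` followed by `result.safe = cmp_tree($(result.sanitized), $($.parseHTML(html, inert)));` — this needs a jQuery version that provides `$.parseHTML`, and `cmp_tree` is not visible here, so confirm it accepts the same node shape. The struct comment in the first hunk also appears to lose its `safe` entry although `result.safe` is still assigned and returned, so it should keep a line such as `// safe: bool // true only if the sanitizer made no changes`. The enclosing function begins outside both hunks.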