From 86c7e8fb33afc4b24b316bce72ca612756d72eb8 Mon Sep 17 00:00:00 2001
From: RRosio
Date: Fri, 5 Sep 2025 14:10:18 -0700
Subject: [PATCH 1/2] remove google-caja sanitizer

---
 .github/workflows/js.yml | 4 -
 package.json | 1 -
 patches/google-caja-sanitizer+1.0.4.patch | 34 -----
 postinstall.js | 1 -
 tools/security_deprecated.js | 152 ----------------------
 5 files changed, 192 deletions(-)
 delete mode 100644 patches/google-caja-sanitizer+1.0.4.patch
 delete mode 100644 tools/security_deprecated.js

diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index d573dc831..adc9d3826 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -71,10 +71,6 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-pip-${{ env.python-version }}
 
- - name: Temporary workaround for sanitizer loading in JS Tests
- run: |
- cp tools/security_deprecated.js nbclassic/static/base/js/security.js
-
 - name: Install dependencies
 run: |
 pip install --upgrade pip
diff --git a/package.json b/package.json
index 40d4e3451..b938a0b66 100644
--- a/package.json
+++ b/package.json
@@ -63,7 +63,6 @@
 "mathjax": "^2.7.4",
 "codemirror": "~5.58.2",
 "es6-promise": "~1.0",
- "google-caja-sanitizer": "~1.0.4",
 "jed": "~1.1.1",
 "jquery": "~3.7.1",
 "jquery-typeahead": "~2.11.1",
diff --git a/patches/google-caja-sanitizer+1.0.4.patch b/patches/google-caja-sanitizer+1.0.4.patch
deleted file mode 100644
index d71e31f98..000000000
--- a/patches/google-caja-sanitizer+1.0.4.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff --git a/node_modules/google-caja-sanitizer/sanitizer.js b/node_modules/google-caja-sanitizer/sanitizer.js
-index bf8ff98..43e8173 100644
---- a/node_modules/google-caja-sanitizer/sanitizer.js
-+++ b/node_modules/google-caja-sanitizer/sanitizer.js
-@@ -4919,16 +4919,16 @@ var html = (function(html4) {
- })(html4);
- 
- 
--exports.escapeAttrib = html.escapeAttrib;
--exports.makeHtmlSanitizer = html.makeHtmlSanitizer;
--exports.makeSaxParser = html.makeSaxParser;
--exports.makeTagPolicy = html.makeTagPolicy;
--exports.normalizeRCData = html.normalizeRCData;
--exports.sanitize = html.sanitize;
--exports.smartSanitize = function (string, urlX, idX) {
-- string = string.replace(/<([a-zA-Z]+)([^>]*)\/>/g, '<$1$2>');
-- return html.sanitize(string, urlX, idX);
--}
--exports.sanitizeAttribs = html.sanitizeAttribs;
--exports.sanitizeWithPolicy = html.sanitizeWithPolicy;
--exports.unescapeEntities = html.unescapeEntities;
-+// exports.escapeAttrib = html.escapeAttrib;
-+// exports.makeHtmlSanitizer = html.makeHtmlSanitizer;
-+// exports.makeSaxParser = html.makeSaxParser;
-+// exports.makeTagPolicy = html.makeTagPolicy;
-+// exports.normalizeRCData = html.normalizeRCData;
-+// exports.sanitize = html.sanitize;
-+// exports.smartSanitize = function (string, urlX, idX) {
-+// string = string.replace(/<([a-zA-Z]+)([^>]*)\/>/g, '<$1$2>');
-+// return html.sanitize(string, urlX, idX);
-+// }
-+// exports.sanitizeAttribs = html.sanitizeAttribs;
-+// exports.sanitizeWithPolicy = html.sanitizeWithPolicy;
-+// exports.unescapeEntities = html.unescapeEntities;
diff --git a/postinstall.js b/postinstall.js
index ecbcb4891..31cdd6b18 100644
--- a/postinstall.js
+++ b/postinstall.js
@@ -71,7 +71,6 @@ ensureDir("nbclassic/static/components");
 "requirejs",
 "requirejs-plugins",
 "requirejs-text",
- "google-caja-sanitizer",
 "mathjax",
 ].forEach((pkg) => {
 const dst = pkg === "mathjax" ? "MathJax" : pkg;
diff --git a/tools/security_deprecated.js b/tools/security_deprecated.js
deleted file mode 100644
index 3745f13d9..000000000
--- a/tools/security_deprecated.js
+++ /dev/null
@@ -1,152 +0,0 @@
-// Copyright (c) Jupyter Development Team.
-// Distributed under the terms of the Modified BSD License.
-
-define([
- 'jquery',
- 'components/google-caja-sanitizer/sanitizer',
-], function($, sanitize) {
- "use strict";
-
- var noop = function (x) { return x; };
-
- var caja;
- if (window && window.html) {
- caja = window.html;
- caja.html4 = window.html4;
- caja.sanitizeStylesheet = window.sanitizeStylesheet;
- }
-
- var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
- /**
- * add trusting data-attributes to the default sanitizeAttribs from caja
- * this function is mostly copied from the caja source
- */
- var ATTRIBS = caja.html4.ATTRIBS;
- for (var i = 0; i < attribs.length; i += 2) {
- var attribName = attribs[i];
- if (attribName.substr(0,5) == 'data-') {
- var attribKey = '*::' + attribName;
- if (!ATTRIBS.hasOwnProperty(attribKey)) {
- ATTRIBS[attribKey] = 0;
- }
- }
- }
- // Caja doesn't allow data uri for img::src, see
- // https://github.com/google/caja/issues/1558
- // This is not a security issue for browser post ie6 though, so we
- // disable the check
- // https://www.owasp.org/index.php/Script_in_IMG_tags
- ATTRIBS['img::src'] = 0;
- return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
- };
-
- var sanitize_css = function (css, tagPolicy) {
- /**
- * sanitize CSS
- * like sanitize_html, but for CSS
- * called by sanitize_stylesheets
- */
- return caja.sanitizeStylesheet(
- window.location.pathname,
- css,
- {
- containerClass: null,
- idSuffix: '',
- tagPolicy: tagPolicy,
- virtualizeAttrName: noop
- },
- noop
- );
- };
-
- var sanitize_stylesheets = function (html, tagPolicy) {
- /**
- * sanitize just the css in style tags in a block of html
- * called by sanitize_html, if allow_css is true
- */
- var h = $("
").append(html);
- var style_tags = h.find("style");
- if (!style_tags.length) {
- // no style tags to sanitize
- return html;
- }
- style_tags.each(function(i, style) {
- style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
- });
- return h.html();
- };
-
- var sanitize_html = function (html, allow_css) {
- /**
- * sanitize HTML
- * if allow_css is true (default: false), CSS is sanitized as well.
- * otherwise, CSS elements and attributes are simply removed.
- */
- var html4 = caja.html4;
-
- if (allow_css) {
- // allow sanitization of style tags,
- // not just scrubbing
- html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
- html4.ATTRIBS.style = html4.atype.STYLE;
- } else {
- // scrub all CSS
- html4.ELEMENTS.style |= html4.eflags.UNSAFE;
- html4.ATTRIBS.style = html4.atype.SCRIPT;
- }
-
- var record_messages = function (msg, opts) {
- console.log("HTML Sanitizer", msg, opts);
- };
-
- var policy = function (tagName, attribs) {
- if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
- return {
- 'attribs': sanitizeAttribs(tagName, attribs,
- noop, noop, record_messages)
- };
- } else {
- record_messages(tagName + " removed", {
- change: "removed",
- tagName: tagName
- });
- }
- };
-
- var sanitized = caja.sanitizeWithPolicy(html, policy);
-
- if (allow_css) {
- // sanitize style tags as stylesheets
- sanitized = sanitize_stylesheets(sanitized, policy);
- }
-
- return sanitized;
- };
-
- var sanitize_html_and_parse = function (html, allow_css) {
- /**
- * Sanitize HTML and parse it safely using jQuery.
- *
- * This disable's jQuery's html 'prefilter', which can make invalid
- * HTML valid after the sanitizer has checked it.
- *
- * Returns an array of DOM nodes.
- */
- var sanitized_html = sanitize_html(html, allow_css);
- var prev_htmlPrefilter = $.htmlPrefilter;
- $.htmlPrefilter = function(html) {return html;}; // Don't modify HTML
- try {
- return $.parseHTML(sanitized_html);
- } finally {
- $.htmlPrefilter = prev_htmlPrefilter; // Set it back again
- }
- };
-
- var security = {
- caja: caja,
- sanitize_html_and_parse: sanitize_html_and_parse,
- sanitize_html: sanitize_html
- };
-
- return security;
-});

From 308c61ec8d60929b4c19f6ab48251364ac43176a Mon Sep 17 00:00:00 2001
From: RRosio
Date: Fri, 5 Sep 2025 14:19:56 -0700
Subject: [PATCH 2/2] remove google-caja sanitizer file from force-include

---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 42651f0a6..348d28c11 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -129,7 +129,6 @@ artifacts = [
 "nbclassic/static/components/bootstrap-tour/build/js/bootstrap-tour.min.js" = "nbclassic/static/components/bootstrap-tour/build/js/bootstrap-tour.min.js"
 "nbclassic/static/components/bootstrap/dist/js/bootstrap.min.js" = "nbclassic/static/components/bootstrap/dist/js/bootstrap.min.js"
 "nbclassic/static/components/create-react-class/index.js" = "nbclassic/static/components/create-react-class/index.js"
-"nbclassic/static/components/google-caja-sanitizer/sanitizer.js" = "nbclassic/static/components/google-caja-sanitizer/sanitizer.js"
 "nbclassic/static/components/jed/jed.js" = "nbclassic/static/components/jed/jed.js"
 "nbclassic/static/components/jquery/dist/jquery.min.js" = "nbclassic/static/components/jquery/dist/jquery.min.js"
 "nbclassic/static/components/jquery-typeahead/dist/jquery.typeahead.min.js" = "nbclassic/static/components/jquery-typeahead/dist/jquery.typeahead.min.js"