[IPython-dev] Some Thoughts on Notebook Security

Jason Grout jason-sage@creativetrax....
Tue Dec 11 00:05:59 CST 2012


On 12/10/12 10:12 PM, Brian Granger wrote:
> * In CodeCell output, the Javascript repr is dynamically passed
> into eval.  This only happens when code is run, not when the notebook
> is loaded, so it is less critical, but still needs to be fixed.
>
> To fix this, we need to disable the Javascript representation of
> objects altogether.
>
> Will these two things not completely fix the security problems we
> currently have?

It appears that IPython.core.display.HTML() allows <script> tags in the 
html the user submits:

import IPython
# The <script> element is passed straight through to the browser, not stripped:
IPython.core.display.HTML('<script>alert("hi")</script>')

Thanks,

Jason
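The message above shows that HTML() output reaches the browser without any filtering, so a script in the displayed HTML runs with the notebook's privileges. The following is an added example, not code from IPython or from anyone in this thread, of the kind of allowlist-based sanitizer that would need to sit between a display object and the page. It uses only the standard library; the allowed tag and attribute sets, the safe URL schemes, and the function names are assumptions chosen for the example. It drops script, style and iframe elements together with their contents, removes every on* event-handler attribute, and rejects javascript: and other non-allowlisted URL schemes in href/src.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists are an assumption for this example, not an IPython policy.
ALLOWED_TAGS = {"a", "b", "br", "code", "div", "em", "i", "img", "li", "ol",
                "p", "pre", "span", "strong", "table", "td", "th", "tr", "ul"}
ALLOWED_ATTRS = {"class", "href", "src", "alt", "title", "colspan", "rowspan"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "data:image/")
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    v = "".join(value.split()).replace("\x00", "").lower()  # defeat whitespace/NUL obfuscation
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all: a relative URL
    return v.startswith(SAFE_SCHEMES)


class HTMLSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # on* handlers are never in ALLOWED_ATTRS; the explicit check is belt and braces.
            if name not in ALLOWED_ATTRS or name.startswith("on"):
                continue
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped so it can never be reinterpreted as markup.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(markup):
    """Return a sanitized copy of `markup` safe to hand to the browser."""
    p = HTMLSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs, including the one from the message above.
    for sample in ('<script>alert("hi")</script>',
                   '<p onclick="x()">hi</p>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src=x onerror=alert(1)>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The sanitizer runs before any output is inserted into the page; the script example from the message sanitizes to an empty string, event-handler attributes and javascript: links are dropped while the surrounding harmless markup survives. This closes the HTML() path only; the Javascript repr passed to eval that Brian describes is a separate path that no HTML filter can cover.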
