[IPython-dev] Some Thoughts on Notebook Security

Brian Granger ellisonbg@gmail....
Tue Dec 11 00:11:47 CST 2012


Oh, yes forgot about that, we will have to clean that HTML as well.

On Mon, Dec 10, 2012 at 10:05 PM, Jason Grout
<jason-sage@creativetrax.com> wrote:
> On 12/10/12 10:12 PM, Brian Granger wrote:
>> * In CodeCell output, the Javascript repr is dynamically passed
>> into eval.  This only happens when code is run, not when the notebook
>> is loaded, so it is less critical, but still needs to be fixed.
>>
>> To fix this, we need to disable the Javascript representation of
>> objects altogether.
>>
>> Will these two things not completely fix the security problems we
>> currently have?
>
> It appears that IPython.core.display.HTML() allows <script> tags in the
> html the user submits:
>
> import IPython
> IPython.core.display.HTML('<script>alert("hi")</script>')
>
> Thanks,
>
> Jason
>
> _______________________________________________
> IPython-dev mailing list
> IPython-dev@scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger@calpoly.edu and ellisonbg@gmail.com


More information about the IPython-dev mailing list