[IPython-dev] Scipy central & IPython notebook.
Mon Sep 24 16:22:27 CDT 2012
On Mon, Sep 24, 2012 at 2:20 PM, Matthias BUSSONNIER
> Le 24 sept. 2012 à 23:11, Brian Granger a écrit :
>> On Mon, Sep 24, 2012 at 12:31 PM, Jason Grout
>> <firstname.lastname@example.org> wrote:
>>> On 9/24/12 2:19 PM, Brian Granger wrote:
>>>>> Certainly not as is !
>>>>>> or user that **trust** ipython.org
>>>> I am beginning to think we should remove <script> tags from markdown
>>>> cells because of this.
>>> Don't serve user-generated content from ipython.org. Serve
>>> user-generated content from something like pylab-central.org or
>>> something. Some time ago, someone (William Stein maybe?) forwarded to
>>> me a talk from someone at google which said something to the effect that
>>> taking care of all the vulnerabilities is *hard*, and google finally
>>> just decided to serve any untrusted content from a different domain.
>>> (yeah, I know---that chain of hearsay is not extremely inspiring...).
>>> I'm CCing William in hopes that maybe he was the one that forwarded the
>>> story and can find it (I've looked but can't find it).
>> For us it is not as simple as using a different domain because of the
>> * Get the JS code embedded in a string inside a JSON message.
>> * We unpack it and then eval it in the context of the cells output area.
> For notebook, yes, not for nbviewer.
> Displayed js is not evaluated in nbviewer, only script tags.
> Even displayed js is not evaluated when loading notebooks.
Right, thanks for the clarification.
> IPython-dev mailing list
Brian E. Granger
Cal Poly State University, San Luis Obispo
email@example.com and firstname.lastname@example.org
More information about the IPython-dev