[IPython-dev] D3js and IPython

MinRK benjaminrk@gmail....
Wed Jan 9 19:34:30 CST 2013


On Wed, Jan 9, 2013 at 4:49 PM, Brian Granger <ellisonbg@gmail.com> wrote:

> > I really can't imagine that it will come to this - you are talking about
> > disabling pandas table printing,
> > and simple rich text reprs.  That doesn't seem tenable.  It's also disabling
> > sized images, since our message spec so far has foolishly excluded shape
> > information for images, etc, or the ability to display any kind of
> > formatting (e.g. two images side-by-side).
>
> Sorry I wasn't clear.  I meant to just remove the <script> tags, not
> all of the HTML output.  In your language "sanitize" it.
>
> > We should be able to sanitize Javascript from HTML - both in rendered
> > markdown and HTML output data. This, in turn, could allow script detection
> > and give an 'unsafe dynamic content, only allow if you trust...' message.
>
> Yep.
>

Ah, sorry I misunderstood.  I thought you were saying we were going to
remove HTML reprs entirely, not scrub javascript from existing HTML reprs.
I still think we might want to have a warn/allow mechanism, rather than a
strict 'no js' policy, but 90% of the work for those two is actually the
same, so we can fight over that molehill when we get there :)


>
> Brian
>
> > The cost of what you are proposing is *extremely* high.
> >
> >>
> >>
> >> > This is slightly different from displaying javascript with the
> >> > Javascript object that actually evaluates the string of code.
> >> > It is also dangerous in a multi-user context, even if this javascript is
> >> > not run at load time.
> >> >
> >> > I think that JSON plugins are much better than the current structure because
> >> > one of the first plugins you can write can evaluate javascript
> >> > code, so it actually does the same as the Javascript object.
> >> > But, if you design a custom plugin that deals with a specific type of
> >> > JSON data, then you get the ability for this data to be used
> >> > at load time as the JSON repr is stored.
> >> >
> >> > And I do agree that we need to give users a way to still display JS.
> >> >
> >> > I still think we should **strongly** encourage them not to use the
> >> > Javascript object because of its inherent evaluation
> >> > which is not stored. It is nice for prototyping, but it does more harm
> >> > than anything for sharing.
> >> >
> >> > Finally I suppose it will be doable and a good thing to develop the
> >> > ability to plug those jsplugins into nbviewer.
> >>
> >> Yes, I agree.
> >>
> >> > --
> >> > Matthias
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > IPython-dev mailing list
> >> > IPython-dev@scipy.org
> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> >>
> >>
> >>
> >> --
> >> Brian E. Granger
> >> Cal Poly State University, San Luis Obispo
> >> bgranger@calpoly.edu and ellisonbg@gmail.com
>
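
The thread above treats script scrubbing and script detection as largely the same work. An added sketch of that idea (not IPython's code and not from the original message): one pass over an HTML repr that drops script elements, `on*` handler attributes and `javascript:` URLs while recording each removal, so the same findings list can drive either a strict policy or a warn/allow prompt. `ScriptScrubber`, `scrub` and the sample input are hypothetical names constructed here, and these three checks are assumptions about what to strip, not a full allow-list sanitizer.

```python
from html import escape
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}
# Constructed sample: a table repr, a sized image, and three kinds of script.
SAMPLE = ('<table border="1"><tr><td onmouseover="f()">1 &amp; 2</td></tr></table>'
          '<script>alert(1)</script>'
          '<a href="java&#115;cript:run()">x</a><img src="plot.png" width="300">')

class ScriptScrubber(HTMLParser):
    """One pass that rebuilds the HTML without script and records what it dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=False)   # text entities pass through untouched
        self.out, self.findings, self.in_script = [], [], False

    def _emit(self, tag, attrs, end=">"):
        if tag == "script":
            self.findings.append("script element")
            self.in_script = end == ">"            # a self-closed tag has no body to skip
            return
        kept = ""
        for name, value in attrs:                  # attribute values arrive entity-decoded
            scheme = "".join(c for c in (value or "") if ord(c) > 32).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and scheme.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            else:
                kept += f" {name}" if value is None else f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}{end}")

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " />")
    def handle_endtag(self, tag):
        if tag == "script": self.in_script = False
        else: self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script: self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def scrub(html_text):
    """Return (sanitized_html, findings); non-empty findings means dynamic content was present."""
    parser = ScriptScrubber()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings
```

The table markup and the image's `width` attribute survive the pass, which is the distinction drawn above between scrubbing javascript and removing HTML reprs entirely.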