[IPython-dev] is markdown broken in latest ipython?

MinRK benjaminrk@gmail....
Sat Jun 1 12:44:53 CDT 2013


On Sat, Jun 1, 2013 at 10:40 AM, Jacob Vanderplas <jakevdp@cs.washington.edu
> wrote:

> On Sat, Jun 1, 2013 at 9:59 AM, Min RK <benjaminrk@gmail.com> wrote:
>
>> The current plan is to continue to allow arbitrary execution, as long as
>> it is the result of explicit user action. That means scrubbing JavaScript
>> from markdown cells, and also preventing it from running on page load, but
>> no change in what is allowed in displayed JavaScript or HTML.
>>
>
> So, if I understand this correctly, this means that Javascript-enabled
> features will *not* be viewable on nbviewer or other static notebook views?
>

Static render (i.e. nbconvert) is actually a slightly separate question -
since nbviewer does not have execution permissions, there is little risk.
If it ever has authentication info, such as GitHub auth, then there can be
an issue again.  Note that we are not talking about actually stripping the
content from the *source*, only preventing its display.  That means that
the unsafe content still resides in the document, and nbconvert templates
can choose whether to sanitize or not at export time.  Currently, it does
nothing.

-MinRK


>    Jake
>
>
>
>>
>>
>> -MinRK
>>
>> On Jun 1, 2013, at 8:13, Jacob Vanderplas <jakevdp@cs.washington.edu>
>> wrote:
>>
>> On Mon, May 13, 2013 at 11:30 AM, Min RK <benjaminrk@gmail.com> wrote:
>>
>>>
>>> Do note that, as described in that issue, script tags in markdown cells
>>> will be completely disabled by IPython 1.0 (as opposed to master, where
>>> they are merely broken).
>>>
>>
>> Came into this a bit late, sorry.  Can someone briefly clarify what's
>> going to be permitted with regard to javascript in IPython 1.0?
>>
>> From poking around on the mailing list & roadmap, it's clear that
>> javascript within markdown cells is going to be deprecated, with
>> replacement functionality deferred to the 2.0 release in December.  But
>> what about javascript within the IPython.display.Javascript() or
>> IPython.display.HTML() functions?  If security is the driving concern, it
>> seems that you could be just as malicious using these as you could using
>> markdown cells.
>>
>> I guess my main question is: should I continue spending time on things
>> like Javascript animations [1], or will these become obsolete in July?
>>    Jake
>>
>> [1]
>> http://jakevdp.github.io/blog/2013/05/19/a-javascript-viewer-for-matplotlib-animations/
>>
>>
>>>
>>>
>>> Le lundi 13 mai 2013, Zoltán Vörös a écrit :
>>>
>>>>  Hi Min,
>>>>
>>>> Thanks for the info!
>>>>
>>>> Cheers,
>>>> Zoltán
>>>>
>>>> On 13/05/13 17:28, MinRK wrote:
>>>>
>>>> Bug is already open<https://github.com/ipython/ipython-components/issues/1>,
>>>> and fix is already in marked. Just waiting for a release before we update
>>>> the components.
>>>>
>>>>
>>>>  _______________________________________________
>>> IPython-dev mailing list
>>> IPython-dev@scipy.org
>>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>>
>>>
>>> _______________________________________________
>>> IPython-dev mailing list
>>> IPython-dev@scipy.org
>>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>>
>>>
>> _______________________________________________
>> IPython-dev mailing list
>> IPython-dev@scipy.org
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>> _______________________________________________
>> IPython-dev mailing list
>> IPython-dev@scipy.org
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>
> _______________________________________________
> IPython-dev mailing list
> IPython-dev@scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.scipy.org/pipermail/ipython-dev/attachments/20130601/1815dde0/attachment.html 


More information about the IPython-dev mailing list