[IPython-dev] Some Thoughts on Notebook Security

Jason Grout jason-sage@creativetrax....
Tue Dec 11 00:05:59 CST 2012

On 12/10/12 10:12 PM, Brian Granger wrote:
> * In CodeCell output, the Javascript repr is dynamically passed
> into eval.  This only happens when code is run, not when the notebook
> is loaded, so it is less critical, but still needs to be fixed.
> To fix this, we need to disable the Javascript representation of
> objects altogether.
> Will these two things not completely fix the security problems we
> currently have?

It appears that IPython.core.display.HTML() allows <script> tags in the 
html the user submits:

import IPython



More information about the IPython-dev mailing list