<p>I'd totally misunderstood the problem. That's all pretty scary. Thanks for putting me straight.</p>
<div class="gmail_quote">On Sep 9, 2012 10:57 AM, "Matthias BUSSONNIER" <<a href="mailto:bussonniermatthias@gmail.com">bussonniermatthias@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Le 8 sept. 2012 à 23:09, Carl Smith a écrit :<br>
<br>
> I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern mute too. I'm not certain, but that's what I thought. I'm on my phone so I can't do much to look into it right now.<br>
<br>
Well, If I understand XSS it is pretty trivial to do with python notebook as we allow to embed script in .ipynb files.<br>
They might not be executable but a simple notebook with in a markdown cell :<br>
<br>
<a href='onclick=function(){alert('hello')}'> click me </a> should work.<br>
moreover you can embed iframes, ...Etc.<br>
<br>
So could forge a malicious ipynb file and ask you to view it through <a href="http://nbviewer.ipython.org" target="_blank">nbviewer.ipython.org</a>.<br>
<br>
assuming you are logged to <a href="http://nbviewer.ipython.org" target="_blank">nbviewer.ipython.org</a>, the scripts in this notebook has all your rights.<br>
<br>
For me, this is XSS.<br>
<br>
I won't imagine what people would try to do if you know that JS can send code to execute on the server side !<br>
--<br>
Matthias<br>
<br>
<br>
><br>
> _______________________________________________<br>
> IPython-dev mailing list<br>
> <a href="mailto:IPython-dev@scipy.org">IPython-dev@scipy.org</a><br>
> <a href="http://mail.scipy.org/mailman/listinfo/ipython-dev" target="_blank">http://mail.scipy.org/mailman/listinfo/ipython-dev</a><br>
<br>
_______________________________________________<br>
IPython-dev mailing list<br>
<a href="mailto:IPython-dev@scipy.org">IPython-dev@scipy.org</a><br>
<a href="http://mail.scipy.org/mailman/listinfo/ipython-dev" target="_blank">http://mail.scipy.org/mailman/listinfo/ipython-dev</a><br>
</blockquote></div>