<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="+1">Hi all,<br>
<br>
I don't want to be seen as impatient, or anything like that, but I
feel that this signature thing is somehow broken, so I would like
to follow up on Damián's and Matthias' comments. <br>
<br>
No matter what I do, if I try to use an old notebook (old meaning
created last Friday:) its content is not trusted. I have run <br>
<br>
ipython trust mynotebook.ipynb<br>
<br>
and I can see the signature at the top of the file. However,
latex/svg are still not displayed. According to the PR that Damián
referred to, only javascript and HTML items should be affected by
this change, although, I understand that SVG might also be
exploited for some injection attack.<br>
<br>
All this is not a major issue for me at the moment, I would just
like to make sure that the developers know about it.<br>
<br>
Chees,<br>
Zoltán<br>
<br>
</font>
<div class="moz-cite-prefix">On 03/02/14 13:15, Matthias Bussonnier
wrote:<br>
</div>
<blockquote
cite="mid:CANJQusUc99=y_XmZH8uK+nZtg2EJoMmHp+-bRnbXrVZ2KGdgAg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hi zoltan, <br>
<br>
</div>
we havent yet posted info on the ML about that and
will do soon. <br>
<br>
<br>
</div>
In short, we sign the notebook when you save it, and if
the signaure don't mach we don't render potentially
dangerous ouput.<br>
</div>
We will do the same in markdown soon if it contains script
tag.<br>
<br>
</div>
WhiteListing latex might be an oversight.<br>
<br>
</div>
If you rerun the all notebook and save, the ouput should be
tusted, a least for you, more info soon. <br>
<br>
-- <br>
</div>
Matthias<br>
<div>
<div>
<div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Feb 3, 2014 at 12:15 PM, Zoltán
Vörös <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:zvoros@gmail.com" target="_blank">zvoros@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font size="+1">Hi
all,<br>
<br>
When a notebook contains sympy-generated latex code, the
latex content is not rendered on load, instead an "</font>Untrusted
text/latex output ignored." message<font size="+1"> is
displayed. On the other hand, latex in a markdown cell
is trusted, and rendered properly. Is there a way to
instruct the notebook to "trust" the latex code even in
the output field of a code cell? Are there any security
issues involved here?<br>
<br>
Cheers,<br>
Zoltán<br>
</font> </div>
<br>
_______________________________________________<br>
IPython-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:IPython-dev@scipy.org">IPython-dev@scipy.org</a><br>
<a moz-do-not-send="true"
href="http://mail.scipy.org/mailman/listinfo/ipython-dev"
target="_blank">http://mail.scipy.org/mailman/listinfo/ipython-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
IPython-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:IPython-dev@scipy.org">IPython-dev@scipy.org</a>
<a class="moz-txt-link-freetext" href="http://mail.scipy.org/mailman/listinfo/ipython-dev">http://mail.scipy.org/mailman/listinfo/ipython-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>