[IPython-dev] Some Thoughts on Notebook Security

Brian Granger ellisonbg at gmail.com
Tue Dec 11 01:11:47 EST 2012


Oh, yes forgot about that, we will have to clean that HTML as well.

On Mon, Dec 10, 2012 at 10:05 PM, Jason Grout
<jason-sage at creativetrax.com> wrote:
> On 12/10/12 10:12 PM, Brian Granger wrote:
>> * In CodeCell output, the Javascript repr is dynamically passed
>> into eval.  This only happens when code is run, not when the notebook
>> is loaded, so it is less critical, but still needs to be fixed.
>>
>> To fix this, we need to disable the Javascript representation of
>> objects altogether.
>>
>> Will these two things not completely fix the security problems we
>> currently have?
>
> It appears that IPython.core.display.HTML() allows <script> tags in the
> html the user submits:
>
> import IPython
> IPython.core.display.HTML('<script>alert("hi")</script>')
>
> Thanks,
>
> Jason
>
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger at calpoly.edu and ellisonbg at gmail.com
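As an added illustration (this is not code from the thread or from IPython itself), one defensive approach to the HTML-display issue Jason raises: a sanitizer built on Python's standard html.parser that strips script-bearing elements, inline event handlers and javascript: URLs before user-supplied HTML reaches the browser. The function name sanitize_html and the tag lists are my own choices, not IPython's.

```python
from html import escape
from html.parser import HTMLParser

# Elements dropped together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
# Void/self-closing elements dropped on their own (no content to skip).
DROP_TAG_ONLY = {"embed", "link", "meta", "base"}
# Void elements that must not get a closing tag emitted.
VOID_TAGS = {"br", "hr", "img", "input"}
# Attributes whose value may carry a URL.
URL_ATTRS = {"href", "src", "action"}


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self._skip = 0  # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if tag in DROP_TAG_ONLY or self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):          # onclick=, onload=, ...
                continue
            v = (value or "").strip()
            if name in URL_ATTRS and v.lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")


def sanitize_html(html):
    """Return html with script elements, event handlers and javascript: URLs removed."""
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Run against the exact payload from the thread, `sanitize_html('<script>alert("hi")</script>')` returns an empty string; benign markup such as `<b>hi</b>` passes through unchanged.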


