[IPython-dev] Some Thoughts on Notebook Security

Brian Granger ellisonbg at gmail.com
Tue Dec 11 01:11:47 EST 2012

Oh, yes forgot about that, we will have to clean that HTML as well.

On Mon, Dec 10, 2012 at 10:05 PM, Jason Grout
<jason-sage at creativetrax.com> wrote:
> On 12/10/12 10:12 PM, Brian Granger wrote:
>> * In CodeCell output, the Javascript repr is dynamically passed
>> into eval.  This only happens when code is run, not when the notebook
>> is loaded, so it is less critical, but still needs to be fixed.
>> To fix this, we need to disable the Javascript representation of
>> objects altogether.
>> Will these two things not completely fix the security problems we
>> currently have?
> It appears that IPython.core.display.HTML() allows <script> tags in the
> html the user submits:
> import IPython
> IPython.core.display.HTML('<script>alert("hi")</script>')
> Thanks,
> Jason
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev

Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger at calpoly.edu and ellisonbg at gmail.com

More information about the IPython-dev mailing list