[IPython-dev] Notebook CodeCell for editing and executing javascript

Matthias BUSSONNIER bussonniermatthias at gmail.com
Tue Dec 18 15:15:34 EST 2012


On 18 Dec 2012, at 19:57, Nissim Karpenstein wrote:

> Can you please elaborate further on the potential security risks.
> I thought that code cells are not executed when opening an ipynb file.  It would have to be a little different than python CodeCells because the output of javascript cells could not really be stored in the ipynb, but we could still require each codecell to be manually executed by the user before being eval'd in the browser.

No, code cells are not executed, but if the output contains a <script> tag...

To protect against that, we'll probably prevent JS in output by stripping it.

Obviously a JS cell would be able to get around that by manipulating the notebook structure itself,
and where a server-side kernel can "easily" be isolated, it is much harder to do on the browser side.

In a context where a user might be logged in to a service that provides an IPython notebook, and to other services,
this is dangerous.

I'm not an expert on JavaScript and security, but not so long ago we warned someone who was using the IPython
notebook that they had a security breach after adding a tiny feature that seemed irrelevant. So I'm a little cautious
when it comes to JavaScript in the browser now.

This is the reason why we are moving toward a JSON plugin. The server owner could choose that some services
are available to users. You could of course build a service that allows executing custom JavaScript.

I totally agree that users should be responsible for what they execute, but if we build that we totally need parental control
for that.

I still think that having the ability to execute JS in the notebook is something really worth considering, at least as an advanced feature
or a plugin.

-- 
Matthias


> Have you seen jsFiddle?  My suggestion is sort of a mashup of iPython notebook and jsFiddle.
>
> On Tue, Dec 18, 2012 at 1:40 PM, Matthias BUSSONNIER <bussonniermatthias at gmail.com> wrote:
> Hi again,
> 
> I'll moderate what I said an hour ago.
> I might see one way to maybe do something close to what you wish.
> It might not be straightforward, and I will think about it.
> It might be incorporated in the JS widget we planned on implementing; I'll discuss that with Brian
> to better know what his plans are.
> 
> In any case it will probably change the notebook format, introducing incompatibilities with older ones, so
> we will think about it a lot before releasing it.
> 
> We would still be happy to see what a prototype does; maybe you'll find how to do that in a way that
> prevents JavaScript injection at load time when exchanging ipynb files.
> --
> Matthias
> 
> On 18 Dec 2012, at 14:02, Nissim Karpenstein wrote:
> 
> > Hi,
> >
> > I'm new here and I wanted to run this by the group before I start working on it.  I'm interested in building a facility to use the notebook to edit and execute javascript code for presenting data from the python kernel.  I know there is a magic function and there is some sort of way to have python code render js in <script> tags, and you can put javascript in the Markdown cells, but I was envisioning something more like a standard codecell, but execution is handled by the browser rather than the kernel.
> >
> > Let's say you've loaded some data and run some computations in your python kernel and now you want to display results in the notebook using some javascript library like d3, datatables or processing.  If you want to do this by writing the javascript code in a CodeCell and evaluating that code in the browser you need a couple of things:
> > 1) ability to change a code cell language to javascript in the notebook frontend.  I saw that there is a language field in the notebook file format for CodeCell but it is always = python.
> >
> > 2) facility to have the browser javascript engine evaluate the contents of the javascript CodeCell when it is executed by the user
> >
> > 3) http REST api that will return json representations of Python objects that exist in the kernel.  (this may already exist, I don't really understand the kernel communication protocol yet).
> >
> > There are probably some more things like the ability to add CSS, HTML, js and image resources to the server that it can then serve back to the client.  I see that there's been a lot of discussion related to this in the plugins thread, but maybe there can also be a method for accessing resources from the network and then telling the notebook server to serve them from some path.
> > I'd like to implement this and I had a couple of questions:
> >
> > 1) Does this fit in with your ideas for the notebook or is editing non python code in CodeCell outside of the vision?
> >
> > 2) Should there be another Dropdown for the language of the CodeCell or should there be a javascript option added to the existing select box.
> >
> > Thanks
> >
> >    -Nissim
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
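
The load-time risk discussed in this thread, a stored output that carries a <script> tag and runs when an exchanged ipynb file is opened, can be checked for before the file is rendered. The following is an added example, not part of the original messages and not IPython's code: it parses each stored HTML output and reports anything that would execute in the browser. The notebook layout (worksheets, cells, outputs with "html" and "javascript" keys) and the sample notebook are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
# Denylist used for reporting only; real sanitizing should allowlist instead.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class ActiveContentFinder(HTMLParser):
    """Collects reasons an HTML fragment would run script when rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Browsers ignore whitespace/control characters inside a URL scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_notebook(nb):
    """Return (cell index, finding) pairs for stored outputs that are not inert."""
    results = []
    cells = [c for ws in nb.get("worksheets", []) for c in ws.get("cells", [])]
    for i, cell in enumerate(cells):
        for out in cell.get("outputs", []):
            if "javascript" in out:
                results.append((i, "javascript output"))
            finder = ActiveContentFinder()
            finder.feed("".join(out.get("html", "")))  # str or list of lines
            finder.close()
            results.extend((i, f) for f in finder.findings)
    return results

# Constructed sample notebook (assumed layout), as json.load() would return it.
SAMPLE = {"nbformat": 3, "worksheets": [{"cells": [
    {"cell_type": "code", "language": "python", "input": "table()",
     "outputs": [{"output_type": "pyout", "html": ["<table><tr><td>1</td></tr></table>"]}]},
    {"cell_type": "code", "language": "python", "input": "show()",
     "outputs": [{"output_type": "display_data", "html": [
         "<b>plot</b><SCRIPT>console.log(1)</SCRIPT>",
         '<img src="x.png" onerror="console.log(2)">',
         '<a href="java&#9;script:void(0)">more</a>']}]},
]}]}

if __name__ == "__main__":
    for cell, finding in audit_notebook(SAMPLE):
        print(f"cell {cell}: {finding}")
```

The check only covers outputs stored in the file; as the reply above points out, a cell that executes JavaScript in the browser can alter the page after any such filter has run.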



