[IPython-dev] IPEP 3: Multiuser support in the notebook

Matthias BUSSONNIER bussonniermatthias at gmail.com
Sun Sep 9 05:57:10 EDT 2012


On 8 Sept 2012 at 23:09, Carl Smith wrote:

> I'm not sure, but I don't think you can do cross-scripting in Chrome. Maybe other browsers will make this concern moot too. I'm not certain, but that's what I thought. I'm on my phone, so I can't do much to look into it right now.

Well, if I understand XSS, it is pretty trivial to do with the Python notebook, as we allow embedding scripts in .ipynb files.
They might not be executable, but a simple notebook with, in a markdown cell:

<a href='onclick=function(){alert('hello')}'> click me </a> should work. 
Moreover, you can embed iframes, etc.

So one could forge a malicious ipynb file and ask you to view it through nbviewer.ipython.org.

Assuming you are logged in to nbviewer.ipython.org, the scripts in this notebook have all your rights.

For me, this is XSS.

I won't imagine what people would try to do if you know that JS can send code to execute on the server side!
-- 
Matthias
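As an added defender-side example (not code from this thread or from the IPython project): a small allowlist sanitizer for the HTML that markdown cells of an .ipynb may carry, of the kind a viewer such as nbviewer would need to apply before rendering a notebook it did not author. It assumes the nbformat 4 layout (a top-level `cells` list) and an allowlist of tags and attributes chosen only for illustration; it drops on* event handlers, non-allowlisted tags such as script and iframe together with their content, and href/src values with unexpected schemes, and reports what it removed so the viewer can log it.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "pre", "p", "br", "ul", "ol", "li", "img"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "#", "/")
CONTAINER_TAGS = {"script", "style", "iframe", "object"}  # their text content is dropped too

class MarkdownHTMLSanitizer(HTMLParser):  # rebuilds HTML from allowlisted parts, records the rest
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            self._skip += tag in CONTAINER_TAGS  # suppress text until the matching end tag
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            bad_url = name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES)
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()) or bad_url:
                self.dropped.append(f"{tag}@{name}")  # event handlers, unknown attributes, javascript:/data: URLs
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_notebook(nb):
    """Sanitize every markdown cell of a parsed .ipynb in place; returns the list of dropped items."""
    dropped = []
    for cell in nb.get("cells", []):  # nbformat 4 layout (top-level cell list) is assumed here
        if cell.get("cell_type") == "markdown":
            parser = MarkdownHTMLSanitizer()
            parser.feed("".join(cell.get("source", "")))  # source may be a string or a list of lines
            parser.close()
            cell["source"] = "".join(parser.out)
            dropped += parser.dropped
    return dropped
```

Code cells are left untouched, since the point of the thread is the markup a markdown cell renders in the viewer's browser, not the Python the notebook would run in a kernel.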





