[IPython-dev] Scipy central & IPython notebook.

Matthias BUSSONNIER bussonniermatthias at gmail.com
Mon Sep 24 17:20:34 EDT 2012


On 24 Sep 2012 at 23:11, Brian Granger wrote:

> On Mon, Sep 24, 2012 at 12:31 PM, Jason Grout
> <jason-sage at creativetrax.com> wrote:
>> On 9/24/12 2:19 PM, Brian Granger wrote:
>>>> Certainly not as is!
>>>>> Nbviewer embeds remote javascript, which would be a high security risk for any website
>>>>> or user that **trusts** ipython.org
>>> I am beginning to think we should remove <script> tags from markdown
>>> cells because of this.
>>> 
>> 
>> Don't serve user-generated content from ipython.org.  Serve
>> user-generated content from something like pylab-central.org or
>> something.  Some time ago, someone (William Stein maybe?) forwarded to
>> me a talk from someone at google which said something to the effect that
>> taking care of all the vulnerabilities is *hard*, and google finally
>> just decided to serve any untrusted content from a different domain.
>> (yeah, I know---that chain of hearsay is not extremely inspiring...).
>> I'm CCing William in hopes that maybe he was the one that forwarded the
>> story and can find it (I've looked but can't find it).
> 
> For us it is not as simple as using a different domain because of the
> way we load and run javascript code.  In short we:
> 
> * Get the JS code embedded in a string inside a JSON message.
> * We unpack it and then eval it in the context of the cells output area.

For notebook, yes, not for nbviewer.
Displayed js is not evaluated in nbviewer, only script tags. 

Even displayed js is not evaluated when loading notebooks. 
-- 
Matthias
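The mitigation Brian raises above, removing `<script>` tags (together with inline `on*` handlers and `javascript:` URLs) from markdown cells before a shared host renders them, as an added standard-library example that is not part of this thread or of IPython's or nbviewer's own code; `BLOCKED_TAGS`, `URL_ATTRS`, `MarkdownCellSanitizer` and `sanitize_markdown` are names assumed here.

```python
import html
from html.parser import HTMLParser

BLOCKED_TAGS = {"script"}              # whole subtree is dropped
URL_ATTRS = {"href", "src", "action"}  # checked for javascript: URLs

class MarkdownCellSanitizer(HTMLParser):
    """Re-emits a markdown cell's HTML minus anything that would execute."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside <script>

    def _emit_tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:  # html.parser has lowercased the names
            if name.startswith("on"):  # onload=, onerror=, onclick=, ...
                continue
            if name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):  # <img ... /> and the like
        if tag not in BLOCKED_TAGS and not self.skip_depth:
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # markdown text and entities pass through
        if not self.skip_depth:
            self.out.append(data)
    handle_entityref = lambda self, n: self.handle_data(f"&{n};")
    handle_charref = lambda self, n: self.handle_data(f"&#{n};")

def sanitize_markdown(source):
    # Returns the cell source with <script>, on* handlers and javascript: URLs removed.
    parser = MarkdownCellSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out)
```

Markdown syntax outside tags (headings, `>` quotes, entities) is passed through unchanged, so the output can still go to the normal markdown renderer.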


More information about the IPython-dev mailing list