[IPython-dev] D3js and IPython
MinRK
benjaminrk at gmail.com
Wed Jan 9 20:34:30 EST 2013
On Wed, Jan 9, 2013 at 4:49 PM, Brian Granger <ellisonbg at gmail.com> wrote:
> > I really can't imagine that it will come to this - you are talking about
> > disabling pandas table printing,
> > and simple rich text reprs. That doesn't seem tenable. It's also disabling
> > sized images, since our message spec so far has foolishly excluded shape
> > information for images, etc, or the ability to display any kind of
> > formatting (e.g. two images side-by-side).
>
> Sorry I wasn't clear. I meant to just remove the <script> tags, not
> all of the HTML output. In your language "sanitize" it.
>
> > We should be able to sanitize Javascript from HTML - both in rendered
> > markdown and HTML output data. This, in turn, could allow script detection
> > and give an 'unsafe dynamic content, only allow if you trust...' message.
>
> Yep.
>
Ah, sorry I misunderstood. I thought you were saying we were going to
remove HTML reprs entirely,
not scrub javascript from existing HTML reprs. I still think we might want
to have a warn/allow mechanism,
rather than a strict 'no js' policy, but 90% of the work for those two is
actually the same,
so we can fight over that molehill when we get there :)
>
> Brian
>
> > The cost of what you are proposing is *extremely* high.
> >
> >>
> >>
> >> > This is a slight difference from displaying javascript with the
> >> > Javascript object that actually evaluates the string of code.
> >> > It is also dangerous in a multi-user context, even if this javascript is
> >> > not run at load time.
> >> >
> >> > I think that Json plugins are much better than the current structure
> >> > because one of the first plugins you can write can evaluate javascript
> >> > code, so it actually does the same as the Javascript object.
> >> > But, if you design a custom plugin that deals with a specific type of
> >> > json data, then you get the ability for this data to be used
> >> > at load time as the json repr is stored.
> >> >
> >> > And I do agree that we need to give users a way to still display JS.
> >> >
> >> > I still think we should **strongly** encourage them not to use
> >> > Javascript object because of its inherent evaluation
> >> > which is not stored. It is nice for prototyping, but it does more harm
> >> > than anything for sharing.
> >> >
> >> > Finally I suppose it will be doable and a good thing to develop the
> >> > ability to plug those jsplugin to nbviewer.
> >>
> >> Yes, I agree.
> >>
> >> > --
> >> > Matthias
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > IPython-dev mailing list
> >> > IPython-dev at scipy.org
> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> >>
> >>
> >>
> >> --
> >> Brian E. Granger
> >> Cal Poly State University, San Luis Obispo
> >> bgranger at calpoly.edu and ellisonbg at gmail.com
> >
> >
> >
> >
>
>
>
> --
> Brian E. Granger
> Cal Poly State University, San Luis Obispo
> bgranger at calpoly.edu and ellisonbg at gmail.com
>
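
As an added illustration of the "sanitize, then warn/allow" idea discussed in this message (not code from the thread or from IPython): a standard-library allowlist sanitizer that keeps table and sized-image markup, strips scripts and inline handlers, and returns the findings a front end could use to show the trust prompt. The allowlist, the names `ReprSanitizer` and `sanitize_repr`, and the sample input are assumptions of this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch: table reprs, simple rich text, sized images.
ALLOWED = {t: set() for t in
           ("table", "thead", "tbody", "tr", "div", "span", "p", "b", "i", "br")}
ALLOWED.update(th={"colspan", "rowspan"}, td={"colspan", "rowspan"},
               img={"src", "alt", "width", "height"})
VOID = {"br", "img"}
DROP_WITH_BODY = {"script", "style"}   # tag and its text content are discarded
SAFE_SRC = ("http://", "https://", "data:image/png;base64,")

class ReprSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self.skip += 1
            if tag == "script":
                self.findings.append("<script> element")
        if self.skip or tag not in ALLOWED:
            return                      # unknown tags vanish, their text stays
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name == "src" and not value.strip().lower().startswith(SAFE_SRC):
                self.findings.append(f"unsafe src on <{tag}>")
            elif name in ALLOWED[tag]:
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_repr(html):
    """Return (sanitized_html, findings); non-empty findings can drive a warning."""
    parser = ReprSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample: a table repr, a sized image, and two script vectors.
SAMPLE = ('<table><tr><td onclick="alert(1)">1</td></tr></table>'
          '<img src="data:image/png;base64,AAAA" width="40" height="30">'
          '<script>alert("x")</script><img src="javascript:alert(1)">')
```

An unterminated `<script>` leaves the parser in skip mode, so everything after it is dropped rather than passed through.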