[IPython-dev] toggle cell input - changed in dev version?
Fernando Perez
fperez.net at gmail.com
Mon Mar 17 13:38:02 EDT 2014
Andrew, is it not easy/possible for you to simply write Haskell functions
that return, as a value, the necessary JS/HTML? That's all that %%html and
%%js do.
All we're forbidding is embedded <script> in Markdown, but it's totally OK
for you to return arbitrarily rich and powerful JS from your own code.
But by putting it in the return field of executable code, there's a clear
separation of intent: markdown is the narrative, 'static' part of the
notebook, while output cells contain the dynamic, executable consequences.
We will likely never make that configurable: one of the key tenets of a
robust security model is keeping it simple. The more knobs you add, the
more you increase the chances of surprising attacks becoming possible. For
example, making that sanitization configurable could mean that a block of
code could surreptitiously turn it off at runtime, and then load new
dangerous markdown afterwards. I'm not saying that vector *is* possible
right now (I haven't looked), simply that adding more ways for the security
features to change their behavior increases the attack surface.
Cheers,
f
On Mon, Mar 17, 2014 at 10:29 AM, Andrew Gibiansky <andrew.gibiansky at gmail.com> wrote:
> My 2-cents:
>
> While I understand the security issues, it's a *major* inconvenience in
> my personal work... In addition, it's a pretty heavy burden on any
> non-Python kernel implementors; IHaskell currently has absolutely no notion
> of magics (though directives are similar, maybe) but certainly no notion of
> cell magics (and none planned for the time being)... (I have a ton of
> things to do before implementing that, and haven't seen much use for cell
> magics, especially given that Haskell has QuasiQuotes which allow similar
> things).
>
> It'd be really nice if there were some way to disable this security
> feature.
>
> Do you think this might be possible somehow?
>
> -- Andrew
>
>
>
> On March 17, 2014 at 10:14:27 AM, Brian Granger (ellisonbg at gmail.com) wrote:
>
> As of 2.0, Markdown cells no longer support script tags. You will need
> to put this code into HTML/JavaScript output using %%html or
> %%javascript. This is a security issue - we will have more details on
> this as 2.0 is released.
>
> Cheers,
>
> Brian
>
> On Mon, Mar 17, 2014 at 7:01 AM, John Griffiths
> <j.davidgriffiths at gmail.com> wrote:
> >
> > I've been making use of a little piece of javascript in a markdown cell
> that
> > hides all code cells in the notebook;
> >
> > <script type="text/javascript">
> > // Track whether the code cells are currently visible.
> > var show = true;
> > // Hide or reveal every code-cell input area (div.input) in the notebook.
> > function toggle(){
> >     if (show){
> >         $('div.input').hide();
> >     } else {
> >         $('div.input').show();
> >     }
> >     show = !show;
> > }
> > </script>
> > <a href="javascript:toggle()" target="_self">toggle input</a>
> >
> > (e.g. see here
> > http://python.6.x6.nabble.com/IPython-User-Hide-code-cells-in-the-notebook-td4997151.html )
> >
> >
> > However, I recently installed the latest ipython dev version, and now
> > this snippet doesn't seem to be working any more.
> >
> > Any obvious reasons for this?
> >
> > Ta,
> >
> > john
> >
> >
> >
> >
> > --
> >
> > Mr. John Griffiths, MSc
> >
> > PhD Candidate
> >
> > Centre for Speech, Language, and the Brain
> >
> > Department of Experimental Psychology
> >
> > University of Cambridge, UK
> >
> >
> > _______________________________________________
> > IPython-dev mailing list
> > IPython-dev at scipy.org
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
> >
>
>
>
> --
> Brian E. Granger
> Cal Poly State University, San Luis Obispo
> bgranger at calpoly.edu and ellisonbg at gmail.com
>
>
--
Fernando Perez (@fperez_org; http://fperez.org)
fperez.net-at-gmail: mailing lists only (I ignore this when swamped!)
fernando.perez-at-berkeley: contact me here for any direct mail
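The output-cell route Fernando describes, as an added example that is not part of the original thread and not IPython's own code: instead of a `<script>` tag in a Markdown cell, a code cell returns an object carrying the same HTML/JS, and IPython's rich-display protocol (the `_repr_html_()` hook, which is what `%%html` relies on) places it in the output area, so Markdown sanitization is never involved. The class and function names (`ToggleInputLink`, `toggle_input_html`) and the JS identifiers are made up for this example; it assumes, like the original snippet, that jQuery (`$`) is loaded on the notebook page.

```python
"""Output-cell replacement for a Markdown <script> toggle link.

Added example (not from the IPython project or the thread authors). It relies
only on IPython's rich-display protocol: an object returned as the last
expression of a code cell whose class defines _repr_html_() has that HTML
rendered in the output cell. Names below are hypothetical.
"""
import html

# Assumption: jQuery ($) is available on the notebook page, as in the
# original Markdown snippet. Doubled braces are literal braces in the JS.
_TOGGLE_TEMPLATE = """<script type="text/javascript">
var {state} = true;
function {fn}() {{
    if ({state}) {{
        $('div.input').hide();
    }} else {{
        $('div.input').show();
    }}
    {state} = !{state};
}}
</script>
<a href="javascript:{fn}()" target="_self">{label}</a>"""


def toggle_input_html(label="toggle input", fn="toggleInput", state="inputShown"):
    """Return HTML+JS for a link that hides/shows all code-cell inputs.

    `fn` and `state` are parameters so that two such links in one notebook
    don't clobber each other's page-global state. They are interpolated into
    JavaScript, so they are restricted to plain identifiers, and the visible
    label is HTML-escaped: the caller's text is data, not markup.
    """
    for name in (fn, state):
        if not name.isidentifier():
            raise ValueError("JS identifier expected, got %r" % name)
    return _TOGGLE_TEMPLATE.format(
        label=html.escape(label, quote=True), fn=fn, state=state
    )


class ToggleInputLink:
    """Return an instance of this from a code cell to get the toggle link.

    IPython calls _repr_html_() when formatting the cell's result and shows
    the returned HTML in the output area (the same mechanism %%html uses).
    """

    def __init__(self, label="toggle input"):
        self.label = label

    def _repr_html_(self):
        return toggle_input_html(self.label)

    def __repr__(self):
        # Plain-text fallback for frontends that don't render HTML.
        return "<ToggleInputLink %r>" % self.label
```

In a notebook the cell body is just `ToggleInputLink()`; a non-Python kernel such as IHaskell does the same thing by emitting the string as the `text/html` entry of the result's MIME bundle, which is the "return the JS/HTML as a value" Fernando is pointing at. Escaping the label and restricting the identifiers matters because the output cell is exactly where the notebook does allow live script, so anything interpolated into it should be treated as untrusted input.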