[IPython-dev] toggle cell input - changed in dev version?

Andrew Gibiansky andrew.gibiansky at gmail.com
Mon Mar 17 13:56:10 EDT 2014


The original question was not for a Python kernel, I was just chiming in as this was something I found fairly bothersome :) sorry for hijacking the thread.

I guess the security aspect makes sense; you wouldn't want scripts in the page to be able to configure that.

My personal frustration is more or less what Fernando was pointing out: markdown is narrative and 'static', while code cells are dynamic. But in many contexts that's not what you want! You want rich narrative with graphics and displays and maybe other things that Markdown doesn't support but arbitrary script tags could. I guess you can always just hide those cells in the nbviewer output, but especially since we can't hide code cells (which is what this thread was originally about) it feels like a huge hack.

Anyway, sorry for derailing the thread a bit, not my intent :) I have a few questions but I'll follow up elsewhere.

-- Andrew



On March 17, 2014 at 10:50:21 AM, Brian Granger (ellisonbg at gmail.com) wrote:

Sorry I missed that this was not for the python kernel. As Fernando 
mentioned, just using the HTML/JS output and display protocol would 
work fine. 

I agree with Fernando that this part of our security approach is not 
something we will make configurable. The reason is that <script> tags 
in Markdown run on page load, before the user ever has a chance to 
inspect what they are going to do. By that point, it is too late to 
prevent someone from doing "rm -rf $HOME" or lifting all your ssh 
keys, etc. That type of thing is still completely possible when a user 
explicitly runs code in the notebook, but we want to prevent it upon 
page load *always*. 

I know we have not yet done a good job of justifying our decisions, 
but we will in upcoming docs, blog posts, etc. We will get there... 

Cheers, 

Brian 


On Mon, Mar 17, 2014 at 10:38 AM, Fernando Perez <fperez.net at gmail.com> wrote: 
> Andrew, is it not easy/possible for you to simply write Haskell functions 
> that return as a value, the necessary JS/HTML? That's all that %%html and 
> %%js do. 
> 
> All we're forbidding is embedded <script> in Markdown, but it's totally OK 
> for you to return arbitrarily rich and powerful JS from your own code. 
> 
> But by putting it in the return field of executable code, there's a clear 
> separation of intent: markdown is the narrative, 'static' part of the 
> notebook, while output cells contain the dynamic, executable consequences. 
> 
> We will likely never make that configurable: one of the key tenets of a 
> robust security model is keeping it simple. The more knobs you add, the more 
> you increase the chances of surprising attacks becoming possible. For 
> example, making that sanitization configurable could mean that block of code 
> could surreptitiously turn it off at runtime, and then load new dangerous 
> markdown afterwards. I'm not saying that vector *is* possible right now (I 
> haven't looked), simply that adding more ways for the security features to 
> change their behavior simply increases the attack surface. 
> 
> Cheers, 
> 
> f 
> 
> 
> On Mon, Mar 17, 2014 at 10:29 AM, Andrew Gibiansky 
> <andrew.gibiansky at gmail.com> wrote: 
>> 
>> My 2-cents: 
>> 
>> While I understand the security issues, it's a major inconvenience in my 
>> personal work... In addition, it's a pretty heavy burden on any non-Python 
>> kernel implementors; IHaskell currently has absolutely no notion of magics 
>> (though directives are similar, maybe) but certainly no notion of cell 
>> magics (and none planned for the time being)... (I have a ton of things to 
>> do before implementing that, and haven't seen much use for cell magics, 
>> especially given that Haskell has QuasiQuotes which allow similar things). 
>> 
>> It'd be really nice if there were some way to disable this security 
>> feature. 
>> 
>> Do you think this might be possible somehow? 
>> 
>> -- Andrew 
>> 
>> 
>> 
>> On March 17, 2014 at 10:14:27 AM, Brian Granger (ellisonbg at gmail.com) 
>> wrote: 
>> 
>> As of 2.0, Markdown cells no longer support script tags. You will need 
>> to put this code into HTML/JavaScript output using %%html or 
>> %%javascript. This is a security issue - we will have more details on 
>> this as 2.0 is released. 
>> 
>> Cheers, 
>> 
>> Brian 
>> 
>> On Mon, Mar 17, 2014 at 7:01 AM, John Griffiths 
>> <j.davidgriffiths at gmail.com> wrote: 
>> > 
>> > I've been making use of a little piece of javascript in a markdown cell 
>> > that 
>> > hides all code cells in the notebook; 
>> > 
>> > <script type="text/javascript"> 
>> > show=true; 
>> > function toggle(){ 
>> > if (show){ 
>> > $('div.input').hide(); 
>> > }else{ 
>> > $('div.input').show(); 
>> > } 
>> > show = !show; 
>> > } 
>> > </script> 
>> > <a href="javascript:toggle()" target="_self">toggle input</a> 
>> > 
>> > (e.g. see here 
>> > 
>> > http://python.6.x6.nabble.com/IPython-User-Hide-code-cells-in-the-notebook-td4997151.html 
>> > ) 
>> > 
>> > 
>> > However, I recently installed the latest ipython dev version, and now 
>> > this 
>> > snippet doesn't seem to be working any more. 
>> > 
>> > Any obvious reasons for this? 
>> > 
>> > Ta, 
>> > 
>> > john 
>> > 
>> > 
>> > 
>> > 
>> > -- 
>> > 
>> > Mr. John Griffiths, MSc 
>> > 
>> > PhD Candidate 
>> > 
>> > Centre for Speech, Language, and the Brain 
>> > 
>> > Department of Experimental Psychology 
>> > 
>> > University of Cambridge, UK 
>> > 
>> > 
>> > _______________________________________________ 
>> > IPython-dev mailing list 
>> > IPython-dev at scipy.org 
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev 
>> > 
>> 
>> 
>> 
>> -- 
>> Brian E. Granger 
>> Cal Poly State University, San Luis Obispo 
>> bgranger at calpoly.edu and ellisonbg at gmail.com 
>> 
>> 
>> 
> 
> 
> 
> -- 
> Fernando Perez (@fperez_org; http://fperez.org) 
> fperez.net-at-gmail: mailing lists only (I ignore this when swamped!) 
> fernando.perez-at-berkeley: contact me here for any direct mail 



-- 
Brian E. Granger 
Cal Poly State University, San Luis Obispo 
bgranger at calpoly.edu and ellisonbg at gmail.com 
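The policy Brian and Fernando describe is that HTML rendered from a Markdown cell is displayed on page load, so any `<script>` element or `javascript:` link in it would run before the reader has a chance to inspect it, while output produced by `%%html` or `%%javascript` only exists because the user chose to execute a cell. The block below is an added illustration of that sanitize-on-render step, not IPython's own code: an allowlist sanitizer built on Python's standard `html.parser` that drops `<script>` elements with their contents, rejects unsafe URL schemes in `href`/`src`, and strips event-handler attributes. The sample input is constructed from the snippet quoted in the thread plus one extra link; the tag and attribute allowlists are assumptions chosen for the example.

```python
"""Allowlist sanitizer for HTML rendered from a Markdown cell.

Added example, not IPython's sanitizer. It models the rule from the thread:
nothing in narrative (Markdown) content may execute on page load.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: what narrative Markdown legitimately needs.
ALLOWED_TAGS = {"a", "p", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "img", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID = {"img", "br"}  # no closing tag is emitted for these


def _safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme."""
    # Strip whitespace and control characters so "java\tscript:" is seen as
    # "javascript:" rather than slipping past a naive prefix check.
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme: relative URL or fragment
    return head.split(":", 1)[0] in SAFE_SCHEMES


class MarkdownSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: its text survives, the tag itself does not
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, target=, ...
            if name in ("href", "src") and not _safe_url(value):
                continue  # drops javascript: and other unlisted schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._drop_depth == 0:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments are dropped


def sanitize_markdown_html(html):
    """Sanitize one rendered Markdown cell before it is placed in the page."""
    parser = MarkdownSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the toggle snippet from the thread, plus an extra link
# carrying an inline event handler.
QUOTED_SNIPPET = """<p>Some narrative.</p>
<script type="text/javascript">
show=true;
function toggle(){ $('div.input').hide(); }
</script>
<a href="javascript:toggle()" target="_self">toggle input</a>
<a href="https://example.org" onclick="alert(1)">docs</a>"""

if __name__ == "__main__":
    print(sanitize_markdown_html(QUOTED_SNIPPET))
```

Run on the sample, the `<script>` element and the `javascript:` and `onclick` attributes disappear while the paragraph, the link text and the `https:` link survive, which is exactly why the quoted toggle link stops working once Markdown output is sanitized; the same HTML returned from an executed code cell is not subject to this step.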

