[IPython-dev] Some Thoughts on Notebook Security
Jason Grout
jason-sage at creativetrax.com
Tue Dec 11 01:05:59 EST 2012
On 12/10/12 10:12 PM, Brian Granger wrote:
> * In CodeCell output, the Javascript repr is dynamically passed
> into eval. This only happens when code is run, not when the notebook
> is loaded, so it is less critical, but still needs to be fixed.
>
> To fix this, we need to disable the Javascript representation of
> objects altogether.
>
> Will these two things not completely fix the security problems we
> currently have?
It appears that IPython.core.display.HTML() allows <script> tags in the
html the user submits:
import IPython
# The string is stored as-is; nothing strips or escapes the <script> tag.
IPython.core.display.HTML('<script>alert("hi")</script>')
Thanks,
Jason
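As an added example (not code from the original thread, nor IPython's own), the following stdlib-only sanitizer shows one way a display layer could treat user-supplied HTML before inserting it into the page: an allowlist of tags and attributes, removal of <script>/<style>/<iframe>/<object>/<embed> together with their contents, rejection of all on* event-handler attributes, and a scheme check on href/src that strips the control characters browsers ignore (so "java\tscript:" is not let through). The tag and attribute allowlists are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists (assumed for this example; a real deployment would tune them).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "code", "pre", "span", "div", "table", "tr", "td", "th", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "*": {"class"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
# Elements dropped together with everything inside them.
CONTENT_DROPPED = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}                         # never emit a closing tag


def _safe_url(value: str) -> bool:
    # Browsers ignore tabs, newlines and other C0 controls inside a URL, so an
    # attacker can write "java\tscript:". Remove them before reading the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text; we re-escape on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress = 0   # nesting depth inside a CONTENT_DROPPED element

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its text
        allowed = ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name not in allowed:
                continue      # event handlers and anything not allowlisted
            if name in ("href", "src") and not _safe_url(value):
                continue      # javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            if self.suppress:
                self.suppress -= 1
            return
        if self.suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments (incl. conditional comments) are dropped


def sanitize_html(markup: str) -> str:
    """Return markup reduced to allowlisted tags/attributes with safe URLs."""
    p = _Sanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample mirroring the thread's <script> case plus common variants.
    sample = ('<script>alert("hi")</script><p onclick="steal()">hi '
              '<a href="javascript:alert(1)">x</a> <img src="x" onerror="alert(1)"></p>')
    print(sanitize_html(sample))
```

Note that an allowlist (rather than a denylist of known-bad tags) is what makes this hold up when new elements or attributes appear; whether to display sanitized HTML or refuse raw HTML output entirely, as the thread discusses for the JavaScript representation, is a separate policy decision.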