[IPython-dev] toggle cell input - changed in dev version?

Brian Granger ellisonbg at gmail.com
Mon Mar 17 13:50:14 EDT 2014


Sorry I missed that this was not for the python kernel. As Fernando
mentioned, just using the HTML/JS output and display protocol would
work fine.

I agree with Fernando that this part of our security approach is not
something we will make configurable. The reason is that <script> tags
in Markdown run on page load, before the user ever has a chance to
inspect what they are going to do. By that point, it is too late to
prevent someone from doing "rm -rf $HOME" or lifting all your ssh
keys, etc. That type of thing is still completely possible when a user
explicitly runs code in the notebook, but we want to prevent it upon
page load *always*.

I know we have not yet done a good job of justifying our decisions,
but we will in upcoming docs, blog posts, etc. We will get there...

Cheers,

Brian


On Mon, Mar 17, 2014 at 10:38 AM, Fernando Perez <fperez.net at gmail.com> wrote:
> Andrew, is it not easy/possible for you to simply write Haskell functions
> that return as a value, the necessary JS/HTML?  That's all that %%html and
> %%js do.
>
> All we're forbidding is embedded <script> in Markdown, but it's totally OK
> for you to return arbitrarily rich and powerful JS from your own code.
>
> But by putting it in the return field of executable code, there's a clear
> separation of intent: markdown is the narrative, 'static' part of the
> notebook, while output cells contain the dynamic, executable consequences.
>
> We will likely never make that configurable: one of the key tenets of a
> robust security model is keeping it simple. The more knobs you add, the more
> you increase the chances of surprising attacks becoming possible. For
> example, making that sanitization configurable could mean that a block of code
> could surreptitiously turn it off at runtime, and then load new dangerous
> markdown afterwards.  I'm not saying that vector *is* possible right now (I
> haven't looked), simply that adding more ways for the security features to
> change their behavior simply increases the attack surface.
>
> Cheers,
>
> f
>
>
> On Mon, Mar 17, 2014 at 10:29 AM, Andrew Gibiansky
> <andrew.gibiansky at gmail.com> wrote:
>>
>> My 2-cents:
>>
>> While I understand the security issues, it's a major inconvenience in my
>> personal work... In addition, it's a pretty heavy burden on any non-Python
>> kernel implementors; IHaskell currently has absolutely no notion of magics
>> (though directives are similar, maybe) but certainly no notion of cell
>> magics (and none planned for the time being)... (I have a ton of things to
>> do before implementing that, and haven't seen much use for cell magics,
>> especially given that Haskell has QuasiQuotes which allow similar things).
>>
>> It'd be really nice if there were some way to disable this security
>> feature.
>>
>> Do you think this might be possible somehow?
>>
>> -- Andrew
>>
>>
>>
>> On March 17, 2014 at 10:14:27 AM, Brian Granger (ellisonbg at gmail.com)
>> wrote:
>>
>> As of 2.0, Markdown cells no longer support script tags. You will need
>> to put this code into HTML/JavaScript output using %%html or
>> %%javascript. This is a security issue - we will have more details on
>> this as 2.0 is released.
>>
>> Cheers,
>>
>> Brian
>>
>> On Mon, Mar 17, 2014 at 7:01 AM, John Griffiths
>> <j.davidgriffiths at gmail.com> wrote:
>> >
>> > I've been making use of a little piece of javascript in a markdown cell
>> > that
>> > hides all code cells in the notebook;
>> >
>> > <script type="text/javascript">
>> > // Tracks whether the code-input cells are currently visible.
>> > var show = true;
>> > // Hide or reveal every code-input div in the notebook
>> > // (jQuery is already loaded by the notebook page).
>> > function toggle() {
>> >     if (show) {
>> >         $('div.input').hide();
>> >     } else {
>> >         $('div.input').show();
>> >     }
>> >     show = !show;
>> > }
>> > </script>
>> > <a href="javascript:toggle()" target="_self">toggle input</a>
>> >
>> > (e.g. see here
>> >
>> > http://python.6.x6.nabble.com/IPython-User-Hide-code-cells-in-the-notebook-td4997151.html
>> > )
>> >
>> >
>> > However, I recently installed the latest ipython dev version, and now
>> > this
>> > snippet doesn't seem to be working any more.
>> >
>> > Any obvious reasons for this?
>> >
>> > Ta,
>> >
>> > john
>> >
>> >
>> >
>> >
>> > --
>> >
>> > Mr. John Griffiths, MSc
>> >
>> > PhD Candidate
>> >
>> > Centre for Speech, Language, and the Brain
>> >
>> > Department of Experimental Psychology
>> >
>> > University of Cambridge, UK
>> >
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > IPython-dev at scipy.org
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> bgranger at calpoly.edu and ellisonbg at gmail.com
>>
>
>
>
> --
> Fernando Perez (@fperez_org; http://fperez.org)
> fperez.net-at-gmail: mailing lists only (I ignore this when swamped!)
> fernando.perez-at-berkeley: contact me here for any direct mail



-- 
Brian E. Granger
Cal Poly State University, San Luis Obispo
bgranger at calpoly.edu and ellisonbg at gmail.com
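The policy argued in this thread (strip anything executable from Markdown before it renders on page load; leave the output of executed code alone), as an added example that is not part of the thread and is not IPython's own code (IPython did this client-side, in the browser). `sanitize_markdown`, `render_cell` and the cell-type names are constructed for illustration; the sample Markdown is John's toggle snippet from above.

```python
"""Illustrative load-time sanitizer for notebook Markdown cells.

Constructed example, not IPython's implementation.  Markdown renders on
page load, before the user can inspect it, so <script>, inline event
handlers and javascript: URLs are removed from it unconditionally.
Output of code the user chose to run (where %%html / %%javascript, or a
kernel returning HTML, put their content) is displayed as-is.
"""
from html import escape
from html.parser import HTMLParser

# Elements dropped together with their content.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# Attributes that carry a URL, and therefore a scheme to check.
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """True for relative URLs and for allow-listed schemes only."""
    if value is None:
        return True
    # Browsers ignore whitespace/control characters inside a scheme
    # ("java\tscript:"), so compare a compacted, lower-cased form.
    compact = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    scheme, sep, _ = compact.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme: relative URL or fragment
    return scheme in ALLOWED_SCHEMES


class MarkdownSanitizer(HTMLParser):
    """Rebuilds the fragment, dropping anything that could run on load."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue  # onload=, onerror=, onclick=: inline handlers
            if lname in URL_ATTRS and not _safe_url(value):
                continue  # javascript:, data:, vbscript: ...
            kept.append((name, value))
        rendered = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT or self.skip_depth:
            return
        self.handle_starttag(tag, attrs)
        self.out[-1] = self.out[-1][:-1] + "/>"

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")


def sanitize_markdown(fragment):
    parser = MarkdownSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_cell(cell_type, html):
    """Markdown is narrative and untrusted at load time; code output is the
    consequence of code the user explicitly ran, so it passes through."""
    if cell_type == "markdown":
        return sanitize_markdown(html)
    if cell_type == "code_output":
        return html
    raise ValueError(f"unknown cell type: {cell_type!r}")


# John's toggle snippet from the thread, used here as the sample Markdown.
TOGGLE_SNIPPET = """<script type="text/javascript">
var show = true;
function toggle() {
    if (show) { $('div.input').hide(); } else { $('div.input').show(); }
    show = !show;
}
</script>
<a href="javascript:toggle()" target="_self">toggle input</a>"""

if __name__ == "__main__":
    print("markdown cell:", render_cell("markdown", TOGGLE_SNIPPET))
    print("code output  :", render_cell("code_output", TOGGLE_SNIPPET))
```

Run against the sample, the Markdown path keeps the visible link text and the harmless `target` attribute but drops the whole `<script>` element and the `javascript:` href, so nothing executes when the notebook opens; the same string passed as code output comes back untouched. That second path is the route Brian and Fernando point to: with the Python kernel, `from IPython.display import HTML, display; display(HTML(TOGGLE_SNIPPET))` in a code cell produces exactly that kind of output, and the script only runs because the user ran the cell.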


