I do see the same problem up to and including notebook 6.4.4.

Jonathan
On Tuesday, January 11, 2022 at 12:51:11 PM UTC-6 zachs...@gmail.com wrote:

> Hi Jonathan,
>
> Thank you for opening your question here!
>
> First, what version of notebook are you running? I think this has been
> addressed in v6.4.4 (see this changelog
> <https://github.com/jupyter/notebook/releases/tag/v6.4.4>). Let me know
> if that's not true.
>
>> Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798,
>> the jupyter notebook maintainers have chosen to implement markdown
>> sanitization
>
> To be clear, we didn't "choose" to implement markdown sanitization in
> response to this CVE. Jupyter Notebook was *already* doing markdown
> sanitization, but it was using a deprecated library with a critical
> security vulnerability. As a result, we were forced to replace that
> dependency; in doing so, we didn't properly configure the new sanitizer to
> allow some basic styling. As I mentioned, I hope this was fixed in v6.4.4,
> but let us know if not and we can start the conversation in a thread.
>
> TL;DR
>
> As an aside, security vulnerabilities are tricky. In this particular case,
> we were required to act fast, while coordinating effort with multiple
> people from different organizations (the challenges of open-source). You
> can read more about it in this blog post.
> <https://blog.jupyter.org/cve-2021-32797-and-cve-2021-32798-remote-code-execution-in-jupyterlab-and-jupyter-notebook-a70fae0d3239>
> We did our best with the constraints we had—and we learned some things for
> next time.
>
> It's also important to keep in mind that there is a relatively small
> number of people working on core Jupyter components, while the project
> generates a large volume of work for everyone. As you know from the future
> of the notebook discussions, Notebook maintainers are spread pretty thin
> these days. This issue specifically was one of the main factors that
> prompted the wider discussion about Notebook's future.
>
> Thank you again, Jonathan. I hope you're able to get your notebooks
> working again with a later release of Notebook.
>
> Best,
>
> Zach Sailer, Ph.D.
> Apple | Sr. Software Engineer
> Project Jupyter | Core Developer
>
>
> On Tue, Jan 11, 2022 at 9:07 AM Jonathan Gutow <gu...@uwosh.edu> wrote:
>
>> Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798,
>> the jupyter notebook maintainers have chosen to implement markdown
>> sanitization in all notebooks >=6.4.1 that completely strips all html
>> styling. This breaks most of my educational notebooks, which use styling
>> beyond what markdown is capable of.
>>
>> I would suggest this should be discussed and think that one of the
>> following approaches might be better:
>>
>> 1. Create a blacklist of the html elements (eg. <form>, <button>,
>> <script>) that will be stripped. Leave everything else. Make it very
>> clear that they will be stripped. They should probably be deleted from
>> the markdown code.
>> 2. Create a whitelist of things allowed (eg. allow style, but not
>> onclick, onload, etc..). This is probably harder, unless there is truly
>> only a limited set that is safe. This may require limiting to style
>> features, like margins, colors, backgrounds, and element sizing/placement.
>> 3. Behave more like code cells. Accept anything, but do not process
>> them unless the user explicitly trusts the notebook.
>>
>> Can somebody explain why it is necessary to completely remove the
>> capability to use html styling in markdown cells? It seems to me there
>> ought to be an alternative.
>>
>> Regards,
>> Jonathan
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jupyter+u...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jupyter/aa4a69f7-c4ce-46d9-ac43-246e137128d0n%40googlegroups.com

To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/710f5292-33c8-40f8-b3d3-30729e984107n%40googlegroups.com.
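The two sanitizer designs Jonathan sketches above (a denylist of elements such as `<form>`, `<button>` and `<script>` that are removed, and an allowlist that keeps `style` but never `onclick`, `onload` and the like, with `style` itself limited to margins, colours, backgrounds and sizing) can be combined into a single pass over the cell's HTML. The following is an added example written for this thread, not the Notebook project's own sanitizer (which is a front-end dependency and is not shown here). It uses Python's standard-library `html.parser` purely so it runs stand-alone; the tag, attribute and CSS-property lists are illustrative choices, not Jupyter's configuration, and the sample input is constructed.

```python
"""Allowlist HTML sanitizer for markdown-cell output (illustrative, not Jupyter's code)."""
import re
from html import escape
from html.parser import HTMLParser

# Approach 2: elements that are kept. Anything else is unwrapped (tag removed, text kept).
ALLOWED_TAGS = {
    "p", "div", "span", "b", "strong", "i", "em", "u", "br", "hr", "a", "img",
    "ul", "ol", "li", "h1", "h2", "h3", "h4", "h5", "h6", "code", "pre",
    "blockquote", "sup", "sub", "table", "thead", "tbody", "tr", "th", "td",
}
# Approach 1: elements removed together with their content. The <style> element is
# dropped too because page-wide CSS is not "styling this cell"; the style attribute stays.
DROP_WITH_CONTENT = {"script", "style", "form", "button", "iframe", "object", "textarea"}
VOID_TAGS = {"br", "hr", "img"}

# Attributes kept per tag ("*" applies to every allowed tag). No on* handler is ever
# listed, so onclick/onload/onerror are dropped by construction rather than by pattern.
ALLOWED_ATTRS = {
    "*": {"style", "class", "title"},
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
# Inline style is limited to layout and colour properties (illustrative list).
ALLOWED_CSS_PROPS = {
    "color", "background", "background-color", "margin", "margin-left", "margin-right",
    "margin-top", "margin-bottom", "padding", "border", "width", "height", "float",
    "text-align", "font-size", "font-weight",
}
# CSS values that could fetch a resource or run code are rejected whole.
UNSAFE_CSS_VALUE = re.compile(r"url\s*\(|expression\s*\(|javascript:|@import", re.I)
# Links must use an explicitly allowed scheme or be absolute-path/fragment links.
SAFE_URL = re.compile(r"^(https?:|mailto:|#|/)", re.I)


def sanitize_style(value: str) -> str:
    """Keep only allowlisted CSS declarations whose values are plain."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if sep and val and prop in ALLOWED_CSS_PROPS and not UNSAFE_CSS_VALUE.search(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def sanitize_attrs(tag: str, attrs) -> str:
    """Render the attributes of `tag` that survive the allowlist, HTML-escaped."""
    allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
    rendered = []
    for name, value in attrs:
        name, value = name.lower(), value or ""
        if name not in allowed:  # covers every on* handler, srcdoc, formaction, ...
            continue
        if name == "style":
            value = sanitize_style(value)
            if not value:
                continue
        elif name in ("href", "src") and not SAFE_URL.match(value.strip()):
            continue
        rendered.append(f' {name}="{escape(value, quote=True)}"')
    return "".join(rendered)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises an HTML fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"<{tag}{sanitize_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:  # text is re-escaped on output, never passed through
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions produce no output and are dropped.


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample cell HTML, not taken from the thread.
    sample = ('<div style="color: red; margin: 1em; background: url(x)" onclick="alert(1)">'
              '<form><button>Go</button></form>styled text &lt; kept</div>'
              '<script>alert(1)</script><a href="javascript:alert(1)">link</a>')
    print(sanitize(sample))
```

The sample shows why the denylist of approach 1 is not enough on its own: `<form>` and `<script>` are removed as requested, but the `onclick` on the perfectly ordinary `<div>` only goes because the attribute allowlist of approach 2 never admits it, and the `background: url(...)` declaration only goes because the `style` value is itself parsed and filtered rather than passed through. A production sanitizer (DOMPurify in the browser, bleach in Python) does considerably more than this, for example handling SVG and MathML namespaces and browser parsing quirks, which is the "harder" part Jonathan anticipates.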