On 10/6/12 1:17 PM, Volker Braun wrote:
The whitelist is lxml.html.defs.tags, see
http://lxml.de/api/lxml.html.defs-module.html
Cleaning CSS should probably be considered a separate problem,
especially since Microsoft decided in their infinite wisdom to
allow embedded javascript in CSS files (he
Since we just got another report of #11391, I would like to propose
again to add GNU m4 as standard package. The only possible argument
against it would be that it makes the Sage source about 1MB larger...
On 2012-06-19 14:34, Jeroen Demeyer wrote:
> How do you guys feel about adding a GNU M4 pac
Only the html() output is run through lxml, not the whole worksheet. Indeed
we do want to allow the Sage server to put javascript into the notebook. So
to clarify: Only html() output injected by the user into the notebook is
sanitized and stripped of styles.
On Saturday, October 6, 2012 7:24:
Thanks, Andrea. I want to run some of textbook-worksheets through this,
especially since they have been mangled by the lxml module once already.
;-)
Rob
On Saturday, October 6, 2012 1:29:01 PM UTC-7, Andrea Lazzarotto wrote:
> 2012/10/6 Rob Beezer >
>> Has anybody else been successful
2012/10/6 Rob Beezer
> Has anybody else been successful testing these changes?
No. Partially because I got those errors too and partially because I'm
waiting to be authorized by Jason to intentionally try to inject some proof
of concept XSS in the public worksheets.
--
*Andrea Lazzarotto* - h
On Thursday, October 4, 2012 2:50:25 PM UTC-7, jason wrote:
>
> to demo.sagenb.org as a test.
>
I've been regularly getting
503 Service Unavailable No server is available to handle this request.
back from demo.sagenb.org the past couple of days. Has anybody else been
successful testing th
2012/10/6 Volker Braun
> But we use none of that since Jason's patch explicitly removes all style
> tags.
What about style attributes?
--
*Andrea Lazzarotto* - http://andrealazzarotto.com
--
You received this message because you are subscribed to the Google Groups
"sage-devel" group.
To
The whitelist is lxml.html.defs.tags, see
http://lxml.de/api/lxml.html.defs-module.html
Cleaning CSS should probably be considered a separate problem, especially
since Microsoft decided in their infinite wisdom to allow embedded
javascript in CSS files (hence the _css_javascript_re). But we use
On Sat, Oct 6, 2012 at 8:19 AM, Volker Braun wrote:
> Before you even get to the question of black/whitelisting you have to deal
> with malformed documents. Are your rules (black or white) going to apply to
> subtly broken tags? I think lxml does the only sane thing here: Parse the
> document into
Before you even get to the question of black/whitelisting you have to deal
with malformed documents. Are your rules (black or white) going to apply to
subtly broken tags? I think lxml does the only sane thing here: Parse the
document into a valid xml document, apply rules, and then write everyth
2012/10/6 William Stein
> I wonder if there is a way to put malware into a mathjax script tag?
>
Probably yes.
I ask again: Jason, can I try to hack?
Thank you.
--
*Andrea Lazzarotto* - http://andrealazzarotto.com
On Sat, Oct 6, 2012 at 6:06 AM, William Stein wrote:
> On Thu, Oct 4, 2012 at 2:50 PM, Jason Grout
> wrote:
>> (apologies for possible multiple posts--I've sent this twice to gmane and it
>> hasn't appeared)
>>
>> I've implemented some sanitizing of public worksheets [1] and applied it to
>> dem
On Thu, Oct 4, 2012 at 2:50 PM, Jason Grout wrote:
> (apologies for possible multiple posts--I've sent this twice to gmane and it
> hasn't appeared)
>
> I've implemented some sanitizing of public worksheets [1] and applied it to
> demo.sagenb.org as a test. The concerns from before were that java
2012/10/5 Jeroen Demeyer
> You need to apply the patch from
> http://trac.sagemath.org/sage_trac/ticket/13515
>
> (or use sage-5.4.rc0)
>
Thank you very much!
--
*Andrea Lazzarotto* - http://andrealazzarotto.com
On 2012-10-05 23:59, Dan Drake wrote:
> Someone (us? Mercurial people?) need to get an encoding line into those
> source files.
I think it's quite a challenge to get an encoding in the file *before*
the #! line.