Re: [sage-devel] Re: public worksheets

2012-10-09 Thread Andrea Lazzarotto
2012/10/9 Jason Grout > By the way, I am now removing the tags additionally specified in the > html5lib library I tried every attack to which Firefox is vulnerable from http://html5sec.org and none worked. I tried to exploit the mathjax script just a bit, I'm not a security expert. BTW your cle

[sage-devel] Re: public worksheets

2012-10-09 Thread Jason Grout
On 10/6/12 11:47 PM, Jason Grout wrote: It would be easy to add the latter tags to the remove_tags list for lxml. On the other hand, it would also be easy to switch to html5lib. I agree with Volker that fundamentally, lxml and html5lib by default approach things in the same way: a whitelist of p

[sage-devel] Re: public worksheets

2012-10-09 Thread Jason Grout
On 10/7/12 4:02 AM, Andrea Lazzarotto wrote: 2012/10/4 Jason Grout <jason-s...@creativetrax.com> I've implemented some sanitizing of public worksheets [1] and applied it to demo.sagenb.org as a test. The concerns from before were that javascript wa

[sage-devel] Re: public worksheets

2012-10-06 Thread Jason Grout
On 10/6/12 1:17 PM, Volker Braun wrote: The whitelist is lxml.html.defs.tags, see http://lxml.de/api/lxml.html.defs-module.html Cleaning CSS should probably be considered a separate problem, especially since Microsoft decided in their infinite wisdom to allow embedded javascript in CSS files (he

Re: [sage-devel] Re: public worksheets

2012-10-06 Thread Rob Beezer
Thanks, Andrea. I want to run some of textbook-worksheets through this, especially since they have been mangled by the lxml module once already. ;-) Rob On Saturday, October 6, 2012 1:29:01 PM UTC-7, Andrea Lazzarotto wrote: > > > > 2012/10/6 Rob Beezer > > >> Has anybody else been successful

Re: [sage-devel] Re: public worksheets

2012-10-06 Thread Andrea Lazzarotto
2012/10/6 Rob Beezer > Has anybody else been successful testing these changes? No. Partially because I got those errors too and partially because I'm waiting to be authorized by Jason to intentionally try to inject some proof of concept XSS in the public worksheets. -- *Andrea Lazzarotto* - h

[sage-devel] Re: public worksheets

2012-10-06 Thread Rob Beezer
On Thursday, October 4, 2012 2:50:25 PM UTC-7, jason wrote: > > to demo.sagenb.org as a test. > I've been regularly getting 503 Service Unavailable No server is available to handle this request. back from demo.sagenb.org the past couple of days. Has anybody else been successful testing th

[sage-devel] Re: public worksheets

2012-10-05 Thread Volker Braun
Looks good! To decrease the value of sagenb.org as spam link farm we should probably also add add_nofollow=True: html_cleaner = SageCleaner(page_structure=False, remove_tags=('head', 'title'), style=True, add_nofollow=True) On Thursday, October 4, 2012 10:50:25 PM UTC+1, jason wrote: > > Ca

[sage-devel] Re: public worksheets

2012-10-04 Thread Jason Grout
On 10/4/12 7:49 PM, kcrisman wrote: On Thursday, October 4, 2012 5:50:25 PM UTC-4, jason wrote: (apologies for possible multiple posts--I've sent this twice to gmane and it hasn't appeared) I've implemented some sanitizing of public worksheets [1] and applied it to demo.sa

[sage-devel] Re: public worksheets

2012-10-04 Thread kcrisman
On Thursday, October 4, 2012 5:50:25 PM UTC-4, jason wrote: > > (apologies for possible multiple posts--I've sent this twice to gmane > and it hasn't appeared) > > I've implemented some sanitizing of public worksheets [1] and applied it > to demo.sagenb.org as a test. The concerns from before

[sage-devel] Re: public worksheets and sage notebook

2012-09-28 Thread Jason Grout
On 9/28/12 3:22 PM, Taylor Dupuy wrote: It would also be nice if there was a better description of why the notebook was down rather than just a blank error page. It was probably because of some memory issues. An error page for yesterday's problems would probably have said something like "the

[sage-devel] Re: public worksheets and sage notebook

2012-09-28 Thread Jason Grout
On 9/28/12 3:24 PM, Andrea Lazzarotto wrote: 2012/9/28 Taylor Dupuy <taylor.du...@gmail.com> What is going on with the public worksheets? AFAIK they have been disabled for spam reasons. Spam and malware reasons. Are they going to be back up soon? I don't know... Most l

[sage-devel] Re: public worksheets, and export

2009-03-13 Thread Pierre
oops this should have been on sage-support and not sage-devel, i'll make a copy now. On Mar 13, 7:36 pm, Pierre wrote: > hi all, > > I'm writing this on behalf of a colleague. We've been trying to > experiment with public worksheets, so that his students could play > with an @interact -- first t