Hi Dannon, and thanks for the response!

I can see the need to sanitize incoming HTTP request parameters that may have 
malicious content.  However, I'm unclear as to why this also needs to happen 
for HTML pages outputted by the Galaxy tools?  If they have been generated with 
sanitized HTTP request parameters, is there still a risk of an XSS attack?

If anything, would it be possible to make this sort of sanitization 
controllable via a configuration file option?

Thanks!

Cory

On 2012-02-01, at 12:01 PM, Dannon Baker wrote:

> Hi Cory,
> 
> The new call to sanitize_html was introduced to more effectively prevent 
> malicious content and possible XSS attacks, though I can't think off the top 
> of my head why we couldn't allow style content.  I'll see what I can do about 
> relaxing the filter a little.
> 
> Thanks!
> 
> -Dannon
> 
> On 01/30/2012 10:33 PM, Cory Spencer wrote:
>> Hello all -
>> 
>> One of the Galaxy tools I've been developing generates HTML output which I'd 
>> styled using a <style>...</style> tag in the HTML header.  After updating to 
>> the latest Galaxy release earlier today, the <html>, <head>...</head>, <style> 
>> and <body> tags started to get stripped from the output, rendering 
>> previously CSS styled output rather unstylish.
>> 
>> Delving into things, I noticed a change committed in December that sanitizes 
>> the output for HTML files via a call to "sanitize_html":
>> 
>> https://bitbucket.org/galaxy/galaxy-central/changeset/35fee32991ce#chg-lib/galaxy/web/controllers/dataset.py
>> 
>> The added lines 381 ->  383 in the new file appear to be causing this new 
>> behaviour.
>> 
>> Is there any option for making this optional?  What was the rationale behind 
>> stripping out these tags on outputted HTML files?
>> 
>> Thanks for any help!
>> 
>> Cory Spencer
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>> 
>>   http://lists.bx.psu.edu/

