Good suggestion. Then the sanitisation should be switched off by defining a parameter in the tool <outputs> section if your data is html.

Joachim

On 11/15/2012 09:28 AM, Peter Cock wrote:

On Thursday, November 15, 2012, Lukasse, Pieter wrote:

    Hi Joachim,

    By the way: do you know what the reason is for this setting? Is
    there a known security problem that triggered this feature? If you
    add only trusted tools to your Galaxy environment, then this is
    not needed, right?

    This change was mentioned briefly in "March 12, 2012 Galaxy
    Development News Brief" but no background information was given...

    Thanks and regards,


Even if all the tools are safe, there is still a loophole - the user can
upload their own files. Suppose I uploaded an HTML file with a
JavaScript exploit in it? In this case unless Galaxy sanitises the
HTML it could be unsafe to display the user's file.

Perhaps the file could be sanitised on upload (maybe Galaxy
already does this - defence in depth?) but I could probably
still upload it as a plain text file and then switch the datatype
in Galaxy to HTML.

Peter

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

 http://lists.bx.psu.edu/
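The display-time sanitisation Peter's message argues for, as an added example that is not Galaxy's own code: an allowlist sanitiser in Python (Galaxy's language) plus a render step that decides from the dataset's current datatype at display time, so a file uploaded as plain text and later relabelled HTML is still sanitised. The tag and attribute allowlist, the constructed test payloads, and the `trusted_tool_output` flag (standing in for the per-output parameter Joachim proposes) are all assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
# Allowlist for this example (an assumption, not Galaxy's real policy).
ALLOWED_TAGS = {"a", "b", "i", "p", "ul", "ol", "li", "pre", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
DROP_WITH_CONTENT = {"script", "style"}  # element and its text both vanish

class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0  # _skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still emitted, escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops every on* handler and anything unlisted
            if name == "href" and not value.strip().lower().startswith(("http://", "https://", "/")):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments and declarations are dropped by default
        if not self._skip:
            self.out.append(escape(data))

def sanitize_html(markup: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(markup)
    parser.close()  # flush any text buffered after the last tag
    return "".join(parser.out)

def render_for_display(content: str, datatype: str, trusted_tool_output: bool = False) -> str:
    if datatype != "html":
        return f"<pre>{escape(content)}</pre>"  # txt, tabular, ...: never interpreted
    if trusted_tool_output:  # hypothetical per-output opt-out, as Joachim suggests
        return content
    return sanitize_html(content)
```

Because `render_for_display` looks only at the datatype the dataset has now, switching a dataset from txt to html after upload changes nothing about whether its content is sanitised before rendering.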
