Thanks again for the issue report. The current stable branch of
galaxy-central will now render all XML content as plain text so that
web browsers do not attempt to evaluate JavaScript contained in SVG
files. This is hopefully a short-term workaround until an SVG
sanitization can be incorporated into Galaxy and/or tools can be
whitelisted as producing results that do not need to be sanitized. The
relevant Trello tickets are below:

https://trello.com/c/xRF2e9oo
https://trello.com/c/8iMhKlPX

Realistically, I don't know by whom or when these Trello tickets will be
addressed, though :(.

Finally, this does essentially break some datatypes in Galaxy, so the
behavior can be disabled (set serve_xss_vulnerable_mimetypes to True
in universe_wsgi.ini).

-John


On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant
<tobias.sarge...@gmail.com> wrote:
> In experimenting with how we could embed JavaScript/unsanitized HTML in tool
> output, we came across the following method. Given that the current default
> is to disallow such activities, we thought it might be useful to bring it to
> your attention.
>
> The attached file provides an example which, when uploaded to a history and
> viewed, produces a popup on the current stable release of Galaxy (local
> install and https://usegalaxy.org).
>
> Cheers,
> Tobias Sargeant.
>
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
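The two defences the thread talks about, the content-type downgrade that shipped on stable and the SVG sanitization the Trello cards ask for, as an added example in Python (Galaxy's own language). This is not Galaxy's code: the set of mimetypes treated as XSS-vulnerable, the function names, and the sample SVG are all assumptions constructed for illustration, and the sample is not the attachment from the original report.

```python
"""
Added example (not Galaxy's own code): a minimal model of the two defences
discussed in this thread, using only the Python standard library.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: which mimetypes a browser will parse as active content. The
# set Galaxy actually uses is not shown on this page; this one is illustrative.
XSS_VULNERABLE_MIMETYPES = {"image/svg+xml", "application/xml", "text/xml"}

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def response_content_type(mimetype, serve_xss_vulnerable_mimetypes=False):
    """Workaround from the thread: serve scriptable XML types as text/plain.

    The browser then displays the markup instead of parsing it as SVG/XML, so
    any <script> or on* handler inside it is never evaluated. The flag mirrors
    the serve_xss_vulnerable_mimetypes setting mentioned in the reply above.
    """
    base = mimetype.split(";", 1)[0].strip().lower()
    if base in XSS_VULNERABLE_MIMETYPES and not serve_xss_vulnerable_mimetypes:
        return "text/plain"
    return mimetype


# href values with these schemes run script when the link is activated.
_ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes):
    """Longer-term fix the Trello cards ask for: strip the scriptable parts.

    Removes <script> and <foreignObject> elements, every on* event-handler
    attribute, and href/xlink:href values with a script scheme.
    Returns (cleaned_svg_text, list_of_removed_items) so callers can log
    what was stripped from a dataset.
    """
    root = ET.fromstring(svg_bytes)
    removed = []
    # Pass 1: drop scriptable child elements (parent-first so we can detach them).
    for parent in list(root.iter()):
        for child in list(parent):
            name = _local_name(child.tag).lower()
            if name in ("script", "foreignobject"):
                parent.remove(child)
                removed.append(name)
    # Pass 2: drop event handlers and javascript: links on what is left.
    for elem in root.iter():
        for attr in list(elem.attrib):
            local = _local_name(attr).lower()
            if local.startswith("on"):
                del elem.attrib[attr]
                removed.append("@" + local)
            elif local == "href" and _ACTIVE_URI.match(elem.attrib[attr]):
                del elem.attrib[attr]
                removed.append("@href")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample, not the attachment from the original report: an SVG
# that would pop up alerts when rendered as image/svg+xml.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script type="text/javascript">alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><circle cx="50" cy="50" r="40"/></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""


if __name__ == "__main__":
    print("served as:", response_content_type("image/svg+xml"))
    cleaned, removed = sanitize_svg(MALICIOUS_SVG)
    print("removed:", removed)
    print(cleaned)
```

Two caveats for anyone turning this into a real fix. First, the sanitizer is a denylist written to show the mechanism; SVG has other script carriers (for example `<animate>`/`<set>` retargeting an `href`, or CSS `url()` references), so a production sanitizer should allowlist the elements and attributes it keeps rather than enumerate the ones it drops. Second, untrusted XML should be parsed with entity expansion disabled (the `defusedxml` package wraps ElementTree for exactly this), since the sanitizer itself is now an attack surface for the uploaded file.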