I broke your Galaxy and did so intentionally - I feel bad about that.
The way Galaxy was serving out XML content allowed XSS attacks between
users - 
http://dev.list.galaxyproject.org/using-svg-foreignObject-tags-can-circumvent-html-sanitization-td4663390.html.

If you aren't running a public instance, one could just set
serve_xss_vulnerable_mimetypes to True in your universe_wsgi.ini file
to disable the changed behavior. There are some relevant Trello cards
referenced in that e-mail for longer term fixes more appropriate for
public servers or servers where you don't or cannot trust your users.

-John
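
To make the change John describes concrete, here is an added example (not Galaxy's own code) of the two pieces a defender wants: a display handler that downgrades XSS-prone mimetypes to a plain-text download unless the admin opts in, and an audit helper that flags stored XML/SVG carrying stylesheet PIs, script or foreignObject. The option name serve_xss_vulnerable_mimetypes and the qProject header are taken from the thread; the function names and the sample documents are assumptions/constructed.

```python
import re

# Constructed sample: the header of the qProject XML quoted in the thread.
QPROJECT_XML = (b'<?xml version="1.0"?>\n'
                b'<?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>\n'
                b'<qProject version="0.1"></qProject>\n')

# Constructed sample: an SVG with no active content at all.
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

# Mimetypes a browser renders as a document and can execute script from.
XSS_VULNERABLE_MIMETYPES = {"text/xml", "application/xml", "image/svg+xml",
                            "application/xhtml+xml", "text/html"}

# Markers that make an XML document "active" when rendered inline: a stylesheet
# PI (loads an XSL transform), a script element, or SVG foreignObject (embeds HTML).
ACTIVE_CONTENT = re.compile(rb"<\?xml-stylesheet\b|<script\b|<foreignObject\b", re.I)


def active_content_markers(body):
    """Return the distinct active-content markers found in an XML/SVG body.

    Useful for auditing existing datasets before an admin decides to set
    serve_xss_vulnerable_mimetypes = True on a non-public instance.
    """
    return sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(body)})


def display_headers(mimetype, body, serve_xss_vulnerable_mimetypes=False):
    """Headers for an 'eye' (display) request on a dataset.

    Vulnerable mimetypes are served as a text/plain download, so the browser
    never renders them in the Galaxy origin, unless the admin has opted in.
    """
    headers = {"X-Content-Type-Options": "nosniff"}  # stop MIME sniffing back to XML
    if mimetype in XSS_VULNERABLE_MIMETYPES and not serve_xss_vulnerable_mimetypes:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Type"] = mimetype
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    print(active_content_markers(QPROJECT_XML))
    print(display_headers("text/xml", QPROJECT_XML))
```

With the default (safe) setting the qProject file is downloaded as plain text, which is exactly why the XSL-driven "magic" stopped working after the upgrade.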

On Thu, May 8, 2014 at 7:39 AM, Hans-Rudolf Hotz <h...@fmi.ch> wrote:
> Hi
>
> This is a long shot, but maybe someone can help us....
>
>
> We are in the process of upgrading our production galaxy server (from
> "release_2013.11.04" to "release_2014.04.14"). Despite some "hiccups" it
> went very smoothly (I might come back with those in a different mail thread
> next week). However, we are running into a display problem:
>
>
> A former co-worker has written a tool which generates a big xml file. When
> clicking on the 'eye' icon, we don't want to display the complete file, but
> only part of it. For this he has written an xsl file ("qProject.xsl"). This
> file is placed in ~/galaxy-dist/static/
>
> Correspondingly, the beginning of the xml file looks like:
>
> <?xml version="1.0"?>
> <?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>
>      <qProject version="0.1">
>   etc.
>
> And (at least for me by magic), when you now click on the 'eye' icon a
> nicely formatted output was displayed, instead of the full xml file. This
> has been the case with the "release_2013.11.04" distribution.
>
> Now with the "release_2014.04.14" distribution (and also already with
> "release_2014.02.10"), this magic trick does not work anymore, and the
> complete, un-formatted xml file is displayed.
>
> I am aware that there have been major changes introduced for the displays with
> the "release_2014.02.10" distribution. So, can anybody give me some hints on
> how to get this working again? I am happy to provide more details, if
> required.
>
>
> Thank you very much
> Hans-Rudolf
>
> --
>
> Hans-Rudolf Hotz, PhD
> Bioinformatics Support
>
> Friedrich Miescher Institute for Biomedical Research
> Maulbeerstrasse 66
> 4058 Basel/Switzerland
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>  http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>  http://galaxyproject.org/search/mailinglists/