Hi John

Thank you very much for the explanation. I will discuss it with our sys-admin

Hans-Rudolf

On 05/08/2014 03:29 PM, John Chilton wrote:
I broke your Galaxy and did so intentionally - I feel bad about that.
The way Galaxy was serving out XML content allowed XSS attacks between
users - 
http://dev.list.galaxyproject.org/using-svg-foreignObject-tags-can-circumvent-html-sanitization-td4663390.html.

If you aren't running a public instance, one could just set
serve_xss_vulnerable_mimetypes to True in your universe_wsgi.ini file
to disable the changed behavior. There are some relevant Trello cards
referenced in that e-mail for longer term fixes more appropriate for
public servers or servers where you don't or cannot trust your users.

-John

On Thu, May 8, 2014 at 7:39 AM, Hans-Rudolf Hotz <h...@fmi.ch> wrote:
Hi

This is a long shot, but maybe someone can help us....


We are in the process of upgrading our production galaxy server from
"release_2013.11.04" to "release_2014.04.14". Despite some "hiccups" it
went very smoothly (I might come back with those in a different mail thread
next week). However, we are running into a display problem:


A former co-worker has written a tool which generates a big xml file. When
clicking on the 'eye' icon, we don't want to display the complete file, but
only part of it. For this he has written an xsl file ("qProject.xsl"). This
file is placed in ~/galaxy-dist/static/

Correspondingly, the beginning of the xml file looks like:

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>
<qProject version="0.1">
   etc.

And (at least for me by magic), when you now click on the 'eye' icon a
nicely formatted output was displayed, instead of the full xml file. This
has been the case with the "release_2013.11.04" distribution.

Now with the "release_2014.04.14" distribution (and also already with
"release_2014.02.10"), this magic trick does not work anymore, and the
complete, un-formatted xml file is displayed.

I am aware that there have been major changes introduced for the displays with
the "release_2014.02.10" distribution. So, can anybody give me some hints on
how to get this working again? I am happy to provide more details, if
required.


Thank you very much
Hans-Rudolf

--



Hans-Rudolf Hotz, PhD
Bioinformatics Support

Friedrich Miescher Institute for Biomedical Research
Maulbeerstrasse 66
4058 Basel/Switzerland
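As an added illustration of the behaviour John describes (not Galaxy's own code), the following sketches how a dataset-display handler can downgrade XSS-capable mimetypes such as text/xml to text/plain unless the operator opts back in with serve_xss_vulnerable_mimetypes, and why that stops the browser from applying the xml-stylesheet XSLT from the qProject file. The mimetype set, the function names, the nosniff header and the sample XML are assumptions constructed for this example.

```python
import re

# Assumed set of mimetypes a browser parses as a document and can run script
# from (SVG via <script>/<foreignObject>, XML via an XSLT stylesheet).
# Galaxy's real list lives in its source; this set is illustrative only.
XSS_VULNERABLE_MIME_TYPES = {
    "image/svg+xml", "application/xml", "text/xml", "application/xhtml+xml", "text/html",
}
XML_LIKE = {"application/xml", "text/xml", "image/svg+xml"}
SAFE_FALLBACK = "text/plain"

_STYLESHEET_PI = re.compile(rb"<\?xml-stylesheet\b[^>]*\?>")

# Constructed sample mirroring the prolog of the qProject file from the thread.
SAMPLE_QPROJECT_XML = (
    b'<?xml version="1.0"?>\n'
    b'<?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>\n'
    b'<qProject version="0.1"><sample id="1"/></qProject>\n'
)


def has_client_side_stylesheet(data: bytes) -> bool:
    """True if the XML prolog asks the browser to apply an XSLT file."""
    return _STYLESHEET_PI.search(data[:4096]) is not None


def display_headers(mimetype: str, serve_xss_vulnerable_mimetypes: bool = False) -> dict:
    """Response headers for the 'eye' icon view of a dataset of this mimetype."""
    mimetype = mimetype.split(";")[0].strip().lower()
    if mimetype in XSS_VULNERABLE_MIME_TYPES and not serve_xss_vulnerable_mimetypes:
        mimetype = SAFE_FALLBACK  # browser shows the raw text and runs nothing
    return {
        "Content-Type": mimetype,
        # Assumed hardening: stop browsers sniffing text/plain back into XML/HTML.
        "X-Content-Type-Options": "nosniff",
    }


def stylesheet_will_run(data: bytes, mimetype: str, serve_xss_vulnerable_mimetypes: bool) -> bool:
    """Would the browser apply the XSLT (the 'magic' from the thread) under these headers?"""
    ctype = display_headers(mimetype, serve_xss_vulnerable_mimetypes)["Content-Type"]
    return ctype in XML_LIKE and has_client_side_stylesheet(data)


if __name__ == "__main__":
    for opt_in in (False, True):
        h = display_headers("text/xml", opt_in)
        print(f"serve_xss_vulnerable_mimetypes={opt_in}: Content-Type={h['Content-Type']}, "
              f"XSLT applied={stylesheet_will_run(SAMPLE_QPROJECT_XML, 'text/xml', opt_in)}")
```

With the hardened default the file is served as text/plain, which is exactly the "complete, un-formatted xml file" seen after the upgrade; the opt-in restores the XSLT view and with it the cross-user XSS exposure on a shared instance.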
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
___________________________________________________________