Re: [galaxy-dev] using svg foreignObject tags can circumvent html sanitization

2014-02-26 Thread John Chilton
Thanks again for the issue report. The current stable branch of
galaxy-central will now render all XML content as plain text so that
web browsers do not attempt to evaluate JavaScript contained in SVG
files. This is hopefully a short-term workaround until an SVG
sanitization can be incorporated into Galaxy and/or tools can be
whitelisted as producing results that do not need to be sanitized. The
relevant Trello tickets are below:

https://trello.com/c/xRF2e9oo
https://trello.com/c/8iMhKlPX

Realistically, I don't know who or when these Trello tickets will be
addressed though :(.

Finally, this does essentially break some datatypes in Galaxy, so the
behavior can be disabled (set serve_xss_vulnerable_mimetypes to True
in universe_wsgi.ini).

-John


On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant
tobias.sarge...@gmail.com wrote:
 In experimenting with how we could embed javascript/unsanitized html in tool
 output we came across the following method. Given that the current default
 is to disallow such activities, we thought it might be useful to bring it to
 your attention.

 The attached file provides an example, which, when uploaded to a history and
 viewed produces a popup on the current stable release of galaxy (local
 install and https://usegalaxy.org).

 Cheers,
 Tobias Sargeant.


 ___
 Please keep all replies on the list by using reply all
 in your mail client.  To manage your subscriptions to this
 and other Galaxy lists, please use the interface at:
   http://lists.bx.psu.edu/

 To search Galaxy mailing lists use the unified search at:
   http://galaxyproject.org/search/mailinglists/
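As an added illustration (not Galaxy's own code and not from the thread), the workaround John describes modelled in Python: XML-family MIME types are downgraded to text/plain unless a serve_xss_vulnerable_mimetypes flag is set, plus a conservative check that flags the foreignObject vector in an SVG before anyone considers whitelisting a datatype. The function names, the text/xml entry and the sample SVGs are constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed example; these helpers are not part of Galaxy. text/xml is an
# assumption added here; the thread itself names only the first two types.
XSS_VULNERABLE_MIMETYPES = {"application/xml", "image/svg+xml", "text/xml"}


def content_type_for(declared_mime: str, serve_xss_vulnerable_mimetypes: bool = False) -> str:
    """Content-Type to send for a dataset whose datatype declares `declared_mime`.
    Mirrors the workaround: XML-family types are served as text/plain so the
    browser displays the bytes instead of parsing them, unless the admin opts
    back in (serve_xss_vulnerable_mimetypes = True)."""
    base = declared_mime.split(";", 1)[0].strip().lower()
    if base in XSS_VULNERABLE_MIMETYPES and not serve_xss_vulnerable_mimetypes:
        return "text/plain"
    return declared_mime


def svg_active_content(svg_text: str) -> list:
    """Reasons an SVG could run script if served inline as image/svg+xml.
    Flags the foreignObject vector from the report plus its obvious companions
    (script elements, on* handlers, javascript: hrefs). An empty list means
    "nothing found", not "safe": this is a gate for whitelisting a datatype,
    not a replacement for serving user output as text/plain."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        if not isinstance(el.tag, str):  # skip comments / processing instructions
            continue
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip {namespace} prefix
        if local in ("foreignobject", "script"):
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # also normalises xlink:href
            if name.startswith("on"):
                findings.append(f"{name} handler on <{local}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{local}>")
    return findings


# Constructed sample inputs: a plain drawing and the shape of the reported file.
PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
FOREIGN_OBJECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
    '<body xmlns="http://www.w3.org/1999/xhtml"><script>/* placeholder */</script>'
    '</body></foreignObject></svg>'
)
```

Because browsers render SVG that a strict XML parser rejects, treat a parse error from svg_active_content the same as a finding and keep such datasets on text/plain.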


Re: [galaxy-dev] using svg foreignObject tags can circumvent html sanitization

2014-02-19 Thread John Chilton
Hello Tobias,

  Thanks for the heads up. I am not sure what the best way to address
this is - but if I still was responsible for a public server I think I
would open my datatype_conf.xml file and replace all instances of
application/xml and image/svg+xml with text/plain in an effort
to get Galaxy not to serve user generated SVG data as plain text.

-John

On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant
tobias.sarge...@gmail.com wrote:
 In experimenting with how we could embed javascript/unsanitized html in tool
 output we came across the following method. Given that the current default
 is to disallow such activities, we thought it might be useful to bring it to
 your attention.

 The attached file provides an example, which, when uploaded to a history and
 viewed produces a popup on the current stable release of galaxy (local
 install and https://usegalaxy.org).

 Cheers,
 Tobias Sargeant.

