html with styles

html with styles

Wolfgang Maier
Dear all,

until recently extra html files linked from html datasets got displayed
with style information applied, but this seems to have changed.
I did not investigate the change in detail, but is this a consequence of
the backported
https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-site-scripting-and-session-fixation?

Is downloading the zipped data and opening it locally now the only way
to view styled html?

Have a nice weekend,
Wolfgang
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/

Re: html with styles

Dannon Baker-2
Hi Wolfgang,

As a security measure, we added sanitization by default of content displayed as HTML.  Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display.  Let me know if this doesn't solve the problem for you!

-Dannon

On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier <[hidden email]> wrote:

Re: html with styles

Wolfgang Maier
Hi Dannon,

works like a charm! Thanks a real lot for this superfast solution,

Wolfgang


On 03.11.2017 17:49, Dannon Baker wrote:


Re: html with styles

Wolfgang Maier
Maybe a dumb follow-up question, but I just don't know much about web
server security:

Why does sanitization have to care about in-document style information?


On 03.11.2017 17:49, Dannon Baker wrote:


Re: html with styles

Dannon Baker-2
No, it's a good question!

The primary concern is malicious javascript which could be used to compromise a user's account or otherwise act on their behalf.  Javascript is of course stripped out by the sanitizer, but it's also possible to embed javascript in CSS files (I think at this point only in older browsers), so to be safe we disable all that unless a tool is explicitly marked trusted.

-Dannon

On Fri, Nov 3, 2017 at 12:58 PM, Wolfgang Maier <[hidden email]> wrote:

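The sanitizing Dannon describes, as an added example that is not Galaxy's own code: an allowlist HTML sanitizer that drops `<script>`, `<style>` and inline `style` attributes (the CSS goes too because, as he notes, some older browsers could run script reached through CSS), plus a trusted-tool switch standing in for the admin display whitelist. The tool id and the sample report are constructed.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "h2", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}   # the tag AND everything inside it goes
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class Sanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags are dropped (their text is kept), any
    attribute not explicitly allowed is dropped, so style="" and on*="" never
    reach the browser, and <script>/<style> bodies are swallowed whole."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                    continue            # drops style="" and every on*=""
                # href: http(s)/mailto or scheme-less relative links only
                if name == "href" and ":" in value and not value.lower().startswith(SAFE_SCHEMES):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):          # text is re-escaped on the way out
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def display(fragment, tool_id, trusted_tools):
    """Trust switch modelled on the admin display whitelist: trusted tools bypass it."""
    return fragment if tool_id in trusted_tools else sanitize(fragment)

# Constructed sample, like the styled HTML reports Wolfgang's datasets link to.
REPORT = ('<style>td{color:red}</style><h2 style="color:red">Summary</h2><script>x()</script>'
          '<a href="javascript:void(0)" onclick="go()">link</a><a href="https://usegalaxy.org/">Galaxy</a>')
```

Untrusted output keeps the headings, links and text but loses the stylesheet, so the report renders unstyled exactly as Wolfgang observed; marking the tool trusted returns `REPORT` unchanged.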
Re: html with styles

Wolfgang Maier
I see! I've read a bit about the topic now and playing it safe like this
makes sense.

Thanks again for the explanation,
Wolfgang


On 03.11.2017 18:48, Dannon Baker wrote:
