From cspencer@sprocket.org Wed Feb 1 15:41:32 2012
From: Cory Spencer
To: galaxy-dev@lists.galaxyproject.org
Subject: Re: [galaxy-dev] Galaxy strips CSS from HTML files
Date: Wed, 01 Feb 2012 12:41:26 -0800
In-Reply-To: <4F299A16.1030100@me.com>

Hi Dannon and thanks for the response!

I can see the need to sanitize incoming HTTP request parameters that may have malicious content. However, I'm unclear as to why this also needs to happen for HTML pages outputted by the Galaxy tools? If they have been generated with sanitized HTTP request parameters, is there still a risk of an XSS attack?

If anything, would it be possible to make this sort of sanitization controllable via a configuration file option?

Thanks!

Cory

On 2012-02-01, at 12:01 PM, Dannon Baker wrote:

> Hi Cory,
>
> The new call to sanitize_html was introduced to more effectively prevent malicious content and possible XSS attacks, though I can't think off the top of my head why we couldn't allow style content. I'll see what I can do about relaxing the filter a little.
>
> Thanks!
>
> -Dannon
>
> On 01/30/2012 10:33 PM, Cory Spencer wrote:
>> Hello all -
>>
>> One of the Galaxy tools I've been developing generates HTML output which I'd styled using a tag in the HTML header. After updating to the latest Galaxy release earlier today, the, ..., and tags started to get stripped from the output, rendering previously CSS styled output rather unstylish.
>>
>> Delving into things, I noticed a change committed in December that sanitizes the output for HTML files via a call to "sanitize_html":
>>
>> https://bitbucket.org/galaxy/galaxy-central/changeset/35fee32991ce#chg-lib/galaxy/web/controllers/dataset.py
>>
>> The added lines 381 -> 383 in the new file appear to be causing this new behaviour.
>>
>> Is there any option for making this optional? What was the rationale behind stripping out these tags on outputted HTML files?
>>
>> Thanks for any help!
>>
>> Cory Spencer
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client. To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>>
>> http://lists.bx.psu.edu/
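Editor's note on the question raised in this thread: the HTML a tool writes is assembled from the contents of the datasets it processes (sample names, sequence identifiers, free-text columns), not only from the HTTP request parameters that were sanitized on the way in, so a report served from the Galaxy domain can still carry script supplied by whoever uploaded the data. The example below is an added illustration, not Galaxy's sanitize_html and not code from either participant. It is an allowlist sanitizer built on the standard-library HTMLParser that keeps <style> blocks, which is the relaxation Dannon mentions, while removing script elements, on* handlers and javascript: links; the tag and attribute allowlists, the DANGEROUS_CSS pattern, the allow_style switch and the sample report are all assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlists for this example; Galaxy's sanitizer has its own policy.
ALLOWED_TAGS = {
    "html", "head", "body", "title", "style", "h1", "h2", "h3", "p", "div",
    "span", "table", "thead", "tbody", "tr", "th", "td", "ul", "ol", "li",
    "a", "b", "i", "em", "strong", "pre", "code", "br", "hr",
}
ALLOWED_ATTRS = {"class", "id", "href", "title", "colspan", "rowspan"}
VOID_TAGS = {"br", "hr"}
# Elements whose whole content is discarded, not just the tag itself.
DROP_WITH_CONTENT = {"script", "iframe", "object", "embed", "noscript"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}
# CSS constructs that can execute code (old IE expression()/behavior:) or fetch
# remote resources (@import, url()).  A <style> block using them is emptied.
DANGEROUS_CSS = re.compile(r"expression\s*\(|behavior\s*:|@import|javascript:|url\s*\(", re.I)


def safe_href(value):
    """True if the URL is relative or uses a scheme in SAFE_SCHEMES.
    Control characters and whitespace are stripped first so that
    'java\\tscript:' is not mistaken for a relative path."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value or "")
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowlisted tags and attributes only.
    Unknown tags are removed (their text is kept), text is re-escaped."""

    def __init__(self, allow_style=True):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.open_tags = []         # tags actually emitted, for balanced closing
        self.skip_stack = []        # non-empty while inside a dropped element
        self.in_style = False
        self.drop = set(DROP_WITH_CONTENT)
        if not allow_style:
            self.drop.add("style")  # the strict setting: style goes too

    def handle_starttag(self, tag, attrs):
        if self.skip_stack:
            if tag in self.drop:
                self.skip_stack.append(tag)
            return
        if tag in self.drop:
            self.skip_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                continue            # drops every on* handler and inline style=
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag == "style":
            self.in_style = True
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_stack:
            if tag == self.skip_stack[-1]:
                self.skip_stack.pop()
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:       # close any tags left open in between
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.skip_stack:
            return
        if self.in_style:
            # CSS is passed through verbatim unless it uses a dangerous construct.
            if not DANGEROUS_CSS.search(data):
                self.out.append(data)
            return
        self.out.append(escape(data, quote=False))


def sanitize(html, allow_style=True):
    parser = AllowlistSanitizer(allow_style=allow_style)
    parser.feed(html)
    parser.close()
    while parser.open_tags:         # close whatever the input left open
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)


# Constructed stand-in for a tool's HTML report.  The sample name comes from an
# uploaded dataset, so it is attacker-controlled even though every HTTP request
# parameter was sanitized on the way in.
SAMPLE_NAME = 'sample1<img src=x onerror="alert(document.cookie)">'
TOOL_OUTPUT = (
    "<html><head><title>Report</title>"
    "<style>table { border-collapse: collapse } .hit { color: red }</style>"
    "</head><body>"
    "<h1>Results for " + SAMPLE_NAME + "</h1>"
    '<script>alert("xss")</script>'
    '<table><tr><td class="hit" onclick="steal()">42</td></tr></table>'
    '<a href="javascript:alert(1)">details</a> '
    '<a href="summary.txt">summary</a>'
    "</body></html>"
)

if __name__ == "__main__":
    print(sanitize(TOOL_OUTPUT))
    print(sanitize(TOOL_OUTPUT, allow_style=False))
```

Running it on the constructed report keeps the stylesheet and the table markup but removes the injected <img onerror>, the <script> block, the onclick handler and the javascript: link. The allow_style switch is the configuration knob Cory asks for; leaving style in is a deliberate trade-off, since even with the pattern check above a stylesheet can still be used to restyle the surrounding Galaxy page, and url() in CSS is blocked here precisely because it lets the report make requests to a third party.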