This breaks some of the tools we&#39;re developing, although in our case it&#39;s harder to fix because it&#39;s Javascript we&#39;re inserting. <div><br></div><div>I understand the security concerns though. Any advice on a more secure way to allow particular content? Perhaps a whitelist of allowed scripts?    <br>


<br><div class="gmail_quote">On Wed, Feb 1, 2012 at 23:58, Cory Spencer <span dir="ltr">&lt;<a href="mailto:cspencer@sprocket.org" target="_blank">cspencer@sprocket.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div><br>
On 2012-02-01, at 1:33 PM, Dannon Baker wrote:<br>
<br>
&gt; With Galaxy&#39;s toolbox at hand you could generate invalid HTML from plain text components.  A simple example, but consider the following:<br>
&gt;<br>
&gt; Upload one plain text file with the content:<br>
&gt; &lt;script<br>
&gt;<br>
</div>&gt; ....<br>
<div>&gt;<br>
&gt; Change the type of this dataset to html and there&#39;s your attack.  If you tried to upload this, we&#39;d interpret it as malicious HTML and discard it.  As separate datasets, it&#39;s impossible to tell.  Given Galaxy&#39;s powerful text manipulation tools you could write just about whatever you wanted using Galaxy itself and get it in the system as a (seemingly) valid tool-generated dataset.  Now, with the outbound sanitation on any dataset served as &quot;text/html&quot; it doesn&#39;t matter and it gets handled prior to serving.<br>



<br>
</div>Okay, I follow you there.  That&#39;s a good example, thank you!<br>
<div><br>
&gt; Another option we discussed would be to trust all tool generated HTML, disallow changing the datatype of anything *to* html, and so on, but that approach comes with its own problems.<br>
<br>
</div>In the case of the tool we&#39;re working on, this option is probably what would have worked best.<br>
<div><br>
&gt;&gt; If anything, would it be possible to make this sort of sanitization controllable via a configuration file option?<br>
&gt;<br>
&gt; I&#39;m rather hesitant to put in a disable option for a security feature, though you&#39;re more than welcome to pop those two lines out of your instance.  I think the best path forward is probably relaxing the filter a bit, the initial pass was somewhat draconian.  Would relaxing the filter to allow style content to pass through work for your needs?<br>



<br>
</div>Yes, we&#39;ve already commented it out for the time being. :)  Relaxing the filter would be a good improvement so far as we&#39;re concerned.  I&#39;d be happy to keep in contact with you during the process so that we can find the happy middle ground between security and usability.<br>



<br>
Thanks again!<br>
<span><font color="#888888"><br>
Cory<br>
</font></span><div><div>___________________________________________________________<br>
Please keep all replies on the list by using &quot;reply all&quot;<br>
in your mail client.  To manage your subscriptions to this<br>
and other Galaxy lists, please use the interface at:<br>
<br>
  <a href="http://lists.bx.psu.edu/" target="_blank">http://lists.bx.psu.edu/</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Computational Biology Group<br>University of Cape Town<br>South Africa<br>
</div>