On Thursday, November 15, 2012, Lukasse, Pieter wrote:
Hi Joachim,
By the way: do you know what the reason is for this setting? Is there a known security problem that triggered this feature? If you add only trusted tools to your Galaxy environment, then this is not needed, right?
This change was mentioned briefly in " March 12, 2012 Galaxy Development News Brief" but no background information was given....
Thanks and regards,
Even if all the tools are safe, there is still a loophole - the user can upload their own files. Suppose I uploaded an HTML file with a JavaScript exploit in it? In this case unless Galaxy sanitises the HTML it could be unsafe to display the user's file. Perhaps the file could be sanitised on upload (maybe Galaxy already does this - defence in depth?) but I could probably still upload it as a plain text file and then switch the datatype in Galaxy to HTML. Peter