On Thursday, November 15, 2012, Lukasse, Pieter wrote:
Hi Joachim,
By the way: do you know what the reason is for this setting? Is there a known security problem that triggered this feature? If you add only trusted tools to your Galaxy environment, then this is not needed, right?
This change was mentioned briefly in " March 12, 2012 Galaxy Development News Brief" but no background information was given....
Thanks and regards,
Even if all the tools are safe, there is still a loophole - the user can
upload their own files. Suppose I uploaded an HTML file with a
JavaScript exploit in it? In this case unless Galaxy sanitises the
HTML it could be unsafe to display the user's file.
Perhaps the file could be sanitised on upload (maybe Galaxy
already does this - defence in depth?) but I could probably
still upload it as a plain text file and then switch the datatype
in Galaxy to HTML.
Peter