Thanks again for the issue report. The current stable branch of galaxy-central will now render all XML content as plain text so that web browsers do not attempt to evaluate JavaScript contained in SVG files. This is hopefully a short-term workaround until a SVG sanitation can be incorporated into Galaxy and/or tools can be whitelisted as producing results that do not need to be sanitized. The relevant Trello tickets are below:
https://trello.com/c/xRF2e9oo https://trello.com/c/8iMhKlPX
Realistically, I don't know who or when these Trello tickets will be addressed though :(.
Finally, this does essentially break some datatypes in Galaxy, so the behavior can be disabled (set serve_xss_vulnerable_mimetypes to True in universe_wsgi.ini).
-John
On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant tobias.sargeant@gmail.com wrote:
In experimenting with how we could embed javascript/unsanitized html in tool output we came across the following method. Given that the current default is to disallow such activities, we thought it might be useful to bring it to your attention.
The attached file provides an example, which, when uploaded to a history and viewed produces a popup on the current stable release of galaxy (local install and https://usegalaxy.org).
Cheers, Tobias Sargeant.
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/