Display of HTML type broken in new Galaxy ?
Hi,
I noticed that in the new Galaxy version the preview of HTML files seems to be broken. When I try to preview a HTML file generated by a tool, it displays a HTML that has all style "stripped off". So the HTML display is in fact changing the generated HTML before displaying it.
Has anyone noticed this as well? What are the fixes/workarounds?
Regards,
Pieter Lukasse
Wageningen UR, Plant Research International
Departments of Bioscience and Bioinformatics
Wageningen Campus, Building 107, Droevendaalsesteeg 1, 6708 PB, Wageningen, the Netherlands
+31-317480891; skype: pieter.lukasse.wur
http://www.pri.wur.nl
Hi,
Make sure that in your universe.wsgi is set: sanitize_all_html = False
Hope this helps, Joachim
Joachim Jacob, PhD
Rijvisschestraat 120, 9052 Zwijnaarde Tel: +32 9 244.66.34 Bioinformatics Training and Services (BITS) http://www.bits.vib.be @bitsatvib
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Thanks Joachim, that solved the problem!
Hi Joachim,
By the way: do you know what the reason is for this setting? Is there a known security problem that triggered this feature? If you add only trusted tools to your Galaxy environment, then this is not needed, right?
This change was mentioned briefly in "March 12, 2012 Galaxy Development News Brief" but no background information was given....
Thanks and regards,
Pieter.
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
I have no clue at all, sorry.
Cheers, Joachim
Joachim Jacob, PhD
Rijvisschestraat 120, 9052 Zwijnaarde Tel: +32 9 244.66.34 Bioinformatics Training and Services (BITS) http://www.bits.vib.be @bitsatvib
Can anyone give some more information about this?
Thanks,
Pieter.
It's part of Galaxy security against XSS attack by sanitizing html. If you trust your users you don't need it. If you run a public server, it's your call.
-- Ross Lazarus MBBS MPH; Head, Medical Bioinformatics, BakerIDI; Tel: +61 385321444 http://scholar.google.com/citations?hl=en&user=UCUuEM4AAAAJ
On Thursday, November 15, 2012, Lukasse, Pieter wrote:
> Hi Joachim,
> By the way: do you know what the reason is for this setting? Is there a known security problem that triggered this feature? If you add only trusted tools to your Galaxy environment, then this is not needed, right?
> This change was mentioned briefly in "March 12, 2012 Galaxy Development News Brief" but no background information was given....
> Thanks and regards,
Even if all the tools are safe, there is still a loophole - the user can upload their own files. Suppose I uploaded an HTML file with a JavaScript exploit in it? In this case unless Galaxy sanitises the HTML it could be unsafe to display the user's file.
Perhaps the file could be sanitised on upload (maybe Galaxy already does this - defence in depth?) but I could probably still upload it as a plain text file and then switch the datatype in Galaxy to HTML.
Peter
Good suggestion. Then the sanitisation should be switched off by defining a parameter in the tool <outputs> section if your data is html.
Joachim
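The behaviour discussed in this thread, as an added example that is not part of any message and is not Galaxy's own code: a display-time allowlist sanitizer built on Python's `html.parser`. It shows why a tool's styling disappears from the preview, and why checking at display time still covers a file uploaded as plain text and later switched to the HTML datatype. The allowlist, `sanitize_html`, `render_dataset` and the sample report are assumptions made for illustration; only the `sanitize_all_html` name comes from the thread.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for illustration; not Galaxy's actual list.
ALLOWED_TAGS = {"a", "b", "h1", "h2", "i", "li", "p", "table", "td", "th", "tr", "ul"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
DROP_WITH_CONTENT = {"script", "style"}  # the element and its body are both discarded

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                ok_url = name != "href" or value.lower().startswith(("http://", "https://", "#"))
                if name in ALLOWED_ATTRS.get(tag, ()) and ok_url:  # drops style=, onclick=
                    kept += ' %s="%s"' % (name, escape(value))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

def sanitize_html(text):
    parser = _Sanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

def render_dataset(content, datatype, sanitize_all_html=True):
    if datatype != "html":  # checked at display time against the current datatype
        return escape(content)  # anything else is shown as inert text
    return sanitize_html(content) if sanitize_all_html else content

# Constructed sample: a tool report with styling plus active content.
REPORT = ('<style>h1{color:red}</style><h1 onclick="alert(1)">QC</h1><script>alert(1)</script>'
          '<p><a href="javascript:alert(1)">x</a> <a href="https://example.org/r">ok</a></p>')
```

With the flag off, `render_dataset` returns the report byte for byte, which is the trade-off the thread describes for servers that accept uploads from untrusted users.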
participants (4)
- Joachim Jacob
- Lukasse, Pieter
- Peter Cock
- Ross