Dear all, until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-... Is downloading the zipped data and opening it locally now the only way to view styled html? Have a nice weekend, Wolfgang
Hi Wolfgang, As a security measure, we added sanitization by default of content displayed as HTML. Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display. Let me know if this doesn't solve the problem for you! -Dannon On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier < wolfgang.maier@biologie.uni-freiburg.de> wrote:
Dear all,
until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org /en/master/releases/17.09_announce.html#cross-site-scripting -and-session-fixation?
Is downloading the zipped data and opening it locally now the only way to view styled html?
Have a nice weekend, Wolfgang ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/
Hi Dannon, works like a charm! Thanks a real lot for this superfast solution, Wolfgang On 03.11.2017 17:49, Dannon Baker wrote:
Hi Wolfgang,
As a security measure, we added sanitization by default of content displayed as HTML. Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display. Let me know if this doesn't solve the problem for you!
-Dannon
On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier <wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologie.uni-freiburg.de>> wrote:
Dear all,
until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-... <https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-site-scripting-and-session-fixation>?
Is downloading the zipped data and opening it locally now the only way to view styled html?
Have a nice weekend, Wolfgang ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/ <https://lists.galaxyproject.org/>
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/ <http://galaxyproject.org/search/>
Maybe a dumb follow-up question, but I just don't know much about web server security: Why does sanitization have to care about in-document style information? On 03.11.2017 17:49, Dannon Baker wrote:
Hi Wolfgang,
As a security measure, we added sanitization by default of content displayed as HTML. Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display. Let me know if this doesn't solve the problem for you!
-Dannon
On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier <wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologie.uni-freiburg.de>> wrote:
Dear all,
until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-... <https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-site-scripting-and-session-fixation>?
Is downloading the zipped data and opening it locally now the only way to view styled html?
Have a nice weekend, Wolfgang ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/ <https://lists.galaxyproject.org/>
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/ <http://galaxyproject.org/search/>
No, it's a good question! The primarily concern is malicious javascript which could be used to compromise a user's account or otherwise act on their behalf. Javascript is of course stripped out by the sanitizer, but it's also possible to embed javascript in CSS files (I think at this point only in older browsers), so to be safe we disable all that unless a tool is explicitly marked trusted. -Dannon On Fri, Nov 3, 2017 at 12:58 PM, Wolfgang Maier < wolfgang.maier@biologie.uni-freiburg.de> wrote:
Maybe a dumb follow-up question, but I just don't know much about web server security:
Why does sanitization have to care about in-document style information?
On 03.11.2017 17:49, Dannon Baker wrote:
Hi Wolfgang,
As a security measure, we added sanitization by default of content displayed as HTML. Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display. Let me know if this doesn't solve the problem for you!
-Dannon
On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier < wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologi e.uni-freiburg.de>> wrote:
Dear all,
until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org/en/master/releases/17.09_anno unce.html#cross-site-scripting-and-session-fixation <https://docs.galaxyproject.org/en/master/releases/17.09_ann ounce.html#cross-site-scripting-and-session-fixation>?
Is downloading the zipped data and opening it locally now the only way to view styled html?
Have a nice weekend, Wolfgang ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/ <https://lists.galaxyproject.org/>
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/ <http://galaxyproject.org/search/>
I see! I've read a bit about the topic now and playing it safe like this makes sense. Thanks again for the explanation, Wolfgang On 03.11.2017 18:48, Dannon Baker wrote:
No, it's a good question!
The primarily concern is malicious javascript which could be used to compromise a user's account or otherwise act on their behalf. Javascript is of course stripped out by the sanitizer, but it's also possible to embed javascript in CSS files (I think at this point only in older browsers), so to be safe we disable all that unless a tool is explicitly marked trusted.
-Dannon
On Fri, Nov 3, 2017 at 12:58 PM, Wolfgang Maier <wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologie.uni-freiburg.de>> wrote:
Maybe a dumb follow-up question, but I just don't know much about web server security:
Why does sanitization have to care about in-document style information?
On 03.11.2017 17:49, Dannon Baker wrote:
Hi Wolfgang,
As a security measure, we added sanitization by default of content displayed as HTML. Local galaxy administrators can use the display whitelist (left side of the admin window) to configure 'safe' applications, which will then no longer be sanitized on display. Let me know if this doesn't solve the problem for you!
-Dannon
On Fri, Nov 3, 2017 at 12:37 PM, Wolfgang Maier <wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologie.uni-freiburg.de> <mailto:wolfgang.maier@biologie.uni-freiburg.de <mailto:wolfgang.maier@biologie.uni-freiburg.de>>> wrote:
Dear all,
until recently extra html files linked from html datasets got displayed with style information applied, but this seems to have changed. I did not investigate the change in detail, but is this a consequence of the backported https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-... <https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-site-scripting-and-session-fixation>
<https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-... <https://docs.galaxyproject.org/en/master/releases/17.09_announce.html#cross-site-scripting-and-session-fixation>>?
Is downloading the zipped data and opening it locally now the only way to view styled html?
Have a nice weekend, Wolfgang ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/ <https://lists.galaxyproject.org/> <https://lists.galaxyproject.org/ <https://lists.galaxyproject.org/>>
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/ <http://galaxyproject.org/search/> <http://galaxyproject.org/search/ <http://galaxyproject.org/search/>>
participants (2)
-
Dannon Baker
-
Wolfgang Maier