Hi

This is a long shot, but maybe someone can help us....

We are in the process of upgrading our production galaxy server (from "release_2013.11.04" to "release_2014.04.14"). Despite some "hiccups" it went very smooth (I might come back with those in a different mail thread next week). However, we are running into a display problem:

A former co-worker has written a tool which generates a big xml file. When clicking on the 'eye' icon, we don't want to display the complete file, but only part of it. For this he has written an xsl file ("qProject.xsl"). This file is placed in ~/galaxy-dist/static/

Correspondingly, the beginning of the xml file looks like:

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>
<qProject version="0.1">
etc.

And (at least for me by magic), when you now click on the 'eye' icon a nicely formatted output was displayed, instead of the full xml file. This has been the case with the "release_2013.11.04" distribution.

Now with the "release_2014.04.14" distribution (and also already with "release_2014.02.10"), this magic trick does not work anymore, and the complete, un-formatted xml file is displayed.

I am aware there have been major changes introduced for the displays with the "release_2014.02.10" distribution. So, can anybody give me some hints on how to get this working again? I am happy to provide more details, if required.

Thank you very much
Hans-Rudolf

--
Hans-Rudolf Hotz, PhD
Bioinformatics Support
Friedrich Miescher Institute for Biomedical Research
Maulbeerstrasse 66
4058 Basel/Switzerland
I broke your Galaxy and did so intentionally - I feel bad about that. The way Galaxy was serving out XML content allowed XSS attacks between users - http://dev.list.galaxyproject.org/using-svg-foreignObject-tags-can-circumven....

If you aren't running a public instance, one could just set serve_xss_vulnerable_mimetypes to True in your universe_wsgi.ini file to disable the changed behavior. There are some relevant Trello cards referenced in that e-mail for longer term fixes more appropriate for public servers or servers where you don't or cannot trust your users.

-John

On Thu, May 8, 2014 at 7:39 AM, Hans-Rudolf Hotz <hrh@fmi.ch> wrote:
___________________________________________________________
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
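The trade-off John describes, as an added illustration that is not Galaxy's own code: a display endpoint that downgrades browser-renderable types (HTML, XML carrying a stylesheet reference, SVG) to text/plain unless the operator opts in, which is what a setting like serve_xss_vulnerable_mimetypes expresses. The XML prolog is the one from Hans-Rudolf's message and the setting name comes from the thread; the mimetype list, the function names, the "/datasets/abc123/display" path and the header choices are assumptions made for the example.

```python
"""Added example, not Galaxy's code: a content-type policy of the kind John
describes.  Only the serve_xss_vulnerable_mimetypes name and the qProject
prolog come from the thread; every other name here is an assumption."""
import posixpath
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed list: types a browser renders as a document, so markup, a
# stylesheet reference or embedded script inside a user's upload would run
# in the server's origin.  Plain data formats are deliberately not in it.
XSS_VULNERABLE_MIMETYPES = frozenset({
    "text/html",
    "application/xhtml+xml",
    "text/xml",
    "application/xml",
    "image/svg+xml",
})

# Prolog quoted in Hans-Rudolf's message; the trailing "etc." is replaced by
# one closed element so the sample is well-formed (constructed input).
QPROJECT_HEAD = (
    b'<?xml version="1.0"?>\n'
    b'<?xml-stylesheet type="text/xsl" href="../../../static/qProject.xsl"?>\n'
    b'<qProject version="0.1"></qProject>\n'
)

_STYLESHEET_PI = re.compile(
    rb'<\?xml-stylesheet\b[^?]*?\bhref\s*=\s*(["\'])(.*?)\1', re.S)


def stylesheet_href(head: bytes) -> Optional[str]:
    """Return the href of an xml-stylesheet processing instruction, if the
    file declares one.  This is what makes inline XML display risky: the
    browser fetches that stylesheet and shows its output as the page."""
    m = _STYLESHEET_PI.search(head)
    return m.group(2).decode("utf-8", "replace") if m else None


def resolve_href(display_url_path: str, href: str) -> Optional[str]:
    """Resolve a relative stylesheet href against the (assumed) URL path the
    dataset is displayed from; None for an absolute, cross-origin href.
    Shows why '../../../static/qProject.xsl' worked: it lands in /static/."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        return None
    base = posixpath.dirname(display_url_path)
    return posixpath.normpath(posixpath.join(base, parts.path))


def display_headers(mimetype: str,
                    serve_xss_vulnerable_mimetypes: bool = False) -> Dict[str, str]:
    """Headers for the 'eye' (display) response.  With the flag off, a
    browser-renderable type is sent as text/plain, so the user sees the raw
    file (what Hans-Rudolf observed) and no stylesheet or script runs.  With
    the flag on, the declared type is sent and rendering is restored."""
    # nosniff keeps the browser from re-sniffing the plain text back to HTML.
    headers = {"X-Content-Type-Options": "nosniff"}
    if mimetype in XSS_VULNERABLE_MIMETYPES and not serve_xss_vulnerable_mimetypes:
        headers["Content-Type"] = "text/plain; charset=utf-8"
    else:
        headers["Content-Type"] = mimetype
    return headers


if __name__ == "__main__":
    href = stylesheet_href(QPROJECT_HEAD)
    print("stylesheet :", href)
    print("resolves to:", resolve_href("/datasets/abc123/display", href))
    print("locked down:", display_headers("text/xml"))
    print("opted in   :", display_headers("text/xml", serve_xss_vulnerable_mimetypes=True))
```

The policy is a blunt allow/deny on the declared type, which is why the opt-in flag is only reasonable on an instance whose users are all trusted: any user who can upload a dataset can also choose what the stylesheet it points to does.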
Hi John

Thank you very much for the explanation. I will discuss it with our sys-admin

Hans-Rudolf

On 05/08/2014 03:29 PM, John Chilton wrote: