using svg foreignObject tags can circumvent html sanitization
In experimenting with how we could embed javascript/unsanitized html in tool output we came across the following method. Given that the current default is to disallow such activities, we thought it might be useful to bring it to your attention.
The attached file provides an example, which, when uploaded to a history and viewed, produces a popup on the current stable release of galaxy (local install and https://usegalaxy.org).
Cheers, Tobias Sargeant.
Hello Tobias, Thanks for the heads up. I am not sure what the best way to address this is - but if I still was responsible for a public server I think I would open my datatype_conf.xml file and replace all instances of "application/xml" and "image/svg+xml" with "text/plain" in an effort to get Galaxy not to serve user-generated SVG data as plain text. -John
On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant <tobias.sargeant@gmail.com> wrote:
> In experimenting with how we could embed javascript/unsanitized html in tool output we came across the following method. Given that the current default is to disallow such activities, we thought it might be useful to bring it to your attention.
> The attached file provides an example, which, when uploaded to a history and viewed, produces a popup on the current stable release of galaxy (local install and https://usegalaxy.org).
> Cheers, Tobias Sargeant.
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
Thanks again for the issue report. The current stable branch of galaxy-central will now render all XML content as plain text so that web browsers do not attempt to evaluate JavaScript contained in SVG files. This is hopefully a short-term workaround until an SVG sanitization can be incorporated into Galaxy and/or tools can be whitelisted as producing results that do not need to be sanitized. The relevant Trello tickets are below:
https://trello.com/c/xRF2e9oo
https://trello.com/c/8iMhKlPX
Realistically, I don't know who or when these Trello tickets will be addressed though :(.
Finally, this does essentially break some datatypes in Galaxy, so the behavior can be disabled (set serve_xss_vulnerable_mimetypes to True in universe_wsgi.ini). -John
On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant <tobias.sargeant@gmail.com> wrote:
> In experimenting with how we could embed javascript/unsanitized html in tool output we came across the following method. Given that the current default is to disallow such activities, we thought it might be useful to bring it to your attention.
> The attached file provides an example, which, when uploaded to a history and viewed, produces a popup on the current stable release of galaxy (local install and https://usegalaxy.org).
> Cheers, Tobias Sargeant.
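The two pieces of the workaround discussed in this thread, as an added illustration that is not Galaxy's own code: a content-type policy that downgrades XML/SVG to text/plain unless the operator opts back in (named after the serve_xss_vulnerable_mimetypes setting above, but a stand-alone function, not Galaxy's implementation), and a scanner that flags the SVG constructs a browser would treat as active content, including the foreignObject element the report is about. The sample documents are constructed; the "+xml" suffix rule generalizes beyond the two MIME types John lists.

```python
import xml.etree.ElementTree as ET

# MIME types named in the thread that a browser renders rather than displays as text.
XSS_VULNERABLE_MIMETYPES = {"application/xml", "image/svg+xml"}


def response_content_type(declared, serve_xss_vulnerable_mimetypes=False):
    """Mirror the list workaround: serve XML/SVG as text/plain unless the operator opts out."""
    if serve_xss_vulnerable_mimetypes:
        return declared
    base = declared.split(";")[0].strip().lower()
    # Also catch other XML-based types (e.g. application/xhtml+xml), an assumption beyond the thread.
    if base in XSS_VULNERABLE_MIMETYPES or base.endswith("+xml"):
        return "text/plain"
    return declared


def svg_active_content(data):
    """List the constructs in an SVG document that let it embed HTML or run script."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace prefix ElementTree adds
        if tag in ("foreignObject", "script"):
            findings.append(tag)
        for name, value in el.attrib.items():
            local = name.split("}")[-1]
            if local.lower().startswith("on"):  # event-handler attributes
                findings.append(f"{tag}@{local}")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"{tag}@href=javascript:")
    return findings


# Constructed sample: SVG that smuggles XHTML (and a script element) through foreignObject.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <circle cx="10" cy="10" r="5"/>
  <foreignObject width="100" height="100">
    <xhtml:div onclick="/* constructed placeholder */">hello</xhtml:div>
    <xhtml:script>/* constructed placeholder */</xhtml:script>
  </foreignObject>
</svg>"""

# Constructed sample: plain vector graphics with nothing a browser would execute.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'

if __name__ == "__main__":
    print(svg_active_content(SAMPLE_SVG))  # ['foreignObject', 'div@onclick', 'script']
    print(svg_active_content(CLEAN_SVG))   # []
    print(response_content_type("image/svg+xml"))  # text/plain
```

A scanner like this is a triage aid, not a sanitizer: the safe default for untrusted uploads remains serving them as text/plain.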