Hello Tobias,

  Thanks for the heads-up. I am not sure what the best way to address
this is - but if I still was responsible for a public server I think I
would open my datatype_conf.xml file and replace all instances of
"application/xml" and "image/svg+xml" with "text/plain" in an effort
to get Galaxy not to serve user-generated SVG data as plain text.

-John
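The config rewrite John describes, as an added example that is not code from this thread or from the Galaxy project: it audits a datatype config for the two MIME types he names and rewrites them to `text/plain`, so the browser shows uploaded SVG/XML bytes instead of interpreting them. The `<datatype>` element and its `extension`/`mimetype` attributes are assumptions about the config layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of Galaxy's datatype config;
# element and attribute names are assumptions, not copied from the project.
SAMPLE_CONF = """<datatypes>
  <registration>
    <datatype extension="svg" type="galaxy.datatypes.images:Image"
              mimetype="image/svg+xml" display_in_upload="true"/>
    <datatype extension="xml" type="galaxy.datatypes.xml:GenericXml"
              mimetype="application/xml" display_in_upload="true"/>
    <datatype extension="txt" type="galaxy.datatypes.data:Text"
              display_in_upload="true"/>
  </registration>
</datatypes>
"""

# MIME types John's note singles out: served inline, a browser will parse
# and render them (and run any script they carry) rather than display them.
ACTIVE_MIMETYPES = {"image/svg+xml", "application/xml"}
SAFE_MIMETYPE = "text/plain"


def audit_active_mimetypes(conf_xml):
    """Return (extension, mimetype) pairs still registered with an active type."""
    root = ET.fromstring(conf_xml)
    return [(d.get("extension"), d.get("mimetype"))
            for d in root.iter("datatype")
            if d.get("mimetype") in ACTIVE_MIMETYPES]


def neutralize_active_mimetypes(conf_xml):
    """Rewrite every active mimetype to text/plain.

    Returns (rewritten_xml, list_of_changed_extensions). Datatypes with no
    mimetype attribute or a non-active one are left untouched.
    """
    root = ET.fromstring(conf_xml)
    changed = []
    for dt in root.iter("datatype"):
        if dt.get("mimetype") in ACTIVE_MIMETYPES:
            dt.set("mimetype", SAFE_MIMETYPE)
            changed.append(dt.get("extension"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("before:", audit_active_mimetypes(SAMPLE_CONF))
    rewritten, changed = neutralize_active_mimetypes(SAMPLE_CONF)
    print("rewrote:", changed, "remaining:", audit_active_mimetypes(rewritten))
```

Run the audit again after editing the real file, since a datatype added later with one of these mimetypes silently reopens the gap.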

On Tue, Feb 18, 2014 at 7:01 PM, Tobias Sargeant
<tobias.sarge...@gmail.com> wrote:
> In experimenting with how we could embed javascript/unsanitized html in tool
> output we came across the following method. Given that the current default
> is to disallow such activities, we thought it might be useful to bring it to
> your attention.
>
> The attached file provides an example, which, when uploaded to a history and
> viewed produces a popup on the current stable release of Galaxy (local
> install and https://usegalaxy.org).
>
> Cheers,
> Tobias Sargeant.
>
>
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/