I do see the same problem up to and including notebook 6.4.4.

Jonathan

On Tuesday, January 11, 2022 at 12:51:11 PM UTC-6 [email protected] wrote:

> Hi Jonathan,
>
> Thank you for opening your question here!
>
> First, what version of notebook are you running? I think this has been addressed in v6.4.4 (see this changelog <https://github.com/jupyter/notebook/releases/tag/v6.4.4>). Let me know if that's not true.
>
>> Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798, the jupyter notebook maintainers have chosen to implement markdown sanitization
>
> To be clear, we didn't "choose" to implement markdown sanitization in response to this CVE. Jupyter Notebook was *already* doing markdown sanitization, but it was using a deprecated library with a critical security vulnerability. As a result, we were forced to replace that dependency; in doing so, we didn't properly configure the new sanitizer to allow some basic styling. As I mentioned, I hope this was fixed in v6.4.4, but let us know if not and we can start the conversation in a thread.
>
> TL;DR
>
> As an aside, security vulnerabilities are tricky. In this particular case, we were required to act fast, while coordinating effort with multiple people from different organizations (the challenges of open-source). You can read more about it in this blog post <https://blog.jupyter.org/cve-2021-32797-and-cve-2021-32798-remote-code-execution-in-jupyterlab-and-jupyter-notebook-a70fae0d3239>. We did our best with the constraints we had—and we learned some things for next time.
>
> It's also important to keep in mind that there is a relatively small number of people working on core Jupyter components, while the project generates a large volume of work for everyone. As you know from the future of the notebook discussions, Notebook maintainers are spread pretty thin these days. This issue specifically was one of the main factors that prompted the wider discussion about Notebook's future.
>
> Thank you again, Jonathan. I hope you're able to get your notebooks working again with a later release of Notebook.
>
> Best,
>
> Zach Sailer, Ph.D.
> Apple | Sr. Software Engineer
> Project Jupyter | Core Developer
>
> On Tue, Jan 11, 2022 at 9:07 AM Jonathan Gutow <[email protected]> wrote:
>
>> Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798, the jupyter notebook maintainers have chosen to implement markdown sanitization in all notebooks >=6.4.1 that completely strips all html styling. This breaks most of my educational notebooks, which use styling beyond what markdown is capable of.
>>
>> I would suggest this should be discussed and think that one of the following approaches might be better:
>>
>> 1. Create a blacklist of the html elements (e.g. <form>, <button>, <script>) that will be stripped. Leave everything else. Make it very clear that they will be stripped. They should probably be deleted from the markdown code.
>> 2. Create a whitelist of things allowed (e.g. allow style, but not onclick, onload, etc.). This is probably harder, unless there is truly only a limited set that is safe. This may require limiting to style features, like margins, colors, backgrounds, and element sizing/placement.
>> 3. Behave more like code cells. Accept anything, but do not process them unless the user explicitly trusts the notebook.
>>
>> Can somebody explain why it is necessary to completely remove the capability to use html styling in markdown cells? It seems to me there ought to be an alternative.
>>
>> Regards,
>> Jonathan
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/aa4a69f7-c4ce-46d9-ac43-246e137128d0n%40googlegroups.com.
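Since the thread contrasts a blocklist of elements with an allowlist of attributes and style properties, here is an added example (not Jupyter's own sanitizer or its configuration) of the allowlist approach in plain Python: styling survives, while event handlers, script/form/button elements, url() values in CSS and javascript:/data: links are dropped. The tag, attribute and CSS property sets are assumed for illustration only.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative allowlists, assumed for this example (not Notebook's real configuration).
ALLOWED_TAGS = {"div", "span", "p", "b", "i", "em", "strong", "h2", "h3", "ul", "li", "br", "img", "a"}
DROP_WITH_CONTENT = {"script", "style", "form", "button", "iframe", "object"}  # element and body go
ALLOWED_ATTRS = {"class", "style", "src", "href", "alt", "title"}             # no on* event handlers
ALLOWED_CSS = {"color", "background", "background-color", "margin", "padding", "border", "width", "height"}
SAFE_SCHEMES = ("", "http", "https", "mailto")                                # javascript:/data: rejected
def clean_style(value):
    # Keep only allowlisted CSS properties; any url()/expression() value is dropped outright.
    kept = []
    for decl in value.split(";"):
        prop, _, val = map(str.strip, decl.partition(":"))
        if prop.lower() in ALLOWED_CSS and val and "url(" not in val.lower() and "expression" not in val.lower():
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0                    # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if self.skip or tag in DROP_WITH_CONTENT:
            self.skip += tag in DROP_WITH_CONTENT      # track nesting of dropped elements
        elif tag in ALLOWED_TAGS:                      # unknown tags vanish, their text stays
            kept = []
            for name, value in attrs:
                value = clean_style(value or "") if name == "style" else (value or "")
                if name not in ALLOWED_ATTRS or (name == "style" and not value) \
                        or (name in ("href", "src") and urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES):
                    continue                           # drops onclick=..., href="javascript:..." and so on
                kept.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):   # void tags get no closing tag
            self.out.append(f"</{tag}>")
    def handle_data(self, data):                       # text, including <script> bodies, lands here
        if not self.skip:
            self.out.append(escape(data, quote=False))
def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html); p.close()
    return "".join(p.out)
SAMPLE = ('<div style="color: red; margin: 1em; background: url(http://x/a.png)" onclick="alert(1)">'
          'Note<script>alert(1)</script><form><button>Go</button></form></div>')  # constructed cell HTML
```

Running `sanitize(SAMPLE)` keeps the div with `color` and `margin` and nothing else; a real deployment would still want a maintained sanitizer library rather than this sketch, since HTML parsing edge cases are where such filters fail.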
