An example of XSS in the notebook is that someone could make an
account name that has HTML and JavaScript (I know this works with my
copy of the notebook) and then just publish worksheets. For example, on
a local notebook I made an account called <h1>mark</h1> and then
forced a failed login page for invalid username and I saw "mark" in
big letters. There is a lot of crap I could do right now on the
published page this way. I made the username: "<div
style="position:fixed; top:0; right:0; bottom:0; left:0;
background:#FFF;">HI</div>" and I get a KeyError in the log when I
tried logging in as that, but the invalid username failed login page is
white with the word "Hi". When I renamed one of my worksheets as that
I get a blank page with the word "Hi". When I publish that page it
just messes up the title listing for it but doesn't make the page
blank. I've played a little with that and haven't been able to blank
the published page.

On 6/26/07, Hamptonio <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I am getting some funny errors now on the new notebook.  In fact, the
> first thing I tried failed, defining the following ring:
>
> R7grev.<w,r12,r13,r23,m1,m2,m3> = MPolynomialRing(QQ,7,order =
> "degrevlex")
>
> gives the errors:
>
> ./t: line 2: syntax error near unexpected token `('
> ./t: line 2: `R7grev.<w,r12,r13,r23,m1,m2,m3> =
> MPolynomialRing(QQ,7,order = "degrevlex")'
>
> I get similar errors on simpler definitions too.
>
> Cheers,
> Marshall
>
>
> On Jun 26, 1:35 am, "William Stein" <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I fixed a number of issues with the notebook (see changelog below) and
> > just made the changed version live.  If you're closely following this
> > thread, please let me know if anything seems seriously broken as a
> > result (I'm suffering from the lack of a unit testing framework for
> > the notebook -- help, Yi!).
> >
> >   -- William
> >
> > ---
> >
> > changeset:   5127:5c77fa34a543
> > tag:         tip
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Tue Jun 26 00:20:29 2007 -0700
> > summary:     make changing evaluation system much clearer
> >
> > changeset:   5126:659b25b295df
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Tue Jun 26 00:06:37 2007 -0700
> > summary:     Unified the save button in text edit mode.
> >
> > changeset:   5125:5138ee7b363b
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 23:54:02 2007 -0700
> > summary:     tiny fixes for some possible security problems
> >
> > changeset:   5124:550f2062e641
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 23:47:43 2007 -0700
> > summary:     Add download link for published worksheets.
> >
> > changeset:   5123:2b6c13c613e6
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 23:40:26 2007 -0700
> > summary:     Added 0 as a possible rating and user comments in ratings.
> >
> > changeset:   5122:0cb80f3e387f
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 22:48:49 2007 -0700
> > summary:     fix output bug and error in revisions.
> >
> > changeset:   5121:ed788cc5989d
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 22:46:17 2007 -0700
> > summary:     SAGE Notebook: Fix large output link.
> >
> > changeset:   5120:172b14df6514
> > user:        William Stein <[EMAIL PROTECTED]>
> > date:        Mon Jun 25 22:27:05 2007 -0700
> > summary:     Get rid of insane stupid global username variable in
> > twist.py, which was just there to get the ball rolling.
>
>
> >
>

--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/
-~----------~----~----~----~------~----~------~--~---
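The unescaped-username rendering described at the top of this message, as an added example that is not the SAGE notebook's own code: a hypothetical failed-login page rendered the way the post describes (the submitted name spliced straight into the HTML) beside the same page with the name HTML-escaped, a hypothetical published-worksheet listing that escapes the user-controlled title, and an allow-list check for usernames. The function names, page markup and URL layout are assumptions made for illustration; the sample usernames are constructed from the ones in the post, plus one generic script-injection probe the post does not report.

```python
import html
import re

# Constructed sample inputs modelled on the usernames in the post above;
# the last one is a generic script-injection probe, not something the
# post reports.
PAYLOADS = [
    "<h1>mark</h1>",
    '<div style="position:fixed; top:0; right:0; bottom:0; left:0; '
    'background:#FFF;">HI</div>',
    '<img src=x onerror="alert(document.cookie)">',
]


def render_failed_login_vulnerable(username):
    """Hypothetical template that splices the submitted username straight
    into the page, which is the behaviour the post describes: markup in
    the name is interpreted by the browser instead of shown as text."""
    return ('<html><body><h2>Login failed</h2>'
            '<p>Invalid username: %s</p></body></html>' % username)


def render_failed_login_fixed(username):
    """Same page with the username HTML-escaped for element content.
    quote=True also escapes " and ', so the value is safe inside a quoted
    attribute (e.g. value="...") as well; keep it out of <script> bodies
    and event handlers, where entity escaping alone is not enough."""
    return ('<html><body><h2>Login failed</h2>'
            '<p>Invalid username: %s</p></body></html>'
            % html.escape(username, quote=True))


def render_published_listing_fixed(worksheets):
    """Hypothetical listing of published worksheets as (id, title) pairs.
    The title is user-controlled, so it is escaped both as link text and
    inside the title attribute; the link target is built from the
    server-side integer id only, never from user input."""
    items = []
    for ws_id, title in worksheets:
        safe = html.escape(title, quote=True)
        items.append('<li><a href="/home/pub/%d" title="%s">%s</a></li>'
                     % (int(ws_id), safe, safe))
    return '<ul>\n%s\n</ul>' % '\n'.join(items)


# Allow-list for account names (assumed policy, not the notebook's).
USERNAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,32}$')


def is_valid_username(name):
    """Check to apply at account creation: a name limited to these
    characters cannot carry markup whatever page it lands on. Output
    escaping is still needed for free-text fields such as titles."""
    return bool(USERNAME_RE.match(name))


def reflects_markup(render, payload):
    """Quick probe for a page-rendering function: does the raw payload
    come back unchanged?  True means the browser would interpret it."""
    return payload in render(payload)


if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable reflects %-22r %s"
              % (p[:20], reflects_markup(render_failed_login_vulnerable, p)))
        print("fixed      reflects %-22r %s"
              % (p[:20], reflects_markup(render_failed_login_fixed, p)))
    print(render_published_listing_fixed([(0, PAYLOADS[1])]))
```

The two fixes are independent: escaping at every point where the name or title is written into HTML closes the reflection on the login page and in the listing, and the allow-list on account names removes the markup at the source so a name can never reach a template that forgets to escape. Both are worth having, since titles and other free-text fields cannot be allow-listed the same way.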
