HTML sanitizer for descriptions. #2785
Conversation
Should we sanitize this on the HTML side using a known package? JupyterLab does that. Note: someone could JSLink this attribute which would not go through the validation. Jason's idea: make the sanitizer part of the manager, so that the environment can provide it. In the base manager, this could be a pass-through, and in the case of JupyterLab, we could use the lab sanitizer.
A new proposal for an inline sanitizer:
Of course, the actual
I think for now, let's keep the inline sanitizer in the ipywidgets codebase until there is a wider need for it in jlab.
TODO:
@zerline I wanted to try out your PR but I get the following error, any idea?
@zerline I was wondering how the logic in
Really excited to see progress on this!
Err, I see that lots of the changes are related to trivial lint formatting changes. I'll try to get those out of the review so we can concentrate on the substantial changes here.
I also needed to regenerate the spec to add these description_allow_html fields to the new date time pickers.
@zerline @jasongrout I reviewed and this looks good to me. I'll do a more thorough test run before the meeting on Tues and if I can't find anything before then we can merge!
Did more testing and it works beautifully - really cool PR! I tried breaking it and I didn't see any issues other than
One of the above commits states that Issue #3204, also mentioned above, suggests that Buttons/ToggleButtons may be able to have HTML descriptions in v8.0. Are HTML descriptions in Buttons/ToggleButtons something that is still being developed, or has that been found to be technically infeasible?
Bump ipywidgets >=8.0 to resolve CVEs:

```
-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50664
   Affected spec: <8.0.0
   ADVISORY: Ipywidgets 8.0.0 sanitizes descriptions by default.jupyter-widgets/ipywidgets#2785
   PVE-2022-50664
   For more information about this vulnerability, visit https://data.safetycli.com/v/50664/97c
   To ignore this vulnerability, use PyUp vulnerability id 50664 in safety's ignore command-line argument or add the ignore to your safety policy file.

-> Vulnerability found in ipywidgets version 7.8.1
   Vulnerability ID: 50463
   Affected spec: <8.0.0rc2
   ADVISORY: Ipywidgets 8.0.0rc2 makes descriptions plaintext by default for security.jupyter-widgets/ipywidgets#2785
   PVE-2022-50463
   For more information about this vulnerability, visit https://data.safetycli.com/v/50463/97c
   To ignore this vulnerability, use PyUp vulnerability id 50463 in safety's ignore command-line argument or add the ignore to your safety policy file.
```

Signed-off-by: Darren Weber <[email protected]>
An HTML sanitizer for descriptions. On the Python side: that is, we sanitize as early as possible. We may have to think about jslinks, though. Should address issue #2636
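The design sketched in this thread (a sanitizer hook on the widget manager, pass-through in the base manager, an environment-provided sanitizer in the JupyterLab case, plaintext rendering by default via a description_allow_html field, and sanitizing at render time so that values arriving through a jslink are covered as well as values validated on the Python side), shown as an added JavaScript illustration. This is not code from the PR or from the ipywidgets code base: BaseWidgetManager, LabLikeWidgetManager, renderDescription and allowListSanitize are names assumed for the example, and the allow-list sanitizer is a deliberately small stand-in for the JupyterLab sanitizer mentioned above.

```javascript
// Added illustration of the pluggable description sanitizer discussed in this PR.
// Not ipywidgets code: BaseWidgetManager, LabLikeWidgetManager, renderDescription
// and allowListSanitize are names assumed for this example.

// Escape a string so the browser renders it as literal text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal allow-list sanitizer standing in for the environment's real one
// (JupyterLab ships its own). Keeps a few inline formatting tags, drops every
// attribute, drops unknown tags, and discards the content of script/style.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'span', 'br']);
const DROP_CONTENT_TAGS = new Set(['script', 'style']);

function allowListSanitize(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = '';
  let last = 0;
  let skipping = null; // name of the tag whose inner content is being dropped
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (skipping === null) out += escapeHtml(html.slice(last, m.index));
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (skipping !== null) {
      if (closing && name === skipping) skipping = null;
    } else if (!closing && DROP_CONTENT_TAGS.has(name)) {
      skipping = name;
    } else if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`; // attributes are never copied
    }
    // any other tag is silently removed
    last = tagRe.lastIndex;
  }
  if (skipping === null) out += escapeHtml(html.slice(last));
  return out;
}

// Base manager: pass-through, as proposed for environments that bring no sanitizer.
class BaseWidgetManager {
  sanitize(html) { return html; }
}

// Manager for an environment that provides a sanitizer (stand-in for the lab case).
class LabLikeWidgetManager extends BaseWidgetManager {
  sanitize(html) { return allowListSanitize(html); }
}

// View-side rendering of a description. It runs on every render, so it also
// covers values that reach the frontend without passing Python-side validation
// (the jslink concern raised in the thread).
function renderDescription(manager, model) {
  if (!model.description_allow_html) {
    return escapeHtml(model.description); // default: plaintext
  }
  return manager.sanitize(model.description);
}

// Constructed sample description: benign markup mixed with markup that must not run.
const SAMPLE_DESCRIPTION =
  'Amount <b>USD</b><img src=x onerror="probe()"><script>probe()</script>!';

function demo() {
  const base = new BaseWidgetManager();
  const lab = new LabLikeWidgetManager();
  return {
    plaintext: renderDescription(base, { description: SAMPLE_DESCRIPTION, description_allow_html: false }),
    sanitized: renderDescription(lab, { description: SAMPLE_DESCRIPTION, description_allow_html: true }),
    passthrough: renderDescription(base, { description: SAMPLE_DESCRIPTION, description_allow_html: true }),
  };
}

console.log(demo());
```

Run it with node. The plaintext branch is what the 8.0 default relies on: with description_allow_html false, even the pass-through base manager never hands raw markup to the DOM. The allow-list branch drops all attributes instead of filtering them, which avoids having to enumerate event handlers and URL schemes; the pass-through result shows why an environment that opts into HTML descriptions needs to supply a real, audited sanitizer rather than this stand-in.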