Comments on Only Python: Exciting Crunchy News
Blog by André Roberge. Comment feed last updated 2023-05-22. Six comments, shown here in chronological order (times are in the feed's -03:00 offset).

Anonymous, 2006-08-04 08:04:

sounds cool!!

André Roberge, 2006-08-04 10:32:

There is a link in my previous post, both to the sourceforge site (for official releases) and to the svn repository. However, I chose not to include a link as the new features I describe are not fully implemented/documented yet in the "public" version (not even in the svn repository).

Anonymous, 2006-08-04 16:45:

> Crunchy can load html pages from the web (not only local ones) and perform its magic ;-)

Sounds dangerous!

André Roberge, 2006-08-04 16:59:

I wrote:
> Crunchy can load html pages from the web (not only local ones) and perform its magic ;-)

Anonymous wrote:
> Sounds dangerous!

----
You read a Python tutorial online. You cut-and-paste the code and try it. Is it dangerous? What Crunchy does is no more, no less dangerous than this.

In a few minutes, I have adapted two "official" *Python HOWTO* tutorials, to include with Crunchy. The adapted version could replace, on their respective website, the original ones with no apparent change to the user loading them up in her favourite browser. However, loading them up via Crunchy, you could just execute the code by clicking a button or, in the case of examples that use the Python interpreter, type in the code *in your browser window* just below where the original appears, and see the result for yourself.

Anonymous, 2006-08-04 20:03:

> You read a Python tutorial online. You cut-and-paste the code and try it. Is it dangerous? What Crunchy does is no more, no less dangerous than this.

So, what is keeping a rogue webpage from executing any Python code from the onload event handler?
This code isn't running in a sandbox, is it?

André Roberge, 2006-08-04 20:25:

anonymous said:

> So, what is keeping a rogue webpage from executing any Python code from the onload event handler?
> This code isn't running in a sandbox, is it?

======
No it isn't in a sandbox, and yes (with the current version), you are right that there is a potential problem.

The original design was premised on the idea that examples on the web would be loaded from "official sites", but not enough thought had been given. What will likely have to be done *for pages loaded remotely* is something like the following:
1. remove all "script" tags from the original page before it is passed to the browser; (only "script" tags added by Crunchy would remain/be allowed);
2. *possibly* remove "src" attributes (which would mean that images would not be loaded); (this might not be needed with Firefox...)
3. otherwise, only retain "title" and "alt" as attributes, in addition to the styling attributes "class" and "id".

Then,
4. add in the local javascript links and css links;
5. display in the browser.

I may have to simply disable loading remote tutorials for now, until I am more sure about the security :-(

Loading a tutorial locally should be done with the same caution as executing a local Python script.

Thank you anonymous1 and anonymous2 (possibly the same person!) for raising this issue.
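The allow-list proposal in André's last reply (strip all "script" tags, optionally drop "src", keep only "title", "alt", "class" and "id", then add Crunchy's own javascript and css links) written out as a standard-library Python sanitiser. This is an added example, not Crunchy's code; the /crunchy/*.js and *.css asset paths and the SAMPLE page are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_ATTRS = {"title", "alt", "class", "id"}          # step 3 of the proposal
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # never get a closing tag
# Hypothetical local asset paths: Crunchy's real file names are not given on the page.
LOCAL_ASSETS = ('<script src="/crunchy/crunchy.js"></script>',
                '<link rel="stylesheet" href="/crunchy/crunchy.css">')

class TutorialSanitizer(HTMLParser):
    def __init__(self, keep_src=False):
        super().__init__(convert_charrefs=True)
        self.keep_src = keep_src       # step 2 is marked *possibly* in the proposal
        self.out, self.in_script, self.injected = [], 0, False

    def _attrs(self, attrs):
        allowed = ALLOWED_ATTRS | ({"src"} if self.keep_src else set())
        return "".join(f' {k}="{escape(v or "", quote=True)}"'
                       for k, v in attrs if k.lower() in allowed)

    def handle_starttag(self, tag, attrs):
        if tag == "script":            # step 1: drop <script> and everything inside it
            self.in_script += 1
        elif not self.in_script:       # onload=, href=, style= are not on the allow-list
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script and tag not in VOID_TAGS:
            if tag == "head":          # step 4: add Crunchy's own local js/css links
                self.out.extend(LOCAL_ASSETS)
                self.injected = True
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:         # re-escape so text content stays text
            self.out.append(escape(data, quote=False))

def sanitize_page(html, keep_src=False):
    """Steps 1-4 of the proposal; links are prepended if the page has no <head>."""
    parser = TutorialSanitizer(keep_src)
    parser.feed(html)
    parser.close()
    prefix = "" if parser.injected else "".join(LOCAL_ASSETS)
    return prefix + "".join(parser.out)

SAMPLE = (  # constructed hostile tutorial page, not from the original post
    '<html><head><title>T</title><script>evil()</script></head><body onload="evil()">'
    '<h1 id="x" style="color:red">Hi</h1><img src="http://example.invalid/a.png" alt="pic">'
    '<a href="javascript:evil()" title="t">link</a><pre class="code">print(1 &lt; 2)</pre></body></html>')
```

Step 5 (display) is left to the caller, and "style" elements are passed through with their text escaped, because the proposal does not mention them.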