Can somebody explain why all html styling in markdown cells has been disabled as of notebook 6.4.1?


Jonathan Gutow

Jan 11, 2022, 12:07:29 PM
to Project Jupyter
Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798, the jupyter notebook maintainers have chosen to implement markdown sanitization in all notebooks >=6.4.1 that completely strips all html styling. This breaks most of my educational notebooks, which use styling beyond what markdown is capable of.

I would suggest this should be discussed and think that one of the following approaches might be better:
  1. Create a blacklist of the html elements (e.g. <form>, <button>, <script>) that will be stripped. Leave everything else. Make it very clear that they will be stripped. They should probably be deleted from the markdown code.
  2. Create a whitelist of things allowed (e.g. allow style, but not onclick, onload, etc.). This is probably harder, unless there is truly only a limited set that is safe. This may require limiting to style features, like margins, colors, backgrounds, and element sizing/placement.
  3. Behave more like code cells. Accept anything, but do not process them unless the user explicitly trusts the notebook.
Can somebody explain why it is necessary to completely remove the capability to use html styling in markdown cells? It seems to me there ought to be an alternative.

Regards,
Jonathan
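Since the thread turns on how a sanitizer's allowlist is configured, here is a small stand-in that implements proposals 1 and 2 from the post above side by side: a blocklist of elements removed together with their content, an allowlist of attributes that keeps style but never on* handlers, and an allowlist of CSS properties limited to layout and appearance. It is an added illustration written for this page on the Python standard library's html.parser, not Jupyter Notebook's code and not the sanitize-html library named later in the thread; every policy set and sample input in it is a constructed assumption.

```python
"""Allowlist HTML sanitizer for rendered markdown cells (added illustration;
not Jupyter's code, not sanitize-html; all policy sets are assumptions)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Proposal 1: elements removed together with their content.  Only non-void
# elements belong here, because the drop region ends at the matching end tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "form", "button", "textarea"}
# Proposal 2: what survives.  Unknown tags are unwrapped (tag gone, text kept).
ALLOWED_TAGS = {
    "p", "div", "span", "br", "hr", "b", "i", "em", "strong", "u", "sub", "sup",
    "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote",
    "code", "pre", "table", "thead", "tbody", "tr", "th", "td", "a", "img",
}
ALLOWED_ATTRS = {"style", "class", "title", "alt", "href", "src", "colspan", "rowspan"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "hr", "img"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Layout/appearance properties only: the "style features" the post lists.
ALLOWED_CSS = {
    "color", "background", "background-color", "font-size", "font-weight",
    "font-style", "font-family", "text-align", "text-decoration", "display",
    "float", "width", "height", "border", "border-radius",
    "margin", "margin-top", "margin-right", "margin-bottom", "margin-left",
    "padding", "padding-top", "padding-right", "padding-bottom", "padding-left",
}


def safe_url(value: str) -> bool:
    """True for relative URLs and allowlisted schemes; False for javascript:, data:, etc."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)  # control chars can hide a scheme
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def clean_style(value: str) -> str:
    """Keep only allowlisted CSS declarations whose value cannot fetch or run anything."""
    kept = []
    for declaration in value.split(";"):
        prop, sep, val = declaration.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if not sep or prop not in ALLOWED_CSS:
            continue
        if "url(" in val.lower() or "expression(" in val.lower() or "\\" in val:
            continue  # remote fetch, legacy script hook, or CSS escape obfuscation
        kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class MarkdownHTMLSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, so nothing unrecognised passes through."""

    def __init__(self, allowed_attrs=ALLOWED_ATTRS):
        super().__init__(convert_charrefs=True)
        self.allowed_attrs = allowed_attrs
        self.out = []         # sanitized fragments
        self.open_tags = []   # allowed tags still open, to emit balanced output
        self.drop_depth = 0   # > 0 while inside an element dropped with its content
        self.removed = []     # audit trail of everything the policy stripped

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            self.removed.append(f"<{tag}> with content")
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}> unwrapped")
            return
        rendered = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name not in self.allowed_attrs:
                self.removed.append(f"{tag}[{name}]")  # event handlers never pass
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.removed.append(f"{tag}[{name}={value!r}]")
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    continue
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_WITH_CONTENT:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:  # close anything left open inside it first
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # unclosed input must not leak open tags
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(fragment: str, allowed_attrs=ALLOWED_ATTRS):
    """Return (clean_html, removed_items) for one markdown cell's HTML."""
    parser = MarkdownHTMLSanitizer(allowed_attrs)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    # Constructed sample: styled teaching content mixed with things that must go.
    cell = ('<div onclick="steal()" style="margin-left: 2em; background: url(//x/y)">'
            '<img src="javascript:alert(1)" alt="plot"><script>alert(1)</script>'
            '<b>bold</b></div>')
    print(sanitize(cell))
    print(sanitize(cell, allowed_attrs=set()))  # over-strict policy: all styling gone
```

The second call in the main block reproduces the symptom this thread is about: an attribute allowlist that omits style strips every bit of presentation while still being "secure". The removed list is the audit trail a maintainer would log when tuning such a policy, so that an over-strict configuration shows up as a long list of stripped style attributes rather than as silent breakage in users' notebooks.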

Zach Sailer

Jan 11, 2022, 1:51:11 PM
to jup...@googlegroups.com
Hi Jonathan, 

Thank you for opening your question here!

First, what version of notebook are you running? I think this has been addressed in v6.4.4 (see this changelog). Let me know if that's not true.

> Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798, the jupyter notebook maintainers have chosen to implement markdown sanitization

To be clear, we didn't "choose" to implement markdown sanitization in response to this CVE. Jupyter Notebook was already doing markdown sanitization, but it was using a deprecated library with a critical security vulnerability. As a result, we were forced to replace that dependency; in doing so, we didn't properly configure the new sanitizer to allow some basic styling. As I mentioned, I hope this was fixed in v6.4.4, but let us know if not and we can start the conversation in a thread. 

TL;DR

As an aside, security vulnerabilities are tricky. In this particular case, we were required to act fast, while coordinating effort with multiple people from different organizations (the challenges of open-source). You can read more about it in this blog post. We did our best with the constraints we had—and we learned some things for next time.

It's also important to keep in mind that there is a relatively small number of people working on core Jupyter components, while the project generates a large volume of work for everyone. As you know from the future of the notebook discussions, Notebook maintainers are spread pretty thin these days. This issue specifically was one of the main factors that prompted the wider discussion about Notebook's future. 

Thank you again, Jonathan. I hope you're able to get your notebooks working again with a later release of Notebook.

Best,

Zach Sailer, Ph.D.
Apple | Sr. Software Engineer
Project Jupyter | Core Developer




Jonathan Gutow

Jan 11, 2022, 3:03:14 PM
to Project Jupyter
I do see the same problem up to and including notebook 6.4.4.

Jonathan

Michał Krassowski

Jan 11, 2022, 5:06:08 PM
to jup...@googlegroups.com
Hi Jonathan,

I just tested version 6.4.4 and don't see this issue. I also tested 6.4.5 and don't see this issue there either. I however do see a regression in 6.4.6.
I can imagine that you could possibly see this issue in 6.4.4 and 6.4.5 if you had an extension (or some embedded script) which was loading a newer version of klona, preventing sanitize-html from working properly, but it seems rather unlikely.

I opened https://github.com/jupyter/notebook/issues/6270 to track the regression in 6.4.6.
If you can reproduce the problem on 6.4.5 or 6.4.4 without any extensions (in a completely clean environment, like a docker/binder setup) please comment on the issue and provide reproduction instructions.
If you can narrow down an extension which causes this issue for you in 6.4.4 please also comment so others can know that they can work around the issue by disabling it.

Best wishes,
Michał Krassowski

