-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dangerous link detected error after upgrading to Dash 2.15.0 #2764
Comments
Please see more information in this forum discussion: |
Maybe for components which had sanitization added to prevent the XSS issue should have a new I am hesitant to introduce specific exceptions for example only allowing |
A @alexcjohnson had mentioned handling the URL sanitation on the Dash framework level rather than the component level -- then it would apply to all components including custom components or libraries such as dbc and dmc. Is that still on the radar? |
@ndrezn I like the idea of the |
So to summarize we have a few options to tackle this issue:
In general the real risk is a specific class of applications (applications which allow you to save a portion of the layout as state, for example https://github.com/plotly/all-in-ai-demo-app -- observe what happens when you click/how "Save this chart" works). There's also the reasonable point that for the original example, maybe using I'm going to open a ticket in https://github.com/braintree/sanitize-url to see if they're thinking about this problem. |
While I am not expect in web technology, I get the impression looking at the literature that using I see Dash being used for a great variety of projects, many of which that do not have strict security requirements (e.g. a scientific single-user app running locally). For such users, the proposed change is removing (potentially important) functionality to address concerns (e.g. the save-layout-state example) they'll never face. In general, I consider the ability to adopt standard web technology solutions a key strength of Dash. Hence, removing (some of) this flexibility at framework level (without the ability to opt out) feels like a step in the wrong direction to me - unless there is a really strong argument for doing so. I of course understand the security concerns, and I appreciate the work being put into addressing them. However, with Dash being such a general framework, I believe that we should strive to keep as much flexibilty as possible. Even if that means enabling users to shoot them self in the foot, if they really want to. |
The specific type of |
@AnnMarieW pointed me to the interesting perspective from Mozilla: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
|
Hello all, Curious as to your thoughts on this as a workaround? Basically, you have a flask template, which is setup to pull the data: back and display it. Flask templates are driven from the server and therefore should be safe to use. Plus the template is outside the ecosystem of dash. So, it should be safe as far as saving layouts and other props as well. In this example, the weight falls on the dev to make sure the template is rendering safe and secure files.
|
Another possible concern would be what this person used as the workaround. This adjusted the srcDoc. Does this potentially expose the same vulnerability? |
@T4rk1n -- I think the strategy will be to use Mozilla's heuristic for detecting safe URLs and using that custom strategy rather than |
After upgrading to Dash 2.15.0, I have apps that are now breaking with
Dangerous link detected
errors, which are emitted when I useIframe
components to display embedded data, e.g. PDF files. Here is a small example,I would expect the app would continue to work, displaying the PDF, like it did in previous versions.
I guess the issue is related to the fixing of XSS vulnerabilities as mentioned in #2743 . However, I am not sure why it should be considered a vulnerability to display an embedded PDF file.
The text was updated successfully, but these errors were encountered: