Quantcast

D3js and IPython

classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

D3js and IPython

lecast
This is a new thread but it is born out and related to a previous discussion. The goal there was to live update figures created with d3js in IPython Notebook. It was suggested that a solution would be to use widgets, which I have to admit I did not have time to understand so instead I decided to create something that produces the end product I was aiming at, i.e. take output from Python, use d3js to create a table/figure, use some blackbox, have the output visible in the notebook (or be able to save it elsewhere as svg/html/png/etc).

You can find an example notebook with a lot of custom tables and some figures here. They are all created based on data from Python, rendered in PhantomJs (in that case I just copy the html, but PhantomJs allows for conversion to other formats), and then published in the notebook.

I created it for myself, so there is hardly any commenting in the file (I know, bad), but I have been using it for a few months now and it works really well. D3js has some great modern visualizations coded in and it takes only a few days to learn the syntax by doing.

Personally I think it would be really nice to make it into an extension/package, but I lack experience/time to do that.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
Hi,

I saw this and it looks pretty cool.  We definitely want to improve
our d3 support.  In the next few months we are going to be improving
our architecture for javascript widgets to make these things possible.
 I would imagine that we will have some d3 examples that emerge out of
that work.  In the meantime, here is a branch with some early work in
this area:

https://github.com/ipython/ipython/pull/2518

Please have a look at this and give us feedback.

Cheers,

Brian

On Tue, Jan 8, 2013 at 8:26 AM, lecast <[hidden email]> wrote:

> This is a new thread but it is born out and related to a  previous discussion
> <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
> . The goal there was to live update figures created with d3js in IPython
> Notebook. It was suggested that a solution would be to use widgets, which I
> have to admit I did not have time to understand so instead I decided to
> create something that produces the end product I was aiming at, i.e. take
> output from Python, use d3js to create a table/figure, use some blackbox,
> have the output visible in the notebook (or be able to save it elsewhere as
> svg/html/png/etc).
>
> You can find an example notebook with a lot of custom tables and some
> figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
> They are all created based on data from Python, rendered in PhantomJs (in
> that case I just copy the html, but PhantomJs allows for conversion to other
> formats), and then published in the notebook.
>
> I created it for myself, so there is hardly any commenting in the file (I
> know, bad), but I have been using it for a few months now and it works
> really well. D3js has some great modern visualizations coded in and it takes
> only a few days to learn the syntax by doing.
>
> Personally I think it would be really nice to make it into an
> extension/package, but I lack experience/time to do that.
>
>
>
> --
> View this message in context: http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
> Sent from the IPython - Development mailing list archive at Nabble.com.
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Matthias Bussonnier
In reply to this post by lecast
Hi !

It look really great :

A few comment :

Obstacle 1
def x():
        from IPython.core.display import Javascript
        Javascript('alert("a")')
x()

you probably want to `return Javascript('alert("a")')`
Am I wrong ?


Obstacle 2:
 same : `return HTML()` I guess...

Please, please, please don't inline script.
We will in anyway prevent script in output so this will become useless anyway.
Which will deprecate _js_repr_ (at least make it useless) but Brian Json-handler branch
ill work much better to do what you want.

Obstacle 3/Obstacle 4
Will be solve with brian Json Handler branch.

You probably want to inject your own library in the notebook,
which can be done via custom.js

draft doc : http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
use $.getScript(url)
for example :
$.getScript('d3.min.js') in you have d3.min.js in .ipython/profile_xxx/static/js/d3.min.js

You might be interesting in
http://epmoyer.github.com/ipy_table/

To join effort.

Thanks.
--
Matthias




Le 8 janv. 2013 à 17:26, lecast a écrit :

> This is a new thread but it is born out and related to a  previous discussion
> <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
> . The goal there was to live update figures created with d3js in IPython
> Notebook. It was suggested that a solution would be to use widgets, which I
> have to admit I did not have time to understand so instead I decided to
> create something that produces the end product I was aiming at, i.e. take
> output from Python, use d3js to create a table/figure, use some blackbox,
> have the output visible in the notebook (or be able to save it elsewhere as
> svg/html/png/etc).
>
> You can find an example notebook with a lot of custom tables and some
> figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
> They are all created based on data from Python, rendered in PhantomJs (in
> that case I just copy the html, but PhantomJs allows for conversion to other
> formats), and then published in the notebook.
>
> I created it for myself, so there is hardly any commenting in the file (I
> know, bad), but I have been using it for a few months now and it works
> really well. D3js has some great modern visualizations coded in and it takes
> only a few days to learn the syntax by doing.
>
> Personally I think it would be really nice to make it into an
> extension/package, but I lack experience/time to do that.
>
>
>
> --
> View this message in context: http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
> Sent from the IPython - Development mailing list archive at Nabble.com.
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

lecast
Thx. I will have a look at both the repository and the pull. 

Returning Javascript() or HTML() is not exactly what I need. In general I always need  to publish both html and javascript within a function so that function that would correspond to make_table() from ipy_table creates both the element and the script that populates that element. But this is mute here, since I couldn't find a way to copy final elements from the window and saving them in the notebook for good, the only thing that actually is saved is the final html object.

I don't use inline JS anywhere there. But, if you prevent inline JS in output then you will also prevent a lot of interactivity on final output that e.g. d3 generates. I mean you need to be able to have things like onClick etc. But if you mean that you will prohibit me from saving javascript in any form in the notebook, then I will probably have to stop pulling the new versions... Right now I spend all my time in Notebook, i.e. I wrote a script that converts notebooks to latex and I just write my papers in Notebook. It is nice since I see my math instantly, but I need to be able to embed some javascript that appears only in those notebooks that are really papers, e.g. to replace references or make highlights ( http://i46.tinypic.com/163qyg.png ).

Customjs is ok unless you send the notebook to someone and don't tell them they need to have it as well. I wanted something that produces output that is easily replicable. 



Z wyrazami szacunku,
Marcin Zamojski


On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python] <[hidden email]> wrote:
Hi !

It look really great :

A few comment :

Obstacle 1
def x():
        from IPython.core.display import Javascript
        Javascript('alert("a")')
x()

you probably want to `return Javascript('alert("a")')`
Am I wrong ?


Obstacle 2:
 same : `return HTML()` I guess...

Please, please, please don't inline script.
We will in anyway prevent script in output so this will become useless anyway.
Which will deprecate _js_repr_ (at least make it useless) but Brian Json-handler branch
ill work much better to do what you want.

Obstacle 3/Obstacle 4
Will be solve with brian Json Handler branch.

You probably want to inject your own library in the notebook,
which can be done via custom.js

draft doc : http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
use $.getScript(url)
for example :
$.getScript('d3.min.js') in you have d3.min.js in .ipython/profile_xxx/static/js/d3.min.js

You might be interesting in
http://epmoyer.github.com/ipy_table/

To join effort.

Thanks.
--
Matthias




Le 8 janv. 2013 à 17:26, lecast a écrit :

> This is a new thread but it is born out and related to a  previous discussion
> <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
> . The goal there was to live update figures created with d3js in IPython
> Notebook. It was suggested that a solution would be to use widgets, which I
> have to admit I did not have time to understand so instead I decided to
> create something that produces the end product I was aiming at, i.e. take
> output from Python, use d3js to create a table/figure, use some blackbox,
> have the output visible in the notebook (or be able to save it elsewhere as
> svg/html/png/etc).
>
> You can find an example notebook with a lot of custom tables and some
> figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
> They are all created based on data from Python, rendered in PhantomJs (in
> that case I just copy the html, but PhantomJs allows for conversion to other
> formats), and then published in the notebook.
>
> I created it for myself, so there is hardly any commenting in the file (I
> know, bad), but I have been using it for a few months now and it works
> really well. D3js has some great modern visualizations coded in and it takes
> only a few days to learn the syntax by doing.
>
> Personally I think it would be really nice to make it into an
> extension/package, but I lack experience/time to do that.
>
>
>
> --
> View this message in context: http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
> Sent from the IPython - Development mailing list archive at Nabble.com.
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev



If you reply to this email, your message will be added to the discussion below:
http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
To unsubscribe from D3js and IPython, click here.
NAML

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Matthias Bussonnier

Le 8 janv. 2013 à 22:11, lecast a écrit :

> Thx. I will have a look at both the repository and the pull.
>
> Returning Javascript() or HTML() is not exactly what I need. In general I always need  to publish both html and javascript within a function so that function that would correspond to make_table() from ipy_table creates both the element and the script that populates that element.

Doesn't Javascript have an option to also pass css/html/libraries ?

> But this is mute here, since I couldn't find a way to copy final elements from the window and saving them in the notebook for good, the only thing that actually is saved is the final html object.

> I don't use inline JS anywhere there. But, if you prevent inline JS in output then you will also prevent a lot of interactivity on final output that e.g. d3 generates. I mean you need to be able to have things like onClick etc.

You can bind dynamically, but all script/onclick will probably be escaped.
What will come is the ability to use js 'plugin' to which you can talk. you could send those 'plugin' data.
This should be more than enough to do what you want.
In your case that would be a plugin 'table' to which you send 'json' and that render the table.


> But if you mean that you will prohibit me from saving javascript in any form in the notebook, then I will probably have to stop pulling the new versions...
It will be saved, it will just not be runned by default. I would vote for a config flag to allow it, which would progressively be deprecated in
a non official plugin. ANd probably a "This notebook contain Javascript, Run It" ?

> Right now I spend all my time in Notebook, i.e. I wrote a script that converts notebooks to latex and I just write my papers in Notebook.

Have you tried nbconvert ? there is an  option for that, and we rally would like to push it forward and have testing and fixes.
We want the ability in the notebook to have a 'download as PDF', so we would love your input on that.

> It is nice since I see my math instantly, but I need to be able to embed some javascript that appears only in those notebooks that are really papers, e.g. to replace references or make highlights ( http://i46.tinypic.com/163qyg.png ).

Oh ! This is a highly customized notebook, I would like to see the code that does it.
It could become an extension and look definitively as things we want to do.

> Customjs is ok unless you send the notebook to someone and don't tell them they need to have it as well. I wanted something that produces output that is easily replicable.

Yes I do understand, but right now I can send you a notebook that does in js :
IPython.kernel.execute('rm -rf ~/')

You probably don't wan't that, and there are other security issues in js.

Also in the end, we could 'detect' that some cell have data that needs some plugin and in place of that show "you need FOO-Plugin, install ?"

I was skeptical in deprecating publishing JS, but after seen Brian D3 js demo and some though I do think it is the way to go.

I really hope we can find a way to solve all those things, and feedback like that where you have a real use case of
great things you want to to will be **really** helpfull in designing what have to be done.

--
Matthias


>
> Z wyrazami szacunku,
> Marcin Zamojski
>
>
> On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python] <[hidden email]> wrote:
> Hi !
>
> It look really great :
>
> A few comment :
>
> Obstacle 1
> def x():
>         from IPython.core.display import Javascript
>         Javascript('alert("a")')
> x()
>
> you probably want to `return Javascript('alert("a")')`
> Am I wrong ?
>
>
> Obstacle 2:
>  same : `return HTML()` I guess...
>
> Please, please, please don't inline script.
> We will in anyway prevent script in output so this will become useless anyway.
> Which will deprecate _js_repr_ (at least make it useless) but Brian Json-handler branch
> ill work much better to do what you want.
>
> Obstacle 3/Obstacle 4
> Will be solve with brian Json Handler branch.
>
> You probably want to inject your own library in the notebook,
> which can be done via custom.js
>
> draft doc : http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
> use $.getScript(url)
> for example :
> $.getScript('d3.min.js') in you have d3.min.js in .ipython/profile_xxx/static/js/d3.min.js
>
> You might be interesting in
> http://epmoyer.github.com/ipy_table/
>
> To join effort.
>
> Thanks.
> --
> Matthias
>
>
>
>
> Le 8 janv. 2013 à 17:26, lecast a écrit :
>
> > This is a new thread but it is born out and related to a  previous discussion
> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
> > . The goal there was to live update figures created with d3js in IPython
> > Notebook. It was suggested that a solution would be to use widgets, which I
> > have to admit I did not have time to understand so instead I decided to
> > create something that produces the end product I was aiming at, i.e. take
> > output from Python, use d3js to create a table/figure, use some blackbox,
> > have the output visible in the notebook (or be able to save it elsewhere as
> > svg/html/png/etc).
> >
> > You can find an example notebook with a lot of custom tables and some
> > figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
> > They are all created based on data from Python, rendered in PhantomJs (in
> > that case I just copy the html, but PhantomJs allows for conversion to other
> > formats), and then published in the notebook.
> >
> > I created it for myself, so there is hardly any commenting in the file (I
> > know, bad), but I have been using it for a few months now and it works
> > really well. D3js has some great modern visualizations coded in and it takes
> > only a few days to learn the syntax by doing.
> >
> > Personally I think it would be really nice to make it into an
> > extension/package, but I lack experience/time to do that.
> >
> >
> >
> > --
> > View this message in context: http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
> > Sent from the IPython - Development mailing list archive at Nabble.com.
> > _______________________________________________
> > IPython-dev mailing list
> > [hidden email]
> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
> If you reply to this email, your message will be added to the discussion below:
> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
> To unsubscribe from D3js and IPython, click here.
> NAML
>
>
> View this message in context: Re: D3js and IPython
> Sent from the IPython - Development mailing list archive at Nabble.com.
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
In reply to this post by lecast
Using the JS Plugins branch, you can use the following model:

* Write a JS plugin that has all of the javascript code you need - you
can do whatever you want.
* That Js plugin will declare a handler for a particular type of data.
* You can then publish JSON data to that handler using appropriate Python calls.

You shouldn't ever need to use the existing Javascript object to write
your JS code.

Cheers,

Brian


On Tue, Jan 8, 2013 at 1:11 PM, lecast <[hidden email]> wrote:

> Thx. I will have a look at both the repository and the pull.
>
> Returning Javascript() or HTML() is not exactly what I need. In general I
> always need  to publish both html and javascript within a function so that
> function that would correspond to make_table() from ipy_table creates both
> the element and the script that populates that element. But this is mute
> here, since I couldn't find a way to copy final elements from the window and
> saving them in the notebook for good, the only thing that actually is saved
> is the final html object.
>
> I don't use inline JS anywhere there. But, if you prevent inline JS in
> output then you will also prevent a lot of interactivity on final output
> that e.g. d3 generates. I mean you need to be able to have things like
> onClick etc. But if you mean that you will prohibit me from saving
> javascript in any form in the notebook, then I will probably have to stop
> pulling the new versions... Right now I spend all my time in Notebook, i.e.
> I wrote a script that converts notebooks to latex and I just write my papers
> in Notebook. It is nice since I see my math instantly, but I need to be able
> to embed some javascript that appears only in those notebooks that are
> really papers, e.g. to replace references or make highlights (
> http://i46.tinypic.com/163qyg.png ).
>
> Customjs is ok unless you send the notebook to someone and don't tell them
> they need to have it as well. I wanted something that produces output that
> is easily replicable.
>
>
>
> Z wyrazami szacunku,
> Marcin Zamojski
>
>
> On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python] <[hidden
> email]> wrote:
>>
>> Hi !
>>
>> It look really great :
>>
>> A few comment :
>>
>> Obstacle 1
>> def x():
>>         from IPython.core.display import Javascript
>>         Javascript('alert("a")')
>> x()
>>
>> you probably want to `return Javascript('alert("a")')`
>> Am I wrong ?
>>
>>
>> Obstacle 2:
>>  same : `return HTML()` I guess...
>>
>> Please, please, please don't inline script.
>> We will in anyway prevent script in output so this will become useless
>> anyway.
>> Which will deprecate _js_repr_ (at least make it useless) but Brian
>> Json-handler branch
>> ill work much better to do what you want.
>>
>> Obstacle 3/Obstacle 4
>> Will be solve with brian Json Handler branch.
>>
>> You probably want to inject your own library in the notebook,
>> which can be done via custom.js
>>
>> draft doc :
>> http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
>> use $.getScript(url)
>> for example :
>> $.getScript('d3.min.js') in you have d3.min.js in
>> .ipython/profile_xxx/static/js/d3.min.js
>>
>> You might be interesting in
>> http://epmoyer.github.com/ipy_table/
>>
>> To join effort.
>>
>> Thanks.
>> --
>> Matthias
>>
>>
>>
>>
>> Le 8 janv. 2013 à 17:26, lecast a écrit :
>>
>> > This is a new thread but it is born out and related to a  previous
>> > discussion
>> >
>> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
>> > . The goal there was to live update figures created with d3js in IPython
>> > Notebook. It was suggested that a solution would be to use widgets,
>> > which I
>> > have to admit I did not have time to understand so instead I decided to
>> > create something that produces the end product I was aiming at, i.e.
>> > take
>> > output from Python, use d3js to create a table/figure, use some
>> > blackbox,
>> > have the output visible in the notebook (or be able to save it elsewhere
>> > as
>> > svg/html/png/etc).
>> >
>> > You can find an example notebook with a lot of custom tables and some
>> > figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
>> > They are all created based on data from Python, rendered in PhantomJs
>> > (in
>> > that case I just copy the html, but PhantomJs allows for conversion to
>> > other
>> > formats), and then published in the notebook.
>> >
>> > I created it for myself, so there is hardly any commenting in the file
>> > (I
>> > know, bad), but I have been using it for a few months now and it works
>> > really well. D3js has some great modern visualizations coded in and it
>> > takes
>> > only a few days to learn the syntax by doing.
>> >
>> > Personally I think it would be really nice to make it into an
>> > extension/package, but I lack experience/time to do that.
>> >
>> >
>> >
>> > --
>> > View this message in context:
>> > http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
>> > Sent from the IPython - Development mailing list archive at Nabble.com.
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>> ________________________________
>> If you reply to this email, your message will be added to the discussion
>> below:
>> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
>> To unsubscribe from D3js and IPython, click here.
>> NAML
>
>
>
> ________________________________
> View this message in context: Re: D3js and IPython
>
> Sent from the IPython - Development mailing list archive at Nabble.com.
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Tue, Jan 8, 2013 at 2:04 PM, Brian Granger <[hidden email]> wrote:
Using the JS Plugins branch, you can use the following model:

* Write a JS plugin that has all of the javascript code you need - you
can do whatever you want.
* That Js plugin will declare a handler for a particular type of data.
* You can then publish JSON data to that handler using appropriate Python calls.

You shouldn't ever need to use the existing Javascript object to write
your JS code.

I don't think doing away with inline js is remotely feasible.
For security reasons, we have to make decisions like:

on load, do not run raw js, because it could do terrible things without the user being aware.

But removing the general ability to run js without installing new files on the nb *server* cannot possibly be the long-term solution.
 

Cheers,

Brian


On Tue, Jan 8, 2013 at 1:11 PM, lecast <[hidden email]> wrote:
> Thx. I will have a look at both the repository and the pull.
>
> Returning Javascript() or HTML() is not exactly what I need. In general I
> always need  to publish both html and javascript within a function so that
> function that would correspond to make_table() from ipy_table creates both
> the element and the script that populates that element. But this is mute
> here, since I couldn't find a way to copy final elements from the window and
> saving them in the notebook for good, the only thing that actually is saved
> is the final html object.
>
> I don't use inline JS anywhere there. But, if you prevent inline JS in
> output then you will also prevent a lot of interactivity on final output
> that e.g. d3 generates. I mean you need to be able to have things like
> onClick etc. But if you mean that you will prohibit me from saving
> javascript in any form in the notebook, then I will probably have to stop
> pulling the new versions... Right now I spend all my time in Notebook, i.e.
> I wrote a script that converts notebooks to latex and I just write my papers
> in Notebook. It is nice since I see my math instantly, but I need to be able
> to embed some javascript that appears only in those notebooks that are
> really papers, e.g. to replace references or make highlights (
> http://i46.tinypic.com/163qyg.png ).
>
> Customjs is ok unless you send the notebook to someone and don't tell them
> they need to have it as well. I wanted something that produces output that
> is easily replicable.
>
>
>
> Z wyrazami szacunku,
> Marcin Zamojski
>
>
> On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python] <[hidden
> email]> wrote:
>>
>> Hi !
>>
>> It look really great :
>>
>> A few comment :
>>
>> Obstacle 1
>> def x():
>>         from IPython.core.display import Javascript
>>         Javascript('alert("a")')
>> x()
>>
>> you probably want to `return Javascript('alert("a")')`
>> Am I wrong ?
>>
>>
>> Obstacle 2:
>>  same : `return HTML()` I guess...
>>
>> Please, please, please don't inline script.
>> We will in anyway prevent script in output so this will become useless
>> anyway.
>> Which will deprecate _js_repr_ (at least make it useless) but Brian
>> Json-handler branch
>> ill work much better to do what you want.
>>
>> Obstacle 3/Obstacle 4
>> Will be solve with brian Json Handler branch.
>>
>> You probably want to inject your own library in the notebook,
>> which can be done via custom.js
>>
>> draft doc :
>> http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
>> use $.getScript(url)
>> for example :
>> $.getScript('d3.min.js') in you have d3.min.js in
>> .ipython/profile_xxx/static/js/d3.min.js
>>
>> You might be interesting in
>> http://epmoyer.github.com/ipy_table/
>>
>> To join effort.
>>
>> Thanks.
>> --
>> Matthias
>>
>>
>>
>>
>> Le 8 janv. 2013 à 17:26, lecast a écrit :
>>
>> > This is a new thread but it is born out and related to a  previous
>> > discussion
>> >
>> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
>> > . The goal there was to live update figures created with d3js in IPython
>> > Notebook. It was suggested that a solution would be to use widgets,
>> > which I
>> > have to admit I did not have time to understand so instead I decided to
>> > create something that produces the end product I was aiming at, i.e.
>> > take
>> > output from Python, use d3js to create a table/figure, use some
>> > blackbox,
>> > have the output visible in the notebook (or be able to save it elsewhere
>> > as
>> > svg/html/png/etc).
>> >
>> > You can find an example notebook with a lot of custom tables and some
>> > figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>  .
>> > They are all created based on data from Python, rendered in PhantomJs
>> > (in
>> > that case I just copy the html, but PhantomJs allows for conversion to
>> > other
>> > formats), and then published in the notebook.
>> >
>> > I created it for myself, so there is hardly any commenting in the file
>> > (I
>> > know, bad), but I have been using it for a few months now and it works
>> > really well. D3js has some great modern visualizations coded in and it
>> > takes
>> > only a few days to learn the syntax by doing.
>> >
>> > Personally I think it would be really nice to make it into an
>> > extension/package, but I lack experience/time to do that.
>> >
>> >
>> >
>> > --
>> > View this message in context:
>> > http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
>> > Sent from the IPython - Development mailing list archive at Nabble.com.
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>> ________________________________
>> If you reply to this email, your message will be added to the discussion
>> below:
>> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
>> To unsubscribe from D3js and IPython, click here.
>> NAML
>
>
>
> ________________________________
> View this message in context: Re: D3js and IPython
>
> Sent from the IPython - Development mailing list archive at Nabble.com.
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev


_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
On Tue, Jan 8, 2013 at 2:09 PM, MinRK <[hidden email]> wrote:

>
>
> On Tue, Jan 8, 2013 at 2:04 PM, Brian Granger <[hidden email]> wrote:
>>
>> Using the JS Plugins branch, you can use the following model:
>>
>> * Write a JS plugin that has all of the javascript code you need - you
>> can do whatever you want.
>> * That Js plugin will declare a handler for a particular type of data.
>> * You can then publish JSON data to that handler using appropriate Python
>> calls.
>>
>> You shouldn't ever need to use the existing Javascript object to write
>> your JS code.
>
>
> I don't think doing away with inline js is remotely feasible.
> For security reasons, we have to make decisions like:
>
> on load, do not run raw js, because it could do terrible things without the
> user being aware.
>
> But removing the general ability to run js without installing new files on
> the nb *server* cannot possibly be the long-term solution.

Originally, I (obviously) thought this way.  But, as I have learned
more about the security vulnerabilities, I have become convinced that
this is the long term solution.  However, I am open to other solutions
that 1) completely remove the security risks and 2) don't involve
significant new complexities, such as requiring multiple domains and
iframes.  I should also note that I am open to the single user
notebook preserving this capability - but I am a little hesitant to
leave it enabled as it will encourage people to write Javascript code
in this way.

A separate issue is that actually writing Javascript code using the
old Javascript object is horrifically painful.  Errors get completely
swallowed and it is nearly impossible to figure out what is going on.
I think this is why very few people have actually done anything
significant with the Javascript object we currently have - it just
doesn't work very well.  On the other hand, developing the JS plugins,
gives the usual mostly pleasant development experience.

Cheers,

Brian

>>
>>
>> Cheers,
>>
>> Brian
>>
>>
>> On Tue, Jan 8, 2013 at 1:11 PM, lecast <[hidden email]> wrote:
>> > Thx. I will have a look at both the repository and the pull.
>> >
>> > Returning Javascript() or HTML() is not exactly what I need. In general
>> > I
>> > always need  to publish both html and javascript within a function so
>> > that
>> > function that would correspond to make_table() from ipy_table creates
>> > both
>> > the element and the script that populates that element. But this is mute
>> > here, since I couldn't find a way to copy final elements from the window
>> > and
>> > saving them in the notebook for good, the only thing that actually is
>> > saved
>> > is the final html object.
>> >
>> > I don't use inline JS anywhere there. But, if you prevent inline JS in
>> > output then you will also prevent a lot of interactivity on final output
>> > that e.g. d3 generates. I mean you need to be able to have things like
>> > onClick etc. But if you mean that you will prohibit me from saving
>> > javascript in any form in the notebook, then I will probably have to
>> > stop
>> > pulling the new versions... Right now I spend all my time in Notebook,
>> > i.e.
>> > I wrote a script that converts notebooks to latex and I just write my
>> > papers
>> > in Notebook. It is nice since I see my math instantly, but I need to be
>> > able
>> > to embed some javascript that appears only in those notebooks that are
>> > really papers, e.g. to replace references or make highlights (
>> > http://i46.tinypic.com/163qyg.png ).
>> >
>> > Customjs is ok unless you send the notebook to someone and don't tell
>> > them
>> > they need to have it as well. I wanted something that produces output
>> > that
>> > is easily replicable.
>> >
>> >
>> >
>> > Z wyrazami szacunku,
>> > Marcin Zamojski
>> >
>> >
>> > On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python]
>> > <[hidden
>> > email]> wrote:
>> >>
>> >> Hi !
>> >>
>> >> It look really great :
>> >>
>> >> A few comment :
>> >>
>> >> Obstacle 1
>> >> def x():
>> >>         from IPython.core.display import Javascript
>> >>         Javascript('alert("a")')
>> >> x()
>> >>
>> >> you probably want to `return Javascript('alert("a")')`
>> >> Am I wrong ?
>> >>
>> >>
>> >> Obstacle 2:
>> >>  same : `return HTML()` I guess...
>> >>
>> >> Please, please, please don't inline script.
>> >> We will in anyway prevent script in output so this will become useless
>> >> anyway.
>> >> Which will deprecate _js_repr_ (at least make it useless) but Brian
>> >> Json-handler branch
>> >> ill work much better to do what you want.
>> >>
>> >> Obstacle 3/Obstacle 4
>> >> Will be solve with brian Json Handler branch.
>> >>
>> >> You probably want to inject your own library in the notebook,
>> >> which can be done via custom.js
>> >>
>> >> draft doc :
>> >> http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
>> >> use $.getScript(url)
>> >> for example :
>> >> $.getScript('d3.min.js') in you have d3.min.js in
>> >> .ipython/profile_xxx/static/js/d3.min.js
>> >>
>> >> You might be interesting in
>> >> http://epmoyer.github.com/ipy_table/
>> >>
>> >> To join effort.
>> >>
>> >> Thanks.
>> >> --
>> >> Matthias
>> >>
>> >>
>> >>
>> >>
>> >> Le 8 janv. 2013 à 17:26, lecast a écrit :
>> >>
>> >> > This is a new thread but it is born out and related to a  previous
>> >> > discussion
>> >> >
>> >> >
>> >> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
>> >> > . The goal there was to live update figures created with d3js in
>> >> > IPython
>> >> > Notebook. It was suggested that a solution would be to use widgets,
>> >> > which I
>> >> > have to admit I did not have time to understand so instead I decided
>> >> > to
>> >> > create something that produces the end product I was aiming at, i.e.
>> >> > take
>> >> > output from Python, use d3js to create a table/figure, use some
>> >> > blackbox,
>> >> > have the output visible in the notebook (or be able to save it
>> >> > elsewhere
>> >> > as
>> >> > svg/html/png/etc).
>> >> >
>> >> > You can find an example notebook with a lot of custom tables and some
>> >> > figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>
>> >> > .
>> >> > They are all created based on data from Python, rendered in PhantomJs
>> >> > (in
>> >> > that case I just copy the html, but PhantomJs allows for conversion
>> >> > to
>> >> > other
>> >> > formats), and then published in the notebook.
>> >> >
>> >> > I created it for myself, so there is hardly any commenting in the
>> >> > file
>> >> > (I
>> >> > know, bad), but I have been using it for a few months now and it
>> >> > works
>> >> > really well. D3js has some great modern visualizations coded in and
>> >> > it
>> >> > takes
>> >> > only a few days to learn the syntax by doing.
>> >> >
>> >> > Personally I think it would be really nice to make it into an
>> >> > extension/package, but I lack experience/time to do that.
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > View this message in context:
>> >> > http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
>> >> > Sent from the IPython - Development mailing list archive at
>> >> > Nabble.com.
>> >> > _______________________________________________
>> >> > IPython-dev mailing list
>> >> > [hidden email]
>> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >>
>> >> _______________________________________________
>> >> IPython-dev mailing list
>> >> [hidden email]
>> >> http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >>
>> >>
>> >> ________________________________
>> >> If you reply to this email, your message will be added to the
>> >> discussion
>> >> below:
>> >> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
>> >> To unsubscribe from D3js and IPython, click here.
>> >> NAML
>> >
>> >
>> >
>> > ________________________________
>> > View this message in context: Re: D3js and IPython
>> >
>> > Sent from the IPython - Development mailing list archive at Nabble.com.
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> [hidden email] and [hidden email]
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Tue, Jan 8, 2013 at 4:18 PM, Brian Granger <[hidden email]> wrote:
On Tue, Jan 8, 2013 at 2:09 PM, MinRK <[hidden email]> wrote:
>
>
> On Tue, Jan 8, 2013 at 2:04 PM, Brian Granger <[hidden email]> wrote:
>>
>> Using the JS Plugins branch, you can use the following model:
>>
>> * Write a JS plugin that has all of the javascript code you need - you
>> can do whatever you want.
>> * That Js plugin will declare a handler for a particular type of data.
>> * You can then publish JSON data to that handler using appropriate Python
>> calls.
>>
>> You shouldn't ever need to use the existing Javascript object to write
>> your JS code.
>
>
> I don't think doing away with inline js is remotely feasible.
> For security reasons, we have to make decisions like:
>
> on load, do not run raw js, because it could do terrible things without the
> user being aware.
>
> But removing the general ability to run js without installing new files on
> the nb *server* cannot possibly be the long-term solution.

Originally, I (obviously) thought this way.  But, as I have learned
more about the security vulnerabilities, I have become convinced that
this is the long term solution.  However, I am open to other solutions
that 1) completely remove the security risks and 2) don't involve
significant new complexities, such as requiring multiple domains and
iframes.  I should also note that I am open to the single user
notebook preserving this capability - but I am a little hesitant to
leave it enabled as it will encourage people to write Javascript code
in this way.

I do appreciate the concern, and we need a solution to the issue.
I just don't think we have a complete one yet.
Right now, we have a supremely flexible (and thus insecure) situation,
whereas jsplugins-only is secure, but not remotely flexible from a user's perspective.

This is an extremely serious incapacitation of the notebook.
The trouble is that jsplugins is a relatively tolerable substitue
for the single-user notebook, but where the problem is worst
is when users don't actually have access to the server
to install jsplugins.  So it's precisely the case where we
would not allow custom js that jsplugins fail most dramatically
as a substitute.

Is it really our intention to require *server* installation of a plugin
for a user to gain access to a new widget? That seems to eliminate a *huge* portion of exactly what makes the notebook interesting.

If we have a way that js plugins can be loaded at runtime by the user without access to the server (presumably with a 'do you trust this guy?' confirmation),
then that would go a long way toward preventing the total castration of the notebook.
 

A separate issue is that actually writing Javascript code using the
old Javascript object is horrifically painful.  Errors get completely
swallowed and it is nearly impossible to figure out what is going on.
I think this is why very few people have actually done anything
significant with the Javascript object we currently have - it just
doesn't work very well.  On the other hand, developing the JS plugins,
gives the usual mostly pleasant development experience.

This isn't entirely accurate, as errors in js do show up in the notebook. Just try

%%javascript
a = doesnt_exist

But I do appreciate the pain - I've taken to writing new inline js code in .js files locally,
just so my editor can help me out, which is similar in practice to jsplugins and definitely an improvement over typing js in Python strings.


Cheers,

Brian

>>
>>
>> Cheers,
>>
>> Brian
>>
>>
>> On Tue, Jan 8, 2013 at 1:11 PM, lecast <[hidden email]> wrote:
>> > Thx. I will have a look at both the repository and the pull.
>> >
>> > Returning Javascript() or HTML() is not exactly what I need. In general
>> > I
>> > always need  to publish both html and javascript within a function so
>> > that
>> > function that would correspond to make_table() from ipy_table creates
>> > both
>> > the element and the script that populates that element. But this is mute
>> > here, since I couldn't find a way to copy final elements from the window
>> > and
>> > saving them in the notebook for good, the only thing that actually is
>> > saved
>> > is the final html object.
>> >
>> > I don't use inline JS anywhere there. But, if you prevent inline JS in
>> > output then you will also prevent a lot of interactivity on final output
>> > that e.g. d3 generates. I mean you need to be able to have things like
>> > onClick etc. But if you mean that you will prohibit me from saving
>> > javascript in any form in the notebook, then I will probably have to
>> > stop
>> > pulling the new versions... Right now I spend all my time in Notebook,
>> > i.e.
>> > I wrote a script that converts notebooks to latex and I just write my
>> > papers
>> > in Notebook. It is nice since I see my math instantly, but I need to be
>> > able
>> > to embed some javascript that appears only in those notebooks that are
>> > really papers, e.g. to replace references or make highlights (
>> > http://i46.tinypic.com/163qyg.png ).
>> >
>> > Customjs is ok unless you send the notebook to someone and don't tell
>> > them
>> > they need to have it as well. I wanted something that produces output
>> > that
>> > is easily replicable.
>> >
>> >
>> >
>> > Z wyrazami szacunku,
>> > Marcin Zamojski
>> >
>> >
>> > On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python]
>> > <[hidden
>> > email]> wrote:
>> >>
>> >> Hi !
>> >>
>> >> It look really great :
>> >>
>> >> A few comment :
>> >>
>> >> Obstacle 1
>> >> def x():
>> >>         from IPython.core.display import Javascript
>> >>         Javascript('alert("a")')
>> >> x()
>> >>
>> >> you probably want to `return Javascript('alert("a")')`
>> >> Am I wrong ?
>> >>
>> >>
>> >> Obstacle 2:
>> >>  same : `return HTML()` I guess...
>> >>
>> >> Please, please, please don't inline script.
>> >> We will in anyway prevent script in output so this will become useless
>> >> anyway.
>> >> Which will deprecate _js_repr_ (at least make it useless) but Brian
>> >> Json-handler branch
>> >> ill work much better to do what you want.
>> >>
>> >> Obstacle 3/Obstacle 4
>> >> Will be solve with brian Json Handler branch.
>> >>
>> >> You probably want to inject your own library in the notebook,
>> >> which can be done via custom.js
>> >>
>> >> draft doc :
>> >> http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
>> >> use $.getScript(url)
>> >> for example :
>> >> $.getScript('d3.min.js') in you have d3.min.js in
>> >> .ipython/profile_xxx/static/js/d3.min.js
>> >>
>> >> You might be interesting in
>> >> http://epmoyer.github.com/ipy_table/
>> >>
>> >> To join effort.
>> >>
>> >> Thanks.
>> >> --
>> >> Matthias
>> >>
>> >>
>> >>
>> >>
>> >> Le 8 janv. 2013 à 17:26, lecast a écrit :
>> >>
>> >> > This is a new thread but it is born out and related to a  previous
>> >> > discussion
>> >> >
>> >> >
>> >> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
>> >> > . The goal there was to live update figures created with d3js in
>> >> > IPython
>> >> > Notebook. It was suggested that a solution would be to use widgets,
>> >> > which I
>> >> > have to admit I did not have time to understand so instead I decided
>> >> > to
>> >> > create something that produces the end product I was aiming at, i.e.
>> >> > take
>> >> > output from Python, use d3js to create a table/figure, use some
>> >> > blackbox,
>> >> > have the output visible in the notebook (or be able to save it
>> >> > elsewhere
>> >> > as
>> >> > svg/html/png/etc).
>> >> >
>> >> > You can find an example notebook with a lot of custom tables and some
>> >> > figures  here <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>
>> >> > .
>> >> > They are all created based on data from Python, rendered in PhantomJs
>> >> > (in
>> >> > that case I just copy the html, but PhantomJs allows for conversion
>> >> > to
>> >> > other
>> >> > formats), and then published in the notebook.
>> >> >
>> >> > I created it for myself, so there is hardly any commenting in the
>> >> > file
>> >> > (I
>> >> > know, bad), but I have been using it for a few months now and it
>> >> > works
>> >> > really well. D3js has some great modern visualizations coded in and
>> >> > it
>> >> > takes
>> >> > only a few days to learn the syntax by doing.
>> >> >
>> >> > Personally I think it would be really nice to make it into an
>> >> > extension/package, but I lack experience/time to do that.
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > View this message in context:
>> >> > http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
>> >> > Sent from the IPython - Development mailing list archive at
>> >> > Nabble.com.
>> >> > _______________________________________________
>> >> > IPython-dev mailing list
>> >> > [hidden email]
>> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >>
>> >> _______________________________________________
>> >> IPython-dev mailing list
>> >> [hidden email]
>> >> http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >>
>> >>
>> >> ________________________________
>> >> If you reply to this email, your message will be added to the
>> >> discussion
>> >> below:
>> >> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
>> >> To unsubscribe from D3js and IPython, click here.
>> >> NAML
>> >
>> >
>> >
>> > ________________________________
>> > View this message in context: Re: D3js and IPython
>> >
>> > Sent from the IPython - Development mailing list archive at Nabble.com.
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> [hidden email] and [hidden email]
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev


_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Matthias Bussonnier

> I do appreciate the concern, and we need a solution to the issue.
> I just don't think we have a complete one yet.
> Right now, we have a supremely flexible (and thus insecure) situation,
> whereas jsplugins-only is secure, but not remotely flexible from a user's perspective.
>
> This is an extremely serious incapacitation of the notebook.
> The trouble is that jsplugins is a relatively tolerable substitue
> for the single-user notebook, but where the problem is worst
> is when users don't actually have access to the server
> to install jsplugins.  So it's precisely the case where we
> would not allow custom js that jsplugins fail most dramatically
> as a substitute.
>
> Is it really our intention to require *server* installation of a plugin
> for a user to gain access to a new widget? That seems to eliminate a *huge* portion of exactly what makes the notebook interesting.
>
> If we have a way that js plugins can be loaded at runtime by the user without access to the server (presumably with a 'do you trust this guy?' confirmation),
> then that would go a long way toward preventing the total castration of the notebook.
>  

The problem is that if we escape javascript in output to prevent js execution at load time we do make
injecting javascript **script tag** useless in markdown and cell ouput.

This is a slight difference than displaying javascript with the Javascript object that actually evaluate the string of code.
It is also dangerous in multi-user context, even if this javascript is not runned at load time.

I think that Json plugin are much better than current structure because one of the first plugin you can write can evaluate javascript
code, so it actually does the same as Javascript object.
But, If you design a custom plugin that deal with a specific type of json data, then you get the ability for this data to be used
at load time as the json repr is stored.

And I do agree that we need to give users a way to still display JS.

I still think we should **strongly** encourage them not to use Javascript object because of it's inherent evaluation
which is not stored. It is nice for prototyping, but it does more harm than anything for sharing.

Finally I suppose it will be doable and a good thing to develop the ability to plug those jsplugin to nbviewer.
--
Matthias



_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

lecast
I had a look at jsplugins and indeed it makes sense to use that in my context, although I would still keep my class for rendering static things or things that use css for interactivity.

However, the way I understand is that js in unwanted in the saved output because it may communicate with the kernel, and that in turn can do whatever. Wouldn't escaping just such calls be an option too?

For the jsplugins to work I think there should be an install function within IPython where you point at some url that hosts the plugin. And, there should be an easy way to extend plugins from within IPython so that the user doesn't have to have file system access to add a script.

Also, the base of the code for my papers-style notebooks that extracts footnotes is at http://nbviewer.ipython.org/4492534/

Z wyrazami szacunku,
Marcin Zamojski


On Wed, Jan 9, 2013 at 8:37 AM, Matthias Bussonnier [via Python] <[hidden email]> wrote:

> I do appreciate the concern, and we need a solution to the issue.
> I just don't think we have a complete one yet.
> Right now, we have a supremely flexible (and thus insecure) situation,
> whereas jsplugins-only is secure, but not remotely flexible from a user's perspective.
>
> This is an extremely serious incapacitation of the notebook.
> The trouble is that jsplugins is a relatively tolerable substitue
> for the single-user notebook, but where the problem is worst
> is when users don't actually have access to the server
> to install jsplugins.  So it's precisely the case where we
> would not allow custom js that jsplugins fail most dramatically
> as a substitute.
>
> Is it really our intention to require *server* installation of a plugin
> for a user to gain access to a new widget? That seems to eliminate a *huge* portion of exactly what makes the notebook interesting.
>
> If we have a way that js plugins can be loaded at runtime by the user without access to the server (presumably with a 'do you trust this guy?' confirmation),
> then that would go a long way toward preventing the total castration of the notebook.
>  
The problem is that if we escape javascript in output to prevent js execution at load time we do make
injecting javascript **script tag** useless in markdown and cell ouput.

This is a slight difference than displaying javascript with the Javascript object that actually evaluate the string of code.
It is also dangerous in multi-user context, even if this javascript is not runned at load time.

I think that Json plugin are much better than current structure because one of the first plugin you can write can evaluate javascript
code, so it actually does the same as Javascript object.
But, If you design a custom plugin that deal with a specific type of json data, then you get the ability for this data to be used
at load time as the json repr is stored.

And I do agree that we need to give users a way to still display JS.

I still think we should **strongly** encourage them not to use Javascript object because of it's inherent evaluation
which is not stored. It is nice for prototyping, but it does more harm than anything for sharing.

Finally I suppose it will be doable and a good thing to develop the ability to plug those jsplugin to nbviewer.
--
Matthias



_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev



If you reply to this email, your message will be added to the discussion below:
http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001731.html
To unsubscribe from D3js and IPython, click here.
NAML

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Matthias Bussonnier

Le 9 janv. 2013 à 12:57, lecast a écrit :

I had a look at jsplugins and indeed it makes sense to use that in my context, although I would still keep my class for rendering static things or things that use css for interactivity.

However, the way I understand is that js in unwanted in the saved output because it may communicate with the kernel, and that in turn can do whatever.


Wouldn't escaping just such calls be an option too?

I'm not sure I understand the question here. 
Removing js evaluation and injection of script tag through IPython is not enough as one can actually forge
a file that have embedded js. So we need to be carefull

For the jsplugins to work I think there should be an install function within IPython where you point at some url that hosts the plugin.
And, there should be an easy way to extend plugins from within IPython so that the user doesn't have to have file system access to add a script.

Yes, sure. Plugin will probably be mostly js that can be served from urls. So that shouldn't be too hard. 
But I'm not sure user can have IPython access without filesystem access. I don't really see the point of 
an online computing software if you can't store data or save your notebook... 

Also, the base of the code for my papers-style notebooks that extracts footnotes is at http://nbviewer.ipython.org/4492534/

Great ! I'll have a look. 
-- 
Matthias

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Jan 9, 2013, at 9:13, Matthias BUSSONNIER <[hidden email]> wrote:


Le 9 janv. 2013 à 12:57, lecast a écrit :

I had a look at jsplugins and indeed it makes sense to use that in my context, although I would still keep my class for rendering static things or things that use css for interactivity.

However, the way I understand is that js in unwanted in the saved output because it may communicate with the kernel, and that in turn can do whatever.


Wouldn't escaping just such calls be an option too?

I'm not sure I understand the question here. 
Removing js evaluation and injection of script tag through IPython is not enough as one can actually forge
a file that have embedded js. So we need to be carefull

For the jsplugins to work I think there should be an install function within IPython where you point at some url that hosts the plugin.
And, there should be an easy way to extend plugins from within IPython so that the user doesn't have to have file system access to add a script.

Yes, sure. Plugin will probably be mostly js that can be served from urls. So that shouldn't be too hard. 
But I'm not sure user can have IPython access without filesystem access. I don't really see the point of 
an online computing software if you can't store data or save your notebook... 

You forget that notebook / kernel access and *server* filesystem access are not going to be the same thing for long.  For multiuser, it is a safe assumption that n-1 users will *not* have access to installing js plugins (not to mention the fact that current design requires nb server restart, which users also do not have permissions to do).


Also, the base of the code for my papers-style notebooks that extracts footnotes is at http://nbviewer.ipython.org/4492534/

Great ! I'll have a look. 
-- 
Matthias
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Matthias Bussonnier

Le 9 janv. 2013 à 19:32, Min RK a écrit :

> You forget that notebook / kernel access and *server* filesystem access are not going to be the same thing for long.  For multiuser, it is a safe assumption that n-1 users will *not* have access to installing js plugins (not to mention the fact that current design requires nb server restart, which users also do not have permissions to do).

I was more thinking of profile directory.
I though profile would be writable to allow custom config...
And ipynb files are not on kernel side either...

You really can't do much with only kernel side...

As for the JS plugin I though the reloading would be on page reload not server-restart.
I'll try to look at that again.

--
Matthias

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Wed, Jan 9, 2013 at 10:43 AM, Matthias BUSSONNIER <[hidden email]> wrote:

Le 9 janv. 2013 à 19:32, Min RK a écrit :

> You forget that notebook / kernel access and *server* filesystem access are not going to be the same thing for long.  For multiuser, it is a safe assumption that n-1 users will *not* have access to installing js plugins (not to mention the fact that current design requires nb server restart, which users also do not have permissions to do).

I was more thinking of profile directory.
I though profile would be writable to allow custom config...
And ipynb files are not on kernel side either...

You really can't do much with only kernel side...

And that's exactly the point - an important user case in the long term (students, non-admin users in multi-user deployment, etc.)
will have no access to the notebook *server's* profile / config.
Any time we make decisions that require nb-server config,
we have to take this into account.  We have to be aware that we are adding configuration decisions that admins have to make on behalf of users.
That's not to say this is necessarily inappropriate, but it sucks a lot for admins and users alike, so we have to be careful.
 

As for the JS plugin I though the reloading would be on page reload not server-restart.
I'll try to look at that again.

I think it constructs the list when it first renders the page template - it shouldn't be tricky to rebuild the list.
That's not a particularly important point (though we should make the change if my memory was correct).
 

--
Matthias

_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev


_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
In reply to this post by MinRK
> I do appreciate the concern, and we need a solution to the issue.
> I just don't think we have a complete one yet.
> Right now, we have a supremely flexible (and thus insecure) situation,
> whereas jsplugins-only is secure, but not remotely flexible from a user's
> perspective.
>
> This is an extremely serious incapacitation of the notebook.
> The trouble is that jsplugins is a relatively tolerable substitue
> for the single-user notebook, but where the problem is worst
> is when users don't actually have access to the server
> to install jsplugins.  So it's precisely the case where we
> would not allow custom js that jsplugins fail most dramatically
> as a substitute.

Yes, the jsplugins do represent a problem in multiuser settings where
each user might way different plugins installed.  It is also difficult
to have to involve the server admin to install things like this.  At
the same time, the same server admin would have to be involved if a
user wanted to install a new python package, so maybe there is not
that big of a difference.

> Is it really our intention to require *server* installation of a plugin
> for a user to gain access to a new widget? That seems to eliminate a *huge*
> portion of exactly what makes the notebook interesting.

The *idea* was to use the server side install requirement as the step
that says "I trust this code."  If we can implement that check in a
robust way that people won't step over without really understanding
what they are doing, that would be great.

> If we have a way that js plugins can be loaded at runtime by the user
> without access to the server (presumably with a 'do you trust this guy?'
> confirmation),
> then that would go a long way toward preventing the total castration of the
> notebook.

We should definitely think about that, as it might provide a nice
balance of the two options.

>>
>>
>> A separate issue is that actually writing Javascript code using the
>> old Javascript object is horrifically painful.  Errors get completely
>> swallowed and it is nearly impossible to figure out what is going on.
>> I think this is why very few people have actually done anything
>> significant with the Javascript object we currently have - it just
>> doesn't work very well.  On the other hand, developing the JS plugins,
>> gives the usual mostly pleasant development experience.
>
>
> This isn't entirely accurate, as errors in js do show up in the notebook.
> Just try
>
> %%javascript
> a = doesnt_exist

Some errors do show up - but many others do not.  I have never been
able to figure out which do and which don't.  When I have encountered
silent errors, in some cases I could never find them and had to
rewrite the code carefully from scratch.  Eventually they disappeared.

> But I do appreciate the pain - I've taken to writing new inline js code in
> .js files locally,
> just so my editor can help me out, which is similar in practice to jsplugins
> and definitely an improvement over typing js in Python strings.

Yes, I have done this as well and it helps somethings.

Cheers,

Brian

>>
>> Cheers,
>>
>> Brian
>>
>> >>
>> >>
>> >> Cheers,
>> >>
>> >> Brian
>> >>
>> >>
>> >> On Tue, Jan 8, 2013 at 1:11 PM, lecast <[hidden email]> wrote:
>> >> > Thx. I will have a look at both the repository and the pull.
>> >> >
>> >> > Returning Javascript() or HTML() is not exactly what I need. In
>> >> > general
>> >> > I
>> >> > always need  to publish both html and javascript within a function so
>> >> > that
>> >> > function that would correspond to make_table() from ipy_table creates
>> >> > both
>> >> > the element and the script that populates that element. But this is
>> >> > mute
>> >> > here, since I couldn't find a way to copy final elements from the
>> >> > window
>> >> > and
>> >> > saving them in the notebook for good, the only thing that actually is
>> >> > saved
>> >> > is the final html object.
>> >> >
>> >> > I don't use inline JS anywhere there. But, if you prevent inline JS
>> >> > in
>> >> > output then you will also prevent a lot of interactivity on final
>> >> > output
>> >> > that e.g. d3 generates. I mean you need to be able to have things
>> >> > like
>> >> > onClick etc. But if you mean that you will prohibit me from saving
>> >> > javascript in any form in the notebook, then I will probably have to
>> >> > stop
>> >> > pulling the new versions... Right now I spend all my time in
>> >> > Notebook,
>> >> > i.e.
>> >> > I wrote a script that converts notebooks to latex and I just write my
>> >> > papers
>> >> > in Notebook. It is nice since I see my math instantly, but I need to
>> >> > be
>> >> > able
>> >> > to embed some javascript that appears only in those notebooks that
>> >> > are
>> >> > really papers, e.g. to replace references or make highlights (
>> >> > http://i46.tinypic.com/163qyg.png ).
>> >> >
>> >> > Customjs is ok unless you send the notebook to someone and don't tell
>> >> > them
>> >> > they need to have it as well. I wanted something that produces output
>> >> > that
>> >> > is easily replicable.
>> >> >
>> >> >
>> >> >
>> >> > Z wyrazami szacunku,
>> >> > Marcin Zamojski
>> >> >
>> >> >
>> >> > On Tue, Jan 8, 2013 at 8:56 PM, Matthias Bussonnier [via Python]
>> >> > <[hidden
>> >> > email]> wrote:
>> >> >>
>> >> >> Hi !
>> >> >>
>> >> >> It look really great :
>> >> >>
>> >> >> A few comment :
>> >> >>
>> >> >> Obstacle 1
>> >> >> def x():
>> >> >>         from IPython.core.display import Javascript
>> >> >>         Javascript('alert("a")')
>> >> >> x()
>> >> >>
>> >> >> you probably want to `return Javascript('alert("a")')`
>> >> >> Am I wrong ?
>> >> >>
>> >> >>
>> >> >> Obstacle 2:
>> >> >>  same : `return HTML()` I guess...
>> >> >>
>> >> >> Please, please, please don't inline script.
>> >> >> We will in anyway prevent script in output so this will become
>> >> >> useless
>> >> >> anyway.
>> >> >> Which will deprecate _js_repr_ (at least make it useless) but Brian
>> >> >> Json-handler branch
>> >> >> ill work much better to do what you want.
>> >> >>
>> >> >> Obstacle 3/Obstacle 4
>> >> >> Will be solve with brian Json Handler branch.
>> >> >>
>> >> >> You probably want to inject your own library in the notebook,
>> >> >> which can be done via custom.js
>> >> >>
>> >> >> draft doc :
>> >> >> http://elacave.lmdb.eu/~carreau/yui/classes/IPython.customjs.html
>> >> >> use $.getScript(url)
>> >> >> for example :
>> >> >> $.getScript('d3.min.js') in you have d3.min.js in
>> >> >> .ipython/profile_xxx/static/js/d3.min.js
>> >> >>
>> >> >> You might be interesting in
>> >> >> http://epmoyer.github.com/ipy_table/
>> >> >>
>> >> >> To join effort.
>> >> >>
>> >> >> Thanks.
>> >> >> --
>> >> >> Matthias
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> Le 8 janv. 2013 à 17:26, lecast a écrit :
>> >> >>
>> >> >> > This is a new thread but it is born out and related to a  previous
>> >> >> > discussion
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > <http://python.6.n6.nabble.com/experiment-remote-execution-of-jquery-and-d3-code-into-the-browser-via-ipython-td4633053.html#a4955237>
>> >> >> > . The goal there was to live update figures created with d3js in
>> >> >> > IPython
>> >> >> > Notebook. It was suggested that a solution would be to use
>> >> >> > widgets,
>> >> >> > which I
>> >> >> > have to admit I did not have time to understand so instead I
>> >> >> > decided
>> >> >> > to
>> >> >> > create something that produces the end product I was aiming at,
>> >> >> > i.e.
>> >> >> > take
>> >> >> > output from Python, use d3js to create a table/figure, use some
>> >> >> > blackbox,
>> >> >> > have the output visible in the notebook (or be able to save it
>> >> >> > elsewhere
>> >> >> > as
>> >> >> > svg/html/png/etc).
>> >> >> >
>> >> >> > You can find an example notebook with a lot of custom tables and
>> >> >> > some
>> >> >> > figures  here
>> >> >> > <http://nbviewer.ipython.org/4484816/ipyD3sample.ipynb>
>> >> >> > .
>> >> >> > They are all created based on data from Python, rendered in
>> >> >> > PhantomJs
>> >> >> > (in
>> >> >> > that case I just copy the html, but PhantomJs allows for
>> >> >> > conversion
>> >> >> > to
>> >> >> > other
>> >> >> > formats), and then published in the notebook.
>> >> >> >
>> >> >> > I created it for myself, so there is hardly any commenting in the
>> >> >> > file
>> >> >> > (I
>> >> >> > know, bad), but I have been using it for a few months now and it
>> >> >> > works
>> >> >> > really well. D3js has some great modern visualizations coded in
>> >> >> > and
>> >> >> > it
>> >> >> > takes
>> >> >> > only a few days to learn the syntax by doing.
>> >> >> >
>> >> >> > Personally I think it would be really nice to make it into an
>> >> >> > extension/package, but I lack experience/time to do that.
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > View this message in context:
>> >> >> > http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661.html
>> >> >> > Sent from the IPython - Development mailing list archive at
>> >> >> > Nabble.com.
>> >> >> > _______________________________________________
>> >> >> > IPython-dev mailing list
>> >> >> > [hidden email]
>> >> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >> >>
>> >> >> _______________________________________________
>> >> >> IPython-dev mailing list
>> >> >> [hidden email]
>> >> >> http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >> >>
>> >> >>
>> >> >> ________________________________
>> >> >> If you reply to this email, your message will be added to the
>> >> >> discussion
>> >> >> below:
>> >> >>
>> >> >> http://python.6.n6.nabble.com/D3js-and-IPython-tp5001661p5001692.html
>> >> >> To unsubscribe from D3js and IPython, click here.
>> >> >> NAML
>> >> >
>> >> >
>> >> >
>> >> > ________________________________
>> >> > View this message in context: Re: D3js and IPython
>> >> >
>> >> > Sent from the IPython - Development mailing list archive at
>> >> > Nabble.com.
>> >> >
>> >> > _______________________________________________
>> >> > IPython-dev mailing list
>> >> > [hidden email]
>> >> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Brian E. Granger
>> >> Cal Poly State University, San Luis Obispo
>> >> [hidden email] and [hidden email]
>> >> _______________________________________________
>> >> IPython-dev mailing list
>> >> [hidden email]
>> >> http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >
>> >
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>> >
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> [hidden email] and [hidden email]
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
In reply to this post by Matthias Bussonnier
On Tue, Jan 8, 2013 at 11:37 PM, Matthias BUSSONNIER
<[hidden email]> wrote:

>
>> I do appreciate the concern, and we need a solution to the issue.
>> I just don't think we have a complete one yet.
>> Right now, we have a supremely flexible (and thus insecure) situation,
>> whereas jsplugins-only is secure, but not remotely flexible from a user's perspective.
>>
>> This is an extremely serious incapacitation of the notebook.
>> The trouble is that jsplugins is a relatively tolerable substitue
>> for the single-user notebook, but where the problem is worst
>> is when users don't actually have access to the server
>> to install jsplugins.  So it's precisely the case where we
>> would not allow custom js that jsplugins fail most dramatically
>> as a substitute.
>>
>> Is it really our intention to require *server* installation of a plugin
>> for a user to gain access to a new widget? That seems to eliminate a *huge* portion of exactly what makes the notebook interesting.
>>
>> If we have a way that js plugins can be loaded at runtime by the user without access to the server (presumably with a 'do you trust this guy?' confirmation),
>> then that would go a long way toward preventing the total castration of the notebook.
>>
>
> The problem is that if we escape javascript in output to prevent js execution at load time we do make
> injecting javascript **script tag** useless in markdown and cell ouput.

I don't see any way that we can allow <script> tags in markdown and
HTML output.  Those is the most dangerous case as they are run at
notebook load time and there is no hook for us to prevent that.  All
we can do it strip them.

> This is a slight difference than displaying javascript with the Javascript object that actually evaluate the string of code.
> It is also dangerous in multi-user context, even if this javascript is not runned at load time.
>
> I think that Json plugin are much better than current structure because one of the first plugin you can write can evaluate javascript
> code, so it actually does the same as Javascript object.
> But, If you design a custom plugin that deal with a specific type of json data, then you get the ability for this data to be used
> at load time as the json repr is stored.
>
> And I do agree that we need to give users a way to still display JS.
>
> I still think we should **strongly** encourage them not to use Javascript object because of it's inherent evaluation
> which is not stored. It is nice for prototyping, but it does more harm than anything for sharing.
>
> Finally I suppose it will be doable and a good thing to develop the ability to plug those jsplugin to nbviewer.

Yes, I agree.

> --
> Matthias
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Wed, Jan 9, 2013 at 2:21 PM, Brian Granger <[hidden email]> wrote:
On Tue, Jan 8, 2013 at 11:37 PM, Matthias BUSSONNIER
<[hidden email]> wrote:
>
>> I do appreciate the concern, and we need a solution to the issue.
>> I just don't think we have a complete one yet.
>> Right now, we have a supremely flexible (and thus insecure) situation,
>> whereas jsplugins-only is secure, but not remotely flexible from a user's perspective.
>>
>> This is an extremely serious incapacitation of the notebook.
>> The trouble is that jsplugins is a relatively tolerable substitue
>> for the single-user notebook, but where the problem is worst
>> is when users don't actually have access to the server
>> to install jsplugins.  So it's precisely the case where we
>> would not allow custom js that jsplugins fail most dramatically
>> as a substitute.
>>
>> Is it really our intention to require *server* installation of a plugin
>> for a user to gain access to a new widget? That seems to eliminate a *huge* portion of exactly what makes the notebook interesting.
>>
>> If we have a way that js plugins can be loaded at runtime by the user without access to the server (presumably with a 'do you trust this guy?' confirmation),
>> then that would go a long way toward preventing the total castration of the notebook.
>>
>
> The problem is that if we escape javascript in output to prevent js execution at load time we do make
> injecting javascript **script tag** useless in markdown and cell ouput.

I don't see any way that we can allow <script> tags in markdown and
HTML output.  Those is the most dangerous case as they are run at
notebook load time and there is no hook for us to prevent that.  All
we can do it strip them.

I really can't imagine that it will come to this - you are talking about disabling pandas table printing,
and simple rich text reprs.  That doesn't seem tenable.  It's also disabling sized images, since our message spec so far has foolishly excluded shape information for images, etc, or the ability to display any kind of formatting (e.g. two images side-by-side).

We should be able to sanitize Javascript from HTML - both in rendered markdown and HTML output data. This, in turn, could allow script detection and give an 'unsafe dynamic content, only allow if you trust...' message.

The cost of what you are proposing is *extremely* high.
 

> This is a slight difference than displaying javascript with the Javascript object that actually evaluate the string of code.
> It is also dangerous in multi-user context, even if this javascript is not runned at load time.
>
> I think that Json plugin are much better than current structure because one of the first plugin you can write can evaluate javascript
> code, so it actually does the same as Javascript object.
> But, If you design a custom plugin that deal with a specific type of json data, then you get the ability for this data to be used
> at load time as the json repr is stored.
>
> And I do agree that we need to give users a way to still display JS.
>
> I still think we should **strongly** encourage them not to use Javascript object because of it's inherent evaluation
> which is not stored. It is nice for prototyping, but it does more harm than anything for sharing.
>
> Finally I suppose it will be doable and a good thing to develop the ability to plug those jsplugin to nbviewer.

Yes, I agree.

> --
> Matthias
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev


_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

Brian Granger-3
> I really can't imagine that it will come to this - you are talking about
> disabling pandas table printing,
> and simple rich text reprs.  That doesn't seem tenable.  It's also disabling
> sized images, since our message spec so far has foolishly excluded shape
> information for images, etc, or the ability to display any kind of
> formatting (e.g. two images side-by-side).

Sorry I wasn't clear.  I meant to just remove the <script> tags, not
all of the HTML ouput.  In your language "sanitize" it.

> We should be able to sanitize Javascript from HTML - both in rendered
> markdown and HTML output data. This, in turn, could allow script detection
> and give an 'unsafe dynamic content, only allow if you trust...' message.

Yep.

Brian

> The cost of what you are proposing is *extremely* high.
>
>>
>>
>> > This is a slight difference than displaying javascript with the
>> > Javascript object that actually evaluate the string of code.
>> > It is also dangerous in multi-user context, even if this javascript is
>> > not runned at load time.
>> >
>> > I think that Json plugin are much better than current structure because
>> > one of the first plugin you can write can evaluate javascript
>> > code, so it actually does the same as Javascript object.
>> > But, If you design a custom plugin that deal with a specific type of
>> > json data, then you get the ability for this data to be used
>> > at load time as the json repr is stored.
>> >
>> > And I do agree that we need to give users a way to still display JS.
>> >
>> > I still think we should **strongly** encourage them not to use
>> > Javascript object because of it's inherent evaluation
>> > which is not stored. It is nice for prototyping, but it does more harm
>> > than anything for sharing.
>> >
>> > Finally I suppose it will be doable and a good thing to develop the
>> > ability to plug those jsplugin to nbviewer.
>>
>> Yes, I agree.
>>
>> > --
>> > Matthias
>> >
>> >
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> [hidden email] and [hidden email]
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: D3js and IPython

MinRK


On Wed, Jan 9, 2013 at 4:49 PM, Brian Granger <[hidden email]> wrote:
> I really can't imagine that it will come to this - you are talking about
> disabling pandas table printing,
> and simple rich text reprs.  That doesn't seem tenable.  It's also disabling
> sized images, since our message spec so far has foolishly excluded shape
> information for images, etc, or the ability to display any kind of
> formatting (e.g. two images side-by-side).

Sorry I wasn't clear.  I meant to just remove the <script> tags, not
all of the HTML ouput.  In your language "sanitize" it.

> We should be able to sanitize Javascript from HTML - both in rendered
> markdown and HTML output data. This, in turn, could allow script detection
> and give an 'unsafe dynamic content, only allow if you trust...' message.

Yep.

Ah, sorry I misunderstood.  I thought you were saying we were going to remove HTML reprs entirely,
not scrub javascript from existing HTML reprs.  I still think we might want to have a warn/allow mechanism,
rather than a strict 'no js' policy, but 90% of the work for those two is actually the same,
so we can fight over that molehill when we get there :)
 

Brian

> The cost of what you are proposing is *extremely* high.
>
>>
>>
>> > This is a slight difference than displaying javascript with the
>> > Javascript object that actually evaluate the string of code.
>> > It is also dangerous in multi-user context, even if this javascript is
>> > not runned at load time.
>> >
>> > I think that Json plugin are much better than current structure because
>> > one of the first plugin you can write can evaluate javascript
>> > code, so it actually does the same as Javascript object.
>> > But, If you design a custom plugin that deal with a specific type of
>> > json data, then you get the ability for this data to be used
>> > at load time as the json repr is stored.
>> >
>> > And I do agree that we need to give users a way to still display JS.
>> >
>> > I still think we should **strongly** encourage them not to use
>> > Javascript object because of it's inherent evaluation
>> > which is not stored. It is nice for prototyping, but it does more harm
>> > than anything for sharing.
>> >
>> > Finally I suppose it will be doable and a good thing to develop the
>> > ability to plug those jsplugin to nbviewer.
>>
>> Yes, I agree.
>>
>> > --
>> > Matthias
>> >
>> >
>> >
>> > _______________________________________________
>> > IPython-dev mailing list
>> > [hidden email]
>> > http://mail.scipy.org/mailman/listinfo/ipython-dev
>>
>>
>>
>> --
>> Brian E. Granger
>> Cal Poly State University, San Luis Obispo
>> [hidden email] and [hidden email]
>> _______________________________________________
>> IPython-dev mailing list
>> [hidden email]
>> http://mail.scipy.org/mailman/listinfo/ipython-dev
>
>
>
> _______________________________________________
> IPython-dev mailing list
> [hidden email]
> http://mail.scipy.org/mailman/listinfo/ipython-dev
>



--
Brian E. Granger
Cal Poly State University, San Luis Obispo
[hidden email] and [hidden email]
_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev


_______________________________________________
IPython-dev mailing list
[hidden email]
http://mail.scipy.org/mailman/listinfo/ipython-dev
Loading...