Apparently in response to https://nvd.nist.gov/vuln/detail/CVE-2021-32798, the Jupyter Notebook maintainers have chosen to implement markdown sanitization in all notebooks >=6.4.1 that completely strips all HTML styling. This breaks most of my educational notebooks, which use styling beyond what markdown is capable of.
I would suggest this should be discussed and think that one of the following approaches might be better:

1. Create a blacklist of the HTML elements (e.g. <form>, <button>, <script>) that will be stripped. Leave everything else. Make it very clear that they will be stripped. They should probably be deleted from the markdown code.
2. Create a whitelist of things allowed (e.g. allow style, but not onclick, onload, etc.). This is probably harder, unless there is truly only a limited set that is safe. This may require limiting to style features, like margins, colors, backgrounds, and element sizing/placement.
3. Behave more like code cells. Accept anything, but do not process them unless the user explicitly trusts the notebook.

Can somebody explain why it is necessary to completely remove the capability to use HTML styling in markdown cells? It seems to me there ought to be an alternative.

Regards,
Jonathan
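
Option 2 above (keep style, drop onclick, onload and similar) sketched in Python, as an added example that is not part of the original message and is not Jupyter Notebook's sanitizer. The tag list, CSS property list and value pattern are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy, chosen for illustration; not the lists Jupyter Notebook uses.
ALLOWED_TAGS = {"div", "span", "p", "b", "i", "em", "strong", "h1", "h2", "h3",
                "br", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style"}   # remove the element and its text
ALLOWED_CSS = {"color", "background-color", "margin", "padding", "width",
               "height", "text-align", "font-size", "font-weight", "border"}
# Values are allowlisted too: no "(", quotes, "/" or "\" means no url(), expression() or escapes.
VALUE_OK = re.compile(r"[#\w\s.%,-]+")

def clean_style(style):
    """Keep only allowlisted 'property: value' declarations with inert values."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if sep and prop in ALLOWED_CSS and VALUE_OK.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            # Only a filtered style attribute is re-emitted; onclick, onload, href etc. never are.
            style = clean_style(dict(attrs).get("style") or "")
            self.out.append(f'<{tag} style="{escape(style)}">' if style else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is re-escaped, so it cannot reintroduce markup
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Elements outside the allowlist, such as <form> and <button>, lose their tags but keep their text, and the output is rebuilt from parsed tokens rather than edited in place, so anything the policy does not name is dropped by default.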