Only the html() output is run through lxml, not the whole worksheet. Indeed, 
we do want to allow the Sage server to put JavaScript into the notebook. So 
to clarify: Only html() output injected by the user into the notebook is 
sanitized and stripped of styles.



On Saturday, October 6, 2012 7:24:13 PM UTC+1, Andrea Lazzarotto wrote:
>
>
>
> 2012/10/6 Volker Braun <vbrau...@gmail.com>
>
>> But we use none of that since Jason's patch explicitly removes all style 
>> tags.
>
>
> What about style attributes?
>
> -- 
> Andrea Lazzarotto - http://andrealazzarotto.com
>

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To post to this group, send email to sage-devel@googlegroups.com.
To unsubscribe from this group, send email to 
sage-devel+unsubscr...@googlegroups.com.
Visit this group at http://groups.google.com/group/sage-devel?hl=en.
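
The distinction raised in the quoted question, shown as an added example that is not part of the original thread and is not the Sage patch: removing <style> elements alone leaves inline style attributes in place. It uses Python's standard-library html.parser rather than lxml, and the names StyleStripper, strip_styles and SAMPLE are made up for this example.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input"}  # elements that take no end tag


class StyleStripper(HTMLParser):
    """Re-serialise a fragment without <style> elements; comments are dropped too."""

    def __init__(self, strip_attributes=True):
        super().__init__(convert_charrefs=True)
        self.strip_attributes = strip_attributes
        self.out = []
        self.in_style = False  # True while inside <style> ... </style>

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        if self.in_style:
            return
        # HTMLParser lowercases attribute names, so STYLE= is caught as well.
        kept = [(k, v) for k, v in attrs
                if not (self.strip_attributes and k == "style")]
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        elif not self.in_style and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_style:  # the CSS text inside <style> is discarded
            self.out.append(escape(data, quote=False))


def strip_styles(fragment, strip_attributes=True):
    parser = StyleStripper(strip_attributes)
    parser.feed(fragment)
    parser.close()  # flush any buffered text
    return "".join(parser.out)


# Constructed sample standing in for user-supplied html() output.
SAMPLE = ('<style>body { display: none }</style>'
          '<p STYLE="position:fixed;top:0">hello</p>')
```

With strip_attributes=False the <style> element is gone but the inline style on the paragraph survives, which is the gap the question points at.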

