-
-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JupyterLab removing HTML style attribs #1812
Comments
Thanks @AbdealiJK, it looks like we need to add |
@blink1073 Could the style tag be added as allowed for all tags ? Doing a style for a |
I think we can generally support the |
Did a quick analysis of the tags we allow and the tags that Jupyter Notebook allows - As I'm assuming we want feature parity. Here's a summary: Tags
Note: The google-caja list can be gotten in Jupyter Notebook JS console with: for (var key in Jupyter.security.caja.html4.ELEMENTS) { if (!(Jupyter.security.caja.html4.ELEMENTS[key] & Jupyter.security.caja.html4.eflags.UNSAFE)) {console.log(key)}; } From all the tags that google-caja knows of, it marks the following as unsafe: base, basefont, body, dialog, frame, frameset, head, html, isindex, keygen, link, meta, noembed, noframes, noscript, object, param, script, style, title |
Let me know if we want all of these. i can also check which attributes in each of these are allowed in google-caja. Do we want to use google-caja in JLab to get this list ? or should we write our own list using google-caja as reference ? EDIT: Here's what caja does with attributes - http://pastebin.com/RMkxkYDE Jupyter Notebook allows all data-* attributed on top of this list and also allows img::src even if it's not parseable so that data uri are accepted |
Could you point me to which googlecaja we would like to use in npm? There seem to be many packages that create a npm bundle out of it. |
Looking at this more, I'm not sure there is much we can do until googlearchive/caja#1977 is fixed. I'd prefer to err on the side of over-sanitizing rather than use an unsupported sanitization library. However, I think we can welcome a PR that makes the HTML tag handling consistent with the classic notebook. |
@minrk, you maintain a bower package for google-caja, what are your thoughts on this? |
I did the bower one so we could use it in the notebook. We can do the same for npm in jupyterlab. Would you like me to sketch out how to make that package? Or maybe use someone else's if they have already made it like @AbdealiJK suggests? |
We could start with https://www.npmjs.com/package/google-caja and fork your package as an npm package if we run into trouble. |
If someone's already packaged it, it makes sense to start from there. It doesn't bode super well that the package hasn't received an update in four years and the owner has deleted their GitHub account, though. |
I've found a lot of packages for google-Caja on Npm , but most of them haven't been updated for more than a year and that looks like a big negative to me. |
I imagine the only thing needed to turn my caja bower package into npm would be a package.json and possibly index.js, so that should be pretty quick. @blink1073 feel free to make a PR on that repo (and/or migrate it to JupyterLab, if you think that's a good idea). |
I'm inclined to try the mapbox one and not try and maintain our own fork unless it is missing something. |
Moving this to 1.0 as it is a feature parity issue and may take some time. |
Good news from sanitize-html:
|
This would entail using the https://github.com/punkave/sanitize-html#allowed-css-styles |
Note: this issue also applies to divs. The following renders a noice blue rectangle in the classic notebook, but the css is stripped in jupyterlab.
|
Looks like |
|
|
I'm currently working on this. See #5012 if you want to provide further input. |
Hello, do you know when this option will be available in a clonable version of jupyterlab. I tried the following markdown with Version 0.35.0a0: but I'm still not seeing coloured text. |
I tried installing from master the other day, using a docker container:
But then the latest released tag version seems to get installed (at least, that's what Also, I tried styling Markdown in a notebook, not in a Markdown file. But that shouldn't make a difference, should it? |
Correct - that's how you run master.
Correct - it shouldn't make a difference. |
In Jupyter Notebook I can make a markdown cell with
and it rendered nicely as:
In JupyterLab this does not work anymore and it shows instead:
The text was updated successfully, but these errors were encountered: