nteract / markdown

A package for rendering Markdown within Jupyter notebooks

XSS issue with escapeHtml=false in react-markdown

bryanchen-d opened this issue · comments

Is there a plan to sanitize the HTML markup when rendering the HTML?
Following are examples of scripts that can be executed.

<img src="" onerror="alert()">
<a href="javascript:alert()">hey</a>

This also allows for user written code to access cookies:

<iframe src="javascript:console.log(document.cookie)">
</iframe>

Meaning if this library were to be deployed as a part of an application with login, users could use this to potentially steal the creds of other users viewing their notebooks.

This can be resolved by enabling escaping HTML in the underlying React Markdown renderer at markdown-renderer.tsx. PRs welcome!

@captainsafia totally down to do that, the only thing that made me pause is that someone must have set it to true for a reason. I was hesitant to update it myself since I didn't want to undo whatever they were doing, but if it's safe to do so, I'll go ahead!

@maclockard Totally fair and thanks for being diligent about it!

Context: a lot of the packages in the nteract ecosystem sprang out of the inception of the nteract desktop app. That means that we still carry vestiges of decisions that were primarily desktop-focused. The nteract desktop app is a React app delivered cross-platform via Electron.

We had escaping HTML disabled because (1) it was low-risk in the Electron sandbox we were running on and (2) it provided a richer experience for users of interactive notebooks who wanted to include HTML images/links/etc in their markdown.

Now, nteract has evolved into an ecosystem that is designed to accommodate desktop/web/mobile targets and those prior decisions are no longer as sensible.

So ideally, we enable escaping HTML by default and provide some UI that allows users to disable it if they trust the environment they are running in.
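An added example (not nteract's or react-markdown's code) that models the two settings discussed in this thread: a minimal stand-in renderer that either passes raw HTML in a markdown cell through verbatim (the old `escapeHtml: false` behaviour) or entity-encodes it (the safe default), plus a defender-side check that flags markup which would execute script in a viewer's browser. The renderer, `containsActiveHtml`, and the sample cell are constructed for illustration only.

```javascript
// Stand-in for react-markdown's handling of raw HTML; not the real library.
// It only understands a single paragraph with inline raw HTML elements.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Entity-encode a fragment so the browser shows it as literal text instead of parsing it.
function escapeHtml(fragment) {
  return fragment.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Matches one raw HTML element: an opening tag through its matching closing tag,
// or a lone/self-closing tag such as <img ...>. Good enough for this illustration.
const RAW_HTML = /<([a-zA-Z][\w-]*)\b[^>]*>[\s\S]*?<\/\1\s*>|<[a-zA-Z][\w-]*\b[^>]*\/?>/g;

// Render a markdown cell to HTML. Plain text is always escaped; raw HTML is
// escaped only when options.escapeHtml is true (the default this thread settles on).
function renderMarkdown(source, options = { escapeHtml: true }) {
  let out = "";
  let last = 0;
  for (const m of source.matchAll(RAW_HTML)) {
    out += escapeHtml(source.slice(last, m.index));
    out += options.escapeHtml ? escapeHtml(m[0]) : m[0]; // weak setting passes it through
    last = m.index + m[0].length;
  }
  out += escapeHtml(source.slice(last));
  return `<p>${out}</p>`;
}

// Detection helper: does rendered output still contain live markup, i.e. an inline
// event handler attribute (on*=) or a javascript: URL in src/href?
function containsActiveHtml(html) {
  const hasEventHandler = /<[^>]+\son[a-z]+\s*=/i.test(html);
  const hasJsUrl = /<[^>]+\s(?:src|href)\s*=\s*["']?\s*javascript:/i.test(html);
  return hasEventHandler || hasJsUrl;
}

// Constructed sample cell using the payloads quoted in this issue.
const CELL = 'Hello <img src="" onerror="alert()"> world <a href="javascript:alert()">hey</a>';

// Compare both settings on the same cell; the escaped form is inert text.
function demo() {
  const unsafe = renderMarkdown(CELL, { escapeHtml: false });
  const safe = renderMarkdown(CELL, { escapeHtml: true });
  return { unsafe, safe, unsafeActive: containsActiveHtml(unsafe), safeActive: containsActiveHtml(safe) };
}

console.log(demo());
```

In a real deployment the check belongs in tests or CI around the renderer configuration, not in the render path; the fix itself is simply leaving `escapeHtml` at its safe default.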

ah, totally makes sense!

would it be possible to get a new release with the fix in it?

Published in @nteract/markdown@4.6.0.