Tighten notebook code cell output sandbox and enable it by default (#664)

* Tighten notebook code cell output sandbox * Enable sandboxnotebookoutputs by default * Address feedback
2025-12-21 09:51:11 +00:00 · 2021-04-14 11:06:44 -07:00
parent 1685b34e2a
commit 68789c5069
8 changed files with 202 additions and 36 deletions
--- a/src/Explorer/Notebook/NotebookRenderer/outputs/SanitizedHTML.tsx
+++ b/src/Explorer/Notebook/NotebookRenderer/outputs/SanitizedHTML.tsx
@@ -0,0 +1,38 @@
+import { Media } from "@nteract/outputs";
+import React from "react";
+import sanitizeHtml from "sanitize-html";
+
+interface Props {
+  /**
+   * The HTML string that will be rendered.
+   */
+  data: string;
+  /**
+   * The media type associated with the HTML
+   * string. This defaults to text/html.
+   */
+  mediaType: "text/html";
+}
+
+export class SanitizedHTML extends React.PureComponent<Props> {
+  static defaultProps = {
+    data: "",
+    mediaType: "text/html",
+  };
+
+  render(): JSX.Element {
+    return <Media.HTML data={sanitize(this.props.data)} />;
+  }
+}
+
+function sanitize(html: string): string {
+  return sanitizeHtml(html, {
+    allowedTags: false, // allow all tags
+    allowedAttributes: false, // allow all attrs
+    transformTags: {
+      iframe: "iframe-disabled", // disable iframes
+    },
+  });
+}
+
+export default SanitizedHTML;