notebook 6.4.3 sanitizes html differently than before (and differently from lab)

[rabernat]

Describe the bug

In notebok 6.3.0 and earlier (and in lab 3.1.9), I am able to create custom-styled html elements inside markdown cells like this

<h1 style="color: red;">Hello!</h1>

...and they work fine.

In notebook 6.4.3, this gets sanitized to

<h1 style="undefined:undefined" id="Hello!">Hello!<a class="anchor-link" href="#Hello!">¶</a></h1>

Perhaps this is a necessary security improvement but

• It feels like a regression, since my custom styling is now broken
• It still works in lab, which seems inconsistent

To Reproduce
Steps to reproduce the behavior:

1. Create a new notebook
2. Create a markdown cell with the contents <h1 style="color: red;">Hello!</h1>
3. "Inspect element" to see the santized style

Desktop (please complete the following information):

• OS: iOS
• Browser: chrome
• Version: 6.4.3

cc @yuvipanda, who helped me diagnose this in the 2i2c slack.

Possibly related to #6109.

[fperez]

I wanted to add that this will probably cause pretty serious breakage in a lot of scenarios - the original example that @rabernat pointed out was styling images along the lines of

<img style="display: inline; width: 120px;  vertical-align: middle;" 
src="https://m2lines.github.io/images/newlogo.png" />

which became

<img style="undefined:undefined;undefined:undefined;undefined:undefined" 
src="https://m2lines.github.io/images/newlogo.png">

Given that markdown image handling is so limited by default, many people use bare HTML to better image display in their notebooks. So I suspect this will impact negatively quite a few legitimate uses.

[Zsailer]

This is being addressed in #6160.

[Zsailer]

Just released v6.4.4.

Let us know if this doesn't address the issue. Otherwise, feel free to close here.

Thanks, all!

[rabernat]

Thanks a lot for making the release @Zsailer. Any idea why it is not yet on pypi or conda forge?

[ghazpar]

It is now 11 days after the release of 6.4.4, but the package is still not available on pypi. Is there an ETA?

Because the HTML sanitization of 6.4 is breaking my app...

[blink1073]

I just pushed https://pypi.org/project/notebook/6.4.4, conda-forge will be up sometime today

[Zsailer]

Thank you for your patience, y'all. I had attempted an automated release, but it looks like there was a malfunction in the authentication when it tried to push to PyPI. I missed it, because the Github Action went green. My apologies for the delayed response here.

[Zsailer]

Closing this issue, since it should be solved by 6.4.4. Feel free to re-open if the issue resurfaces.