jsvine / nbpreview

Render Jupyter/IPython notebooks without running a notebook server.
https://jsvine.github.io/nbpreview/
MIT License
293 stars 65 forks

Nbpreview removes onclick attribute #4

Closed ingodahn closed 3 years ago

ingodahn commented 3 years ago

Test.zip

The markdown cell in the attached notebook has an onclick attribute which is removed by nbpreview when run in the hosted nbpreview version. Note: This was not the case in the previous version of nbpreview.

jsvine commented 3 years ago

Hi @ingodahn, and yes, notebook.js and nbpreview now sanitize all HTML and markdown inputs/outputs by default, to guard against malicious notebooks. If you run your own instance of nbpreview, you can tweak js/nbpreview.js (or load an additional custom script) to modify the behavior, using the nb.sanitizer option described here: https://github.com/jsvine/notebookjs#html-and-markdown-sanitization

In the future, it might be nice to allow users of https://jsvine.github.io/nbpreview/ to be able to adjust these parameters themselves. I am open to suggestions along those lines.

ingodahn commented 3 years ago

I really need to remove sanitation and yes I am running my own copy of nbpreview. Which changes do I have to make exactly to switch it off? As for nbpreview I'd suggest a checkbox for activating sanitation which is checked by default.

jsvine commented 3 years ago

> I really need to remove sanitation and yes I am running my own copy of nbpreview. Which changes do I have to make exactly to switch it off?

Per link above: `nb.sanitizer = function (x) { return x; };`. The most logical place to put it is either (a) in its own script (after js/vendor/notebook.min.js is loaded) ... or (b) in js/nbpreview.js before this line here:

https://github.com/jsvine/nbpreview/blob/113ec98e87ef53e91b19b5b95f0c36714074743d/js/nbpreview.js#L7

> As for nbpreview I'd suggest a checkbox for activating sanitation which is checked by default.

Yes, a checkbox is probably the simplest useful approach.
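
The checkbox idea from this thread, sketched as an added example (not code from nbpreview or notebook.js): it wraps the existing `nb.sanitizer` so sanitization stays on unless the box is explicitly unchecked. The function name `installSanitizerToggle`, the `checkbox` object, and the `fakeSanitize` stand-in are assumptions for illustration.

```javascript
// Added example, not nbpreview's or notebook.js's own code.
// `nb` is the notebook.js global; `checkbox` is any object with a boolean
// `checked` property (in a page, an <input type="checkbox"> element).
function installSanitizerToggle(nb, checkbox) {
  const original = nb.sanitizer; // keep whatever sanitizer is configured
  if (typeof original !== "function") {
    throw new TypeError("nb.sanitizer is not a function");
  }
  nb.sanitizer = function (html) {
    // Fail closed: only an explicit `checked === false` skips sanitizing.
    // A missing element or an undefined state still sanitizes.
    if (checkbox && checkbox.checked === false) {
      return html; // same effect as the identity function quoted in the thread
    }
    return original(html);
  };
  // Undo handle: puts the original sanitizer back.
  return function restore() {
    nb.sanitizer = original;
  };
}

// Constructed stand-ins so the example runs outside a browser.
// fakeSanitize is a crude placeholder, NOT a real HTML sanitizer.
function fakeSanitize(html) {
  return html.replace(/\sonclick="[^"]*"/g, "");
}

function demo() {
  const nb = { sanitizer: fakeSanitize };  // hypothetical stand-in for notebook.js
  const box = { checked: true };           // checked by default
  const restore = installSanitizerToggle(nb, box);
  const sample = '<span onclick="hello()">hi</span>'; // constructed input

  const on = nb.sanitizer(sample);         // box checked: sanitized
  box.checked = false;
  const off = nb.sanitizer(sample);        // box unchecked: passed through
  box.checked = undefined;
  const broken = nb.sanitizer(sample);     // unknown state: sanitized
  restore();
  return { on, off, broken, restored: nb.sanitizer === fakeSanitize };
}
```

Because the state is read on every call, toggling the box affects the next render without reloading the script.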