I recently discovered in this mind-bending issue that most Markdown implementations don't sanitize their output, with Python-Markdown being no exception. This means that (contrary to popular belief), Markdown text cannot be trusted to be safe.
While developers should be careful to only accept merges after thoroughly reviewing code, there are lots of ways to subtly embed JS into documents, which can be easily overlooked (e.g. using onerror in an <img> tag). I cannot think of any non-malicious way to embed executing JS code within documentation markdown, when it is so much easier to bundle additional JS using mkdocs (which reviewers would be much more suspicious of, and therefore much more careful of).
Sanitize the Markdown output within documentation to prevent executable JS code from being embedded in the output. Perhaps mozilla/bleach can be used.
Do nothing, but document that docstrings cannot be blindly trusted to be safe, as JS can be embedded within them.
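As an added illustration of the first option (this is example code written for this issue, not code from Python-Markdown, mkdocs or bleach), here is a small allowlist sanitizer built only on the standard library. The RENDERED string is constructed by hand to look like what a Markdown renderer emits when a docstring contains raw HTML, which Python-Markdown passes through unchanged; the tag and attribute allowlists are assumptions and would need adjusting to the tags the documentation theme actually uses. The approach is the same one bleach takes: keep only known tags and attributes, so every on* handler is dropped, and reject href/src values whose scheme is not on a short safe list.

```python
"""Allowlist sanitizer for rendered Markdown/HTML, stdlib only (example code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tags and attributes documentation output legitimately needs.
ALLOWED_TAGS = {"p", "a", "img", "code", "pre", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "h4", "blockquote", "br", "hr", "table", "thead",
                "tbody", "tr", "th", "td", "span", "div"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
    "code": {"class"}, "pre": {"class"}, "span": {"class"}, "div": {"class"},
    "th": {"align"}, "td": {"align"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" covers relative URLs
VOID_TAGS = {"img", "br", "hr"}


def is_safe_url(value: str) -> bool:
    """True if the URL's scheme is on the allowlist (relative URLs included)."""
    # Strip whitespace/control characters that browsers ignore, so a scheme
    # split by a newline is normalised before the check.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ch.isprintable())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped; its text is still emitted, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onerror/onload/style/etc.
            value = value or ""
            if name in URL_ATTRS and not is_safe_url(value):
                continue                # drops javascript:/data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content (including the body of a dropped <script>) is re-escaped,
        # so it can never be interpreted as markup.
        self.out.append(escape(data))


def sanitize(html: str) -> str:
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: raw HTML from a docstring, passed through by the renderer.
RENDERED = (
    '<p>Returns the widget. <img src="x" onerror="run()"></p>\n'
    '<p><a href="javascript:run()">docs</a> and <a href="https://example.org">site</a></p>\n'
    '<script>run()</script>'
)

if __name__ == "__main__":
    print(sanitize(RENDERED))
```

The sanitizer is applied to the rendered HTML, not to the Markdown source, because the renderer is the component that turns raw HTML in a docstring into live markup. Dropped tags keep their text (escaped), which is the same default bleach uses, so a stray `<script>` in a docstring shows up as harmless literal text in the docs rather than silently disappearing.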