AbdealiJK

Jupyter sanitization

Mar 11th, 2017
  1. <h2>Allowed Tags:</h2>
  2. - <b>Allowed in sanitize-html</b>: h3, h4, h5, h6, blockquote, p, a, ul, ol, nl, li, b, i, strong, em, strike, code, hr, br, div, table, thead, caption, tbody, tr, th, td, pre
  3. - <b>Allowed in JLab</b>: {all from sanitize-html} + svg, h1, h2, img, span
  4. - <b>Allowed in google-caja</b> (marked as safe): a, abbr, acronym, address, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, kbd, label, legend, li, map, mark, menu, meter, nav, nobr, ol, optgroup, option, output, p, pre, progress, q, s, samp, section, select, small, source, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr
  5. - <b>Allowed in Jupyter Notebook</b>: {all from google-caja}; the Notebook's sanitizer additionally takes an argument that decides whether <code>&lt;style&gt;</code> tags are allowed, so that one element is a per-call choice rather than part of the fixed list above.
  6.  
  7. <hr />
  8. <h2>Allowed attributes:</h2>
  <p>One line per entry of the Caja <code>html4.ATTRIBS</code> table that Jupyter ships, in the form <code>element::attribute : policy</code>; <code>*::</code> rows apply to every element. The policy text is the attribute's <i>type</i> as Caja classifies it, not necessarily the sanitizer's final decision (for example the ID/IDREF/name/class rows may still be rewritten by whatever name-token policy the Notebook passes in). Note also that because <code>form</code>, <code>input</code>, <code>button</code>, <code>select</code> and <code>textarea</code> are allowed elements and <code>form::action</code> accepts an <code>http</code>/<code>https</code> URI, sanitized output can still contain a working form that submits user input to an external site.</p>
  9. <pre>
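  // Generated using the snippet below. Paste it into the browser console of a
  // running Notebook: it walks the Caja attribute table that Jupyter ships
  // (Jupyter.security.caja.html4.ATTRIBS) and prints one
  // "<element>::<attribute> : <policy>" line per entry, "*" meaning any element.
  var html4 = Jupyter.security.caja.html4;
  var atype = html4.atype;

  // Map a Caja attribute-type code to the policy text printed for it.
  // The strings are exactly those of the listing below, so the output format
  // is unchanged. Anything not named here (the SCRIPT type used for on*
  // handlers, and whatever type attributes such as a::target carry) falls
  // to the rejecting default.
  // NOTE(review): these rows report the attribute's *type*, not the
  // sanitizer's final decision; the ID/IDREF/name/class group may still be
  // rewritten or dropped depending on the policies Jupyter passes to Caja —
  // confirm against the Notebook's security.js before relying on "allowed".
  function describeAttribType(code) {
    switch (code) {
      case atype['NONE']:
      case atype['ID']:
      case atype['IDREF']:
      case atype['IDREFS']:
      case atype['GLOBAL_NAME']:
      case atype['LOCAL_NAME']:
      case atype['CLASSES']:
        return ": allowed";
      case atype['STYLE']:
        return ": parse css and allow some";
      case atype['URI']:
        return ": Should be parseable and only schemes: http, https, geo, mailto, sms, tel";
      case atype['URI_FRAGMENT']:
        return ": Should start with hash";
      case atype['SCRIPT']:
      default:
        return ": no";
    }
  }

  // Own-property guard: for...in also visits inherited enumerable keys, which
  // would otherwise show up as bogus attribute rows.
  for (var key in html4.ATTRIBS) {
    if (!Object.prototype.hasOwnProperty.call(html4.ATTRIBS, key)) { continue; }
    console.log(key, describeAttribType(html4.ATTRIBS[key]));
  }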
  27. </pre>
  28.  
  29. *::class : allowed
  30. *::dir : allowed
  31. *::draggable : allowed
  32. *::hidden : allowed
  33. *::id : allowed
  34. *::inert : allowed
  35. *::itemprop : allowed
  36. *::itemref : allowed
  37. *::itemscope : allowed
  38. *::lang : allowed
  39. *::onblur : no
  40. *::onchange : no
  41. *::onclick : no
  42. *::ondblclick : no
  43. *::onerror : no
  44. *::onfocus : no
  45. *::onkeydown : no
  46. *::onkeypress : no
  47. *::onkeyup : no
  48. *::onload : no
  49. *::onmousedown : no
  50. *::onmousemove : no
  51. *::onmouseout : no
  52. *::onmouseover : no
  53. *::onmouseup : no
  54. *::onreset : no
  55. *::onscroll : no
  56. *::onselect : no
  57. *::onsubmit : no
  58. *::ontouchcancel : no
  59. *::ontouchend : no
  60. *::ontouchenter : no
  61. *::ontouchleave : no
  62. *::ontouchmove : no
  63. *::ontouchstart : no
  64. *::onunload : no
  65. *::spellcheck : allowed
  66. *::style : parse css and allow some
  67. *::title : allowed
  68. *::translate : allowed
  69. a::accesskey : allowed
  70. a::coords : allowed
  71. a::href : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  72. a::hreflang : allowed
  73. a::name : allowed
  74. a::onblur : no
  75. a::onfocus : no
  76. a::shape : allowed
  77. a::tabindex : allowed
  78. a::target : no
  79. a::type : allowed
  80. area::accesskey : allowed
  81. area::alt : allowed
  82. area::coords : allowed
  83. area::href : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  84. area::nohref : allowed
  85. area::onblur : no
  86. area::onfocus : no
  87. area::shape : allowed
  88. area::tabindex : allowed
  89. area::target : no
  90. audio::controls : allowed
  91. audio::loop : allowed
  92. audio::mediagroup : allowed
  93. audio::muted : allowed
  94. audio::preload : allowed
  95. audio::src : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  96. bdo::dir : allowed
  97. blockquote::cite : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  98. br::clear : allowed
  99. button::accesskey : allowed
  100. button::disabled : allowed
  101. button::name : allowed
  102. button::onblur : no
  103. button::onfocus : no
  104. button::tabindex : allowed
  105. button::type : allowed
  106. button::value : allowed
  107. canvas::height : allowed
  108. canvas::width : allowed
  109. caption::align : allowed
  110. col::align : allowed
  111. col::char : allowed
  112. col::charoff : allowed
  113. col::span : allowed
  114. col::valign : allowed
  115. col::width : allowed
  116. colgroup::align : allowed
  117. colgroup::char : allowed
  118. colgroup::charoff : allowed
  119. colgroup::span : allowed
  120. colgroup::valign : allowed
  121. colgroup::width : allowed
  122. command::checked : allowed
  123. command::command : allowed
  124. command::disabled : allowed
  125. command::icon : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  126. command::label : allowed
  127. command::radiogroup : allowed
  128. command::type : allowed
  129. data::value : allowed
  130. del::cite : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  131. del::datetime : allowed
  132. details::open : allowed
  133. dir::compact : allowed
  134. div::align : allowed
  135. dl::compact : allowed
  136. fieldset::disabled : allowed
  137. font::color : allowed
  138. font::face : allowed
  139. font::size : allowed
  140. form::accept : allowed
  141. form::action : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  142. form::autocomplete : allowed
  143. form::enctype : allowed
  144. form::method : allowed
  145. form::name : allowed
  146. form::novalidate : allowed
  147. form::onreset : no
  148. form::onsubmit : no
  149. form::target : no
  150. h1::align : allowed
  151. h2::align : allowed
  152. h3::align : allowed
  153. h4::align : allowed
  154. h5::align : allowed
  155. h6::align : allowed
  156. hr::align : allowed
  157. hr::noshade : allowed
  158. hr::size : allowed
  159. hr::width : allowed
  160. iframe::align : allowed
  161. iframe::frameborder : allowed
  162. iframe::height : allowed
  163. iframe::marginheight : allowed
  164. iframe::marginwidth : allowed
  165. iframe::width : allowed
  166. img::align : allowed
  167. img::alt : allowed
  168. img::border : allowed
  169. img::height : allowed
  170. img::hspace : allowed
  171. img::ismap : allowed
  172. img::name : allowed
  173. img::src : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  174. img::usemap : Should start with hash
  175. img::vspace : allowed
  176. img::width : allowed
  177. input::accept : allowed
  178. input::accesskey : allowed
  179. input::align : allowed
  180. input::alt : allowed
  181. input::autocomplete : allowed
  182. input::checked : allowed
  183. input::disabled : allowed
  184. input::inputmode : allowed
  185. input::ismap : allowed
  186. input::list : allowed
  187. input::max : allowed
  188. input::maxlength : allowed
  189. input::min : allowed
  190. input::multiple : allowed
  191. input::name : allowed
  192. input::onblur : no
  193. input::onchange : no
  194. input::onfocus : no
  195. input::onselect : no
  196. input::placeholder : allowed
  197. input::readonly : allowed
  198. input::required : allowed
  199. input::size : allowed
  200. input::src : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  201. input::step : allowed
  202. input::tabindex : allowed
  203. input::type : allowed
  204. input::usemap : Should start with hash
  205. input::value : allowed
  206. ins::cite : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  207. ins::datetime : allowed
  208. label::accesskey : allowed
  209. label::for : allowed
  210. label::onblur : no
  211. label::onfocus : no
  212. legend::accesskey : allowed
  213. legend::align : allowed
  214. li::type : allowed
  215. li::value : allowed
  216. map::name : allowed
  217. menu::compact : allowed
  218. menu::label : allowed
  219. menu::type : allowed
  220. meter::high : allowed
  221. meter::low : allowed
  222. meter::max : allowed
  223. meter::min : allowed
  224. meter::value : allowed
  225. ol::compact : allowed
  226. ol::reversed : allowed
  227. ol::start : allowed
  228. ol::type : allowed
  229. optgroup::disabled : allowed
  230. optgroup::label : allowed
  231. option::disabled : allowed
  232. option::label : allowed
  233. option::selected : allowed
  234. option::value : allowed
  235. output::for : allowed
  236. output::name : allowed
  237. p::align : allowed
  238. pre::width : allowed
  239. progress::max : allowed
  240. progress::min : allowed
  241. progress::value : allowed
  242. q::cite : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  243. select::autocomplete : allowed
  244. select::disabled : allowed
  245. select::multiple : allowed
  246. select::name : allowed
  247. select::onblur : no
  248. select::onchange : no
  249. select::onfocus : no
  250. select::required : allowed
  251. select::size : allowed
  252. select::tabindex : allowed
  253. source::type : allowed
  254. table::align : allowed
  255. table::bgcolor : allowed
  256. table::border : allowed
  257. table::cellpadding : allowed
  258. table::cellspacing : allowed
  259. table::frame : allowed
  260. table::rules : allowed
  261. table::summary : allowed
  262. table::width : allowed
  263. tbody::align : allowed
  264. tbody::char : allowed
  265. tbody::charoff : allowed
  266. tbody::valign : allowed
  267. td::abbr : allowed
  268. td::align : allowed
  269. td::axis : allowed
  270. td::bgcolor : allowed
  271. td::char : allowed
  272. td::charoff : allowed
  273. td::colspan : allowed
  274. td::headers : allowed
  275. td::height : allowed
  276. td::nowrap : allowed
  277. td::rowspan : allowed
  278. td::scope : allowed
  279. td::valign : allowed
  280. td::width : allowed
  281. textarea::accesskey : allowed
  282. textarea::autocomplete : allowed
  283. textarea::cols : allowed
  284. textarea::disabled : allowed
  285. textarea::inputmode : allowed
  286. textarea::name : allowed
  287. textarea::onblur : no
  288. textarea::onchange : no
  289. textarea::onfocus : no
  290. textarea::onselect : no
  291. textarea::placeholder : allowed
  292. textarea::readonly : allowed
  293. textarea::required : allowed
  294. textarea::rows : allowed
  295. textarea::tabindex : allowed
  296. textarea::wrap : allowed
  297. tfoot::align : allowed
  298. tfoot::char : allowed
  299. tfoot::charoff : allowed
  300. tfoot::valign : allowed
  301. th::abbr : allowed
  302. th::align : allowed
  303. th::axis : allowed
  304. th::bgcolor : allowed
  305. th::char : allowed
  306. th::charoff : allowed
  307. th::colspan : allowed
  308. th::headers : allowed
  309. th::height : allowed
  310. th::nowrap : allowed
  311. th::rowspan : allowed
  312. th::scope : allowed
  313. th::valign : allowed
  314. th::width : allowed
  315. thead::align : allowed
  316. thead::char : allowed
  317. thead::charoff : allowed
  318. thead::valign : allowed
  319. tr::align : allowed
  320. tr::bgcolor : allowed
  321. tr::char : allowed
  322. tr::charoff : allowed
  323. tr::valign : allowed
  324. track::default : allowed
  325. track::kind : allowed
  326. track::label : allowed
  327. track::srclang : allowed
  328. ul::compact : allowed
  329. ul::type : allowed
  330. video::controls : allowed
  331. video::height : allowed
  332. video::loop : allowed
  333. video::mediagroup : allowed
  334. video::muted : allowed
  335. video::poster : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  336. video::preload : allowed
  337. video::src : Should be parseable and only schemes: http, https, geo, mailto, sms, tel
  338. video::width : allowed
  339. style : no