by gvx 1182 days ago
I think what they mean is that methods like add_header and add_text actually take raw HTML as an argument, which means that if you want to add arbitrary text, you actually need to do

    import html

    ...

    card.add_text(html.escape(my_text))
1 comments

That’s correct. Perhaps I should add some documentation around this. Untrusted user input needs to be sanitized before using it in the page.
Seems like that should just be a warning in the docs, since mostly we’re talking about trusted code written by the dev… Although maybe that’s untrusted from your perspective as a PaaS?

What’s the escape hatch to write custom HTML in the Python source?

There's "HTML (.add_html)" in the docs - "Renders raw HTML. This is meant to be an escape hatch for when you need to render something that isn't supported by PyVibe." I'm guessing this isn't sanitized and we trust the dev. After all, they can do "eval" in Python, which is much riskier than raw HTML :)
All of the components support rendering arbitrary HTML, which is exactly the problem.
No escape hatch is required since nothing is escaped...
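An added, self-contained illustration of the point gvx raises above and of the last comment's "nothing is escaped" (example code, not PyVibe's and not from any commenter): RawHtmlCard is a hypothetical stand-in for a component whose add_text() inserts its argument into the page as raw HTML, and USER_INPUT is a constructed sample of untrusted text.

```python
import html


class RawHtmlCard:
    """Hypothetical stand-in for a PyVibe-style component (not PyVibe's code).

    add_text() concatenates its argument into the page unchanged, so the
    caller is implicitly trusted with raw HTML.
    """

    def __init__(self):
        self._parts = []

    def add_text(self, markup: str) -> "RawHtmlCard":
        # No escaping happens here: whatever string arrives becomes markup.
        self._parts.append(f"<p>{markup}</p>")
        return self

    def render(self) -> str:
        return "".join(self._parts)


def text_node(untrusted: str) -> str:
    """Escape untrusted text at the boundary before handing it to a component.

    quote=True additionally escapes ' and " so the result is also safe if it
    ends up inside an attribute value, not only as element text.
    """
    return html.escape(untrusted, quote=True)


# Constructed sample of untrusted input containing markup and an ampersand.
USER_INPUT = "<script>alert('xss')</script> & co"


def render_unsafe(user_input: str = USER_INPUT) -> str:
    """Passes user input straight through; the markup is rendered live."""
    return RawHtmlCard().add_text(user_input).render()


def render_safe(user_input: str = USER_INPUT) -> str:
    """Escapes first, as gvx's snippet does, so the input is shown as text."""
    return RawHtmlCard().add_text(text_node(user_input)).render()


if __name__ == "__main__":
    print("unsafe:", render_unsafe())
    print("safe:  ", render_safe())
```

Running it shows the same string rendered once as a live script element and once as inert text, which is the difference the thread is about.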