Hacker News
by zainhoda 1182 days ago
That’s correct. Perhaps I should add some documentation around this. Untrusted user input needs to be sanitized before using it in the page.
1 comment

Seems like that should just be a warning in the docs, since mostly we're talking about trusted code written by the dev... Although maybe that's untrusted from your perspective as a PaaS?

What’s the escape hatch to write custom HTML in the Python source?

There's "HTML (.add_html)" in the docs - "Renders raw HTML. This is meant to be an escape hatch for when you need to render something that isn't supported by PyVibe." I'm guessing this isn't sanitized and we trust the dev. After all, they can do "eval" in Python which is much riskier than raw HTML :)
All of the components support rendering arbitrary HTML, which is exactly the problem.
No escape hatch is required since nothing is escaped...