Javascript execution in pads

Hi, I want to know why JS code written between script tags, like style tags, doesn’t run in the HTML render of the pads. I am interested in using HedgeDoc similarly to Jupyter Notebook. I made some tests and the JS didn’t run, so I made another very, very messy test to at least show what I am looking for:

  1. This is the sample: https://pad.programando.li/ytPZLBk2SHyQCFrWgIlowA
  2. I have to use a CodePen to run the JS code; the snippet is here: https://codepen.io/NikaZhenya/pen/NWbZzjQ
  3. The only way to incorporate it in a published pad view is with an iframe: https://pad.programando.li/4iE-3jn7QLuOmEAn-EEiQg

What I am looking for is to skip 2 and 3 and do it all in the same pad as 1: I edit and write some JS, and in the publish view I can execute the code (with a play button or automatically when there is some kind of focus).

Any thoughts or feedback?

Script tags are filtered in the rendering process because the risk of malware is too high.

We don’t and won’t allow arbitrary js.

Yeah, I thought it was because of that, but shouldn’t that be a decision of the user who creates the pad, like a JS switch? Or if not, any recommendation of a pathway to achieve this?

Sorry but arbitrary JavaScript is a security concern and in our opinion not needed to fulfill HedgeDoc’s main purpose.

Hi @NikaZhenya,

The problem is actually not that you run your code in your note. It becomes a problem as soon as you execute code from another person’s note that has access to your credentials. For example, it’s trivial to write a script that deletes your HedgeDoc account as soon as you visit a note, when you allow JS in notes.

I don’t know about you, but I think it should be up to the user when they want to delete their own account. And that’s why you’ll need an isolation layer, such as an iframe, to isolate code execution in a note.

I hope that makes it a bit more clear.

Sheogorath
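The isolation layer Sheogorath describes, as an added example that is not part of this thread or of HedgeDoc’s code: note-supplied markup is wrapped in an iframe whose `sandbox` attribute grants `allow-scripts` but not `allow-same-origin`, so the embedded code runs under an opaque origin and cannot read the host page’s cookies or storage, nor call the instance’s API with the visitor’s session. The helper names (`escapeAttr`, `sandboxedEmbed`, `sandboxIsIsolating`) and the per-frame CSP string are assumptions chosen for the example.

```javascript
// Added example (not HedgeDoc's own code): isolating untrusted note code
// in a sandboxed iframe instead of running it in the host page.

// Escape text so it can sit inside a double-quoted HTML attribute (srcdoc).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an <iframe> for note-supplied HTML/JS. The token list deliberately
// omits allow-same-origin: combined with allow-scripts it would let the frame
// share the host's origin (cookies, localStorage, credentialed API calls) and
// even strip its own sandbox attribute via the parent document.
function sandboxedEmbed(noteHtml, { allowForms = false } = {}) {
  const tokens = ['allow-scripts'];
  if (allowForms) tokens.push('allow-forms');
  // Hypothetical per-frame CSP (assumption): inline script/style only,
  // no network requests from inside the sandbox.
  const csp = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";
  const doc =
    `<!doctype html><meta http-equiv="Content-Security-Policy" content="${csp}">` +
    noteHtml;
  return (
    `<iframe sandbox="${tokens.join(' ')}" referrerpolicy="no-referrer" ` +
    `srcdoc="${escapeAttr(doc)}"></iframe>`
  );
}

// Review check for a proposed sandbox attribute value: reject the token
// combinations that would hand the note code the visitor's origin or let it
// navigate the top-level page away.
function sandboxIsIsolating(attrValue) {
  const t = attrValue.split(/\s+/).filter(Boolean);
  const sameOriginScripts = t.includes('allow-same-origin') && t.includes('allow-scripts');
  return !sameOriginScripts && !t.includes('allow-top-navigation');
}

// Stand-alone demo with a constructed note body.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(sandboxedEmbed('<script>document.title = "hello from the note";</script>'));
  console.log(sandboxIsIsolating('allow-scripts'), sandboxIsIsolating('allow-scripts allow-same-origin'));
}
```

The trade-off is that the sandboxed note code cannot talk to the hosting pad at all; anything it needs from the host (say, a data set to plot) has to be passed in explicitly, for instance via `postMessage` with an origin check on both sides.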

Now I get it! Thanks for the reply