Bokeh Security Considerations

A Bokeh user recently noted that Bokeh doesn't escape the JavaScript in strings that it displays through text fields. For things such as CustomJS classes, custom Hover Tooltips, and the Div widget, this is expressly by design. However, it does present a potential problem if users take untrusted user inputs and directly output those via Bokeh.

While this isn't a Bokeh-specific issue or vulnerability, since web applications should always sanitize text input at the input stage, we will be making some changes to make this potential problem much less likely for people:

- Escape HTML/JS in all fields except CustomJS, custom HoverTool templates, the Div widget, etc., and augment the documentation around these classes to stress that they transmit unescaped HTML/JS by design and should never be used with unsanitized third-party input.

- In ALL cases, fully escape the "</script>" string, since this is never appropriate in Bokeh-generated output.
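As an added illustration of the two mitigations listed above (this is example code, not Bokeh's own implementation): HTML-escape ordinary text fields, and, for data that is embedded inside a `<script>` block by design, encode every `</` so that a `</script>` in untrusted input can't terminate the script element early. The function names and the sample input are assumptions constructed for the example.

```python
import html
import json

# Added example (not Bokeh's own code). Function names are assumptions.


def escape_text_field(untrusted: str) -> str:
    """Ordinary text fields: escape HTML so markup in the input renders as text."""
    return html.escape(untrusted, quote=True)


def escape_script_payload(value) -> str:
    """Serialize `value` as JSON that is safe to inline inside a <script> block.

    JSON allows "\\/" as an escape for "/", so every "</" becomes "<\\/".
    The JavaScript side still decodes the original text, but the HTML parser
    never sees a literal "</script>" and cannot close the element early.
    """
    return json.dumps(value).replace("</", "<\\/")


def decodes_unchanged(value) -> bool:
    """The escaping is lossless: a JSON decoder recovers the original value."""
    return json.loads(escape_script_payload(value)) == value


def render_script_block(untrusted_title: str) -> str:
    """Embed untrusted data in a script block the way a generated page would."""
    payload = escape_script_payload({"title": untrusted_title})
    return f"<script>\n  const docJson = {payload};\n</script>"


def script_block_is_intact(rendered: str) -> bool:
    """Defensive check: the rendered block must contain exactly one closing tag."""
    return rendered.lower().count("</script>") == 1


if __name__ == "__main__":
    # Constructed sample input: a title that contains a closing script tag.
    sample = "Sales </script><b>not a title</b>"
    print(escape_text_field(sample))
    block = render_script_block(sample)
    print(block)
    print("intact:", script_block_is_intact(block))
```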

There is an issue you can track or discuss on here:

  Clarify Some Security Considerations · Issue #7039 · bokeh/bokeh · GitHub

Thanks,

Bryan