A notebook has possible security issues with several parts of standard content that are secured automatically by Jupyter:
- Untrusted HTML is sanitized
- Untrusted JavaScript is not executed
- HTML and JavaScript in markdown cells is not trusted
- Notebook output is not trusted
- Other HTML or JavaScript in the notebook is not trusted
Where trust comes down to the question: Did the user do this or did the Jupyter script? Untrusted means it will not be generated.
Sanitized code is wrapped to force the values to be text display only—no executed code will be generated. For example, if your notebook cell were to produce HTML, such as an additional H1 header tag, Jupyter would sanitize the output such that the raw HTML, in this case something like <H1>Additional Heading</H1> would produce the raw HTML with the H1 tags rather than the desired effect of an HTML heading appearing on your page.