treat any html output with script tag as an iframe; fixes #4992 and probably many other things -- matplotlib.animation.ArtistAnimation.to_jshtml() output does not appear

- and probably breaks something too.

Author: williamstein

src/packages/jupyter/blobs/iframe.ts

@@ -19,7 +19,7 @@ const MAX_HTML_SIZE = 10 ** 6;
 // We use iframes to render html in a number of cases:
 //  - if it starts with iframe
 //  - if it has a whole page doctype
-//  - if it has a <script> tag anywhere without a type -- since those are ignored by safe HTML
+//  - if it has a <script> tag anywhere -- since those are ignored by safe HTML
 //    rendering; using an iframe is the only way.  This e.g., makes mpld3 work uses -- <script>!  https://github.com/sagemathinc/cocalc/issues/1934
 //    and altair -- https://github.com/sagemathinc/cocalc/issues/4468 -- uses <script type="text/javascript"/>
 //  - do NOT just render all html in an iframe, e.g., this would break bokeh, since one output creates the target elt,
@@ -46,8 +46,11 @@ export function is_likely_iframe(content: string): boolean {
     content.startsWith("<iframe") ||
     content.includes("<!doctype html>") ||
     (content.includes("<html>") && content.includes("<head>")) ||
-    content.includes("<script>") ||
-    content.includes('<script type="text/javascript">')
+    // this gets really serious -- we sanitize out script tags in non-iframe html,
+    // and a LOT of interesting jupyter outputs are self contained html + script tags... so
+    // by rendering them all in iframes (1) they suddenly all work, which is great, and
+    // (2) if they are large (which is common) they work even better, by far!
+    content.includes("<script")
   );
 }