Call marked with sanitize: false

[prydie]

The author can be presumed trustworthy in the context of their own text editor so sanitisation is redundant and detracts from usability

[izuzak]

With sanitize set to false, Atom throws the following error if a <script> tag is in the input document:

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
 /Applications/Atom.app/Contents/Resources/app/node_modules/space-pen/vendor/jquery.js:545

cc @nathansobo

[prydie]

I guess the most attractive option here is to patch marked to accept a list of blacklisted tags in the following format:

disallowed_tags = {
    'script',
    'embed',
    …
}

However, presumably Atom would still throw an error if the author inserted javascript in event handler attributes (i.e. <button onclick="myFunction()">Click me</button>).

[nathansobo]

We currently don't allow <script> tags or inline scripts for event handling. This is to prevent accidentally loading malicious content into the editor. This is a tricky balance. It's reasonable to assume code loaded via a package might do something malicious, but it seems dangerous to assume that any content loaded by the editor could have free reign with the local system.

[prydie]

@nathansobo I'd be more worried about code in packages than I would be about code in the editor. Control within the editor should be down to the user in my opinion. If they're pasting in untrusted code then surely their editor is the least of their worries.

[kevinsawicki]

@prydie sorry for the delay, would you mind rebasing this on top of master? This code now lives in renderer.coffee there. If not, I'll start a new PR with this.

[kevinsawicki]

I ended up opening up #73 which sets sanitize to false but also strips out script tags and certain img attributes so the CSP warnings that @izuzak mentioned will not spam the console when it renders.