Cross Site Scripting#
However, this can also lead to Cross-Site Scripting (XSS) attacks, with the most likely case being an Self-XSS attack. This happens when someone executes code that they do not understand, or is malicious.
For example, the
%%html and the
script tags into your page. They can potentially modify the DOM, make API calls on the users behalf,
or run untrusted code.
We recommend that you run Thebe in a static environment (e.g. ReadTheDocs or similar) that has no access to user credentials such as cookies or API keys.