Thebe allows users to run arbitrary code both in Python and, potentially, in Javascript. This allows interactive figures, and custom outputs to be run in your documentation, which is the benefit that Thebe brings! ✨

However, this can also lead to Cross-Site Scripting ({abbr}XSS (Cross-Site Scripting)) attacks, with the most likely case being an Self-{abbr}XSS (Cross-Site Scripting) attack. This happens when someone executes code that they do not understand, or is malicious.

For example, the %%html and the %%javascript cell-magics in Jupyter can directly insert script tags into your page. They can potentially modify the DOM, make API calls on the users behalf, or run untrusted code.

We recommend that you run Thebe in a static environment (e.g. ReadTheDocs or similar) that has no access to user credentials such as cookies or API keys.