Allow HTML (again!) in st.write/st.markdown — but with kwarg toggle #152

@tvst

Description

Until last week, st.write and st.markdown used to allow HTML tags. However this is a security risk, as an app author could write unsafe code like this:

```python
import streamlit as st

USER_INPUT = '''
<input type="button" value="click me" onclick="javascript:alert('You have been pwnd. Now I can steal your cookies')"/>
'''

name = st.text_input("What's your name?", USER_INPUT)
st.write(name)
```

...which is why we turned it off in #95.

However, many users still depend on this feature, and we would like to (1) not break those users and (2) understand why they need HTML so we can come up with better solutions.

So let's do this for now:

  • Keep the default behavior of st.write and st.markdown as: no HTML is allowed
  • However, allow the user to pass unsafe_allow_html=True to turn on support for HTML

Also, in the pydoc for st.write and st.markdown we should say the following:

While you can use unsafe_allow_html=True to turn on support for a limited set of HTML tags inside markdown strings, we strongly advise against it. It is hard to write secure HTML, so by using this argument you may be compromising your users' security. See this Github issue for more information.

Also note that unsafe_allow_html is a temporary measure and may be removed from Streamlit any time.

If you decide to turn on HTML anyway, we ask you to please post in [this Github issue](ASK THIAGO FOR LINK) telling us your exact use case. This will help us come up with safe APIs that allow you to do what you want.
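The default-safe toggle the issue proposes, sketched as an added example that is not Streamlit's own code: `render_markdown` and `greet_with_html` are hypothetical names, and `USER_INPUT` is a constructed sample mirroring the event-handler payload above.

```python
import html

# Added example (not Streamlit's code): a stand-in for the opt-in behaviour
# the issue proposes. render_markdown and greet_with_html are hypothetical.

# Constructed sample input mirroring the event-handler payload in the issue.
USER_INPUT = '<input type="button" value="click me" onclick="alert(1)"/>'


def render_markdown(body: str, unsafe_allow_html: bool = False) -> str:
    """Return the text that would reach the browser.

    Default (unsafe_allow_html=False): every <, >, &, " and ' is escaped,
    so a tag typed by a user is shown as literal text, not run as markup.
    Opt-in (unsafe_allow_html=True): the string passes through untouched,
    which is exactly the risk the proposed pydoc warning describes.
    """
    if unsafe_allow_html:
        return body
    return html.escape(body, quote=True)


def greet_with_html(name: str) -> str:
    """Author-controlled HTML wrapping a user-controlled value.

    Even when an app opts in with unsafe_allow_html=True, the untrusted part
    (the name) is escaped before interpolation, so the author's <b> tag
    survives while anything the user typed is rendered inert.
    """
    safe_name = html.escape(name, quote=True)
    return render_markdown(f"<b>Hello, {safe_name}!</b>", unsafe_allow_html=True)


if __name__ == "__main__":
    print(render_markdown(USER_INPUT))                          # escaped, inert text
    print(render_markdown(USER_INPUT, unsafe_allow_html=True))  # live markup: unsafe
    print(greet_with_html(USER_INPUT))                          # <b> kept, payload escaped
```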

Labels

type:bug (Something isn't working as expected)