OurBigBook HTML output is designed to be XSS safe by default, any non-XSS safe constructs must be enabled with a non-default flag or setting, see: unsafe-xss.
Of course, we are walking on eggs, and this is hard to assert, so the best thing to do later on will be to parse the output e.g. with DOMParser to ensure that it is valid and does not contain any script tags, but it is not as simple as that: stackoverflow.com/questions/37435077/execute-javascript-for-xss-without-script-tags/61588322#61588322
XSS unsafe constructs lead to errors by default. XSS unsafe constructs can be allowed from the command line with:
./ourbigbook --unsafe-xss
or from the ourbigbook.json file with an entry of form:
"unsafe-xss": true

Ancestors