display() tries to read files and load URLs

[Tronic]

Quite surprisingly, instead of a HTML string snippet, IPython actually loads a local file or a remote site if anything suitable is found.

from IPython.core.display import display, HTML

# This does what I would expect
display(HTML("<h1>Hello</h1>"))

# These are quite scary
display(HTML("/etc/passwd"))
display(HTML("https://google.com/"))

I found out about this feature when I tried to print text foo and the system hung because I happened to have a special file by that name in the current folder. The relevant code is in IPython/core/display.py:608.

It would be far more secure if there were separate types or kwargs for displaying files and URLs.

[Carreau]

This has been unfortunately baked in fo several years, and as you point out from the source they are differents args/kwarrgs, you can do display(HTML(url="https://google.com/")) and it will force it to be intepreted a URL.

Do you have a more concrete proposal ?

[Tronic]

I suppose it isn't possible to specify data by kwarg so that it won't be interpreted as something else? In any case, it might be better to deprecate and eventually move on rather than keep it forever.