Given I have some html text that I want to display in ui.table, together with other markdown text in the same column. I want to prevent code injection attacks, so I am using html.escape() on all text first.
When rendering in Wave, some escaped html characters are not visualized correctly.
This gets even more complex when combined with code fields. In this case, I would not want to escape anything inside the code blocks, but escape anything outside of them to prevent code injection.
Wave SDK Version, OS
Wave 1.5.1
Actual behavior
[Image: escaped csv]
so, somehow `<ul>` gets visualized correctly while `<li><label for="usermail">Email</label>` is rendered with escaped strings `&lt;`.
Expected behavior
Render escaped markdown in ui.table()
Potential improvement
Add a flag to force safe rendering in ui.table() to reduce the risk of code injection.
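One way to get the behaviour the report asks for (escape everything outside code, leave code untouched), shown as an added example that is not part of the original issue or of Wave's own code. `escape_outside_code` is a hypothetical helper name, and the approach assumes the Markdown renderer itself escapes the contents of code spans and fenced blocks, which should be confirmed for the renderer in use.

```python
import html
import re

# One capturing group so re.split() returns: text, code, text, code, ..., text.
# Fenced blocks (``` ... ```) are tried first, then single-line inline spans.
# An unterminated fence or backtick never matches, so that text is escaped
# like any other input (fail closed).
_CODE = re.compile(r"(```.*?```|`[^`\n]+`)", re.DOTALL)


def escape_outside_code(markdown: str) -> str:
    """HTML-escape Markdown text, leaving code spans and fences verbatim.

    Assumption: the renderer escapes code contents itself. If it does not,
    untrusted input could wrap markup in backticks to bypass this filter,
    so verify that before relying on it.
    """
    parts = _CODE.split(markdown)
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 1:
            out.append(part)               # code segment: unchanged
        else:
            out.append(html.escape(part))  # prose segment: &, <, >, ", '
    return "".join(out)


# Constructed sample input, reusing the tags quoted in the report.
SAMPLE = (
    "See <ul> and `<li>` here\n"
    "```html\n"
    '<label for="usermail">Email</label>\n'
    "```\n"
    "<b>done</b>"
)

if __name__ == "__main__":
    print(escape_outside_code(SAMPLE))
```
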