Closed
Description
I created a wrapper class to display HTML in JupyterLab, and then looked at the source and realized there's no cgi.escape / html.escape / bleach.clean / bleach.linkify, which (I assume) is an XSS vulnerability:

```python
from tabulate import tabulate

class TabulateHTML:
    def __init__(self, *args, **kwargs):
        kwargs['tablefmt'] = 'html'  # force the HTML table format
        self.html = tabulate(*args, **kwargs)

    def _repr_html_(self):
        return self.html  # returned verbatim: no cell escaping happens anywhere

# `output` is the rows to display (left undefined in the original post)
TabulateHTML(output)
```
There's likely a better way to wrap TableFormat to return either an object with a `._repr_html_()` method or an IPython.display.HTML when tablefmt='jupyterhtml' | 'jupyter' | 'ipython'?
https://ipython.readthedocs.io/en/stable/config/integrating.html#rich-display
https://ipython.readthedocs.io/en/stable/api/generated/IPython.display.html#IPython.display.HTML
Pull Requests:
- BUG,SEC: html.escape cells to prevent XSS (#25) #26
- ENH: return a wrapped str w/ a _repr_html_ so that Jupyter displays the html #27
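To make the reported problem and the two proposed fixes concrete, here is an added example that is not code from the issue or from the tabulate project. It uses a small hypothetical HTML table formatter (`render_html_table`) standing in for tabulate's `html` format, so it runs without tabulate installed: with `escape=False` it reproduces the unescaped behaviour the issue describes, with `escape=True` it applies `html.escape` per cell as PR #26 proposes, and `JupyterHTML` illustrates the wrapped-str-with-`_repr_html_` idea of PR #27. The sample rows are constructed for this example.

```python
import html

# Constructed sample input (not from the issue): one cell carries injected
# markup, the kind of attacker-controlled content that an unescaped 'html'
# table format would hand straight to the notebook's DOM.
SAMPLE_HEADERS = ["user", "comment"]
SAMPLE_ROWS = [
    ["alice", "looks fine"],
    ["mallory", '<img src=x onerror="alert(1)">'],
]


def render_html_table(rows, headers=(), escape=True):
    """Minimal HTML table formatter (hypothetical; not tabulate's own code).

    escape=False reproduces the vulnerable behaviour described in the issue:
    cell text is interpolated verbatim. escape=True applies html.escape to
    every header and cell, the fix proposed in PR #26.
    """
    cell = (lambda s: html.escape(str(s), quote=True)) if escape else str
    parts = ["<table>"]
    if headers:
        parts.append("<thead><tr>"
                     + "".join(f"<th>{cell(h)}</th>" for h in headers)
                     + "</tr></thead>")
    parts.append("<tbody>")
    for row in rows:
        parts.append("<tr>" + "".join(f"<td>{cell(c)}</td>" for c in row) + "</tr>")
    parts.append("</tbody></table>")
    return "\n".join(parts)


class JupyterHTML(str):
    """A str that Jupyter renders as HTML, via the _repr_html_ protocol.

    Illustrates the wrapped-str idea of PR #27; not that PR's code.
    """

    def _repr_html_(self):
        return str(self)


def tabulate_for_jupyter(rows, headers=()):
    """Escaped HTML table, wrapped so a notebook cell displays it as a table."""
    return JupyterHTML(render_html_table(rows, headers, escape=True))


if __name__ == "__main__":
    print("vulnerable:\n" + render_html_table(SAMPLE_ROWS, SAMPLE_HEADERS, escape=False))
    print("\nescaped:\n" + tabulate_for_jupyter(SAMPLE_ROWS, SAMPLE_HEADERS))
```

The check worth keeping in mind: escaping has to happen at the point where cell text is interpolated into markup, for every cell and header, and `quote=True` matters because the injected payload lives inside an attribute value. If a caller genuinely wants pre-rendered markup passed through, that should be an explicit opt-in rather than the default behaviour of the `html` format.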