Enable native HTML in documentation markdown.

[eitan-shalev]

Airflow 2 enables the use of HTML tags in markdown, used in DAG & task documentation.
Airflow 3, on React, expressly disables it, with the skipHtml setting (here).
I'm wondering what's the reason behind this decision, and if we could remove it, or allow users to control it.

My primary motivation in this regard is enabling hyperlinks to open in a new tab, but this is also something of a disruptive change moving from Airflow 2, where a lot of documentation can become degraded when migrating over to Airflow 3.

[potiuk]

The main reason was security. DAG authors (according to our security model - should not be able to influence code executed in the UI. It's extremely difficult (and practically impossibe) to sanitize HTML code provided by the DAG author to avoid some ways the HTML code (actually mostly javascript resulting from rendering the HTML code) might inject bad behaviours in the UI.

This behaviour has been introduced in Airflow 2.8 - you can read the changelog when we explained the resoning behind turning off raw html by default. You could of course enable it (but you were warned about security compromise you have to make).

https://airflow.apache.org/docs/apache-airflow/stable/release_notes.html#airflow-2-8-0-2023-12-18

In Airflow 3 because of new start we decided to simply disable it - security is an important feature of Airflow 3 - this is why we introduced task isolation and removed some of the things like direct db access for dag authors. The change where raw HTML is not allowed - and it follows the same patterns. Also having much more sophisticated DOM with react, any kind of dynamic reactivity you might have there in the first place would have to be anyhow adjusted.

You can explore more sophisticated use of markdown - where you can define links and other elements.

In Airflow 3.1+ you can also add react plugins to add more interactivity if you want it and there - you have all the options to add dynamic HTML and javascript you want, but this is controlled not by DAG authors, but by Deployment Managers, which is in-line with our Security Model.

So the functionality is not taken away completely. It's just adjusted to match our security model and youl should simply follow along.