@tunz found that javascript: URLs could be used in links in MathJax formulas in IPython Notebooks. If clicked, this could allow an attacker to execute JavaScript on the render.githubusercontent.com domain. While exploitation of this vulnerability was limited to a sandboxed domain, we still took the threat seriously. We addressed this issue by running MathJax in “safe mode”.