
Conversation

@sfc-gh-bnisco (Collaborator) commented Nov 3, 2025

Describe your changes

Added a new unsafe_allow_javascript parameter to st.html() that allows JavaScript execution when set to True. By default, this parameter is False, maintaining the current behavior where JavaScript is ignored.

Updated the docstring to clarify that JavaScript execution is now possible but disabled by default, with appropriate warnings about using this feature with caution.

GitHub Issue Link (if applicable)

Testing Plan

  • Added unit tests to verify:
    • Default behavior (JavaScript disabled)
    • Behavior when unsafe_allow_javascript=True
    • Proper flag propagation for style-only HTML content

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
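A check a reviewer of downstream apps will want once this flag ships: an added example, not part of this PR or of Streamlit's code base, that walks an app's AST for `st.html()` calls and flags the ones that opt in with `unsafe_allow_javascript=True`, treating a runtime-built HTML body (f-string, variable) as the higher-risk case because that is the shape of an XSS sink. It assumes the app imports Streamlit as `st` or calls `streamlit.html` directly, that the HTML is the first positional argument or a keyword named `body` (that keyword name is an assumption), and that the severity labels are this example's own triage scheme. The sample app source is constructed here.

```python
"""Audit helper (added example, not Streamlit's code): find st.html() calls that
opt into JavaScript execution with unsafe_allow_javascript=True and rank them by
whether the HTML body is a string literal or built at runtime.

Assumptions (not from the PR): the app imports Streamlit as `st` or calls
`streamlit.html`; the HTML is the first positional argument or a keyword named
`body`; the severity labels are this example's own triage scheme.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    lineno: int
    html_is_literal: bool   # body is a plain str constant (no f-string, no variable)
    js_enabled: bool        # unsafe_allow_javascript resolved to anything but a literal False

    @property
    def severity(self) -> str:
        if not self.js_enabled:
            return "info"    # default: JavaScript ignored, per the PR description
        if self.html_is_literal:
            return "medium"  # developer-authored script; still review what it does
        return "high"        # runtime-built HTML with JS enabled: stored/reflected XSS shape


def _is_st_html(call: ast.Call) -> bool:
    """Match `st.html(...)` or `streamlit.html(...)`."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "html"
        and isinstance(func.value, ast.Name)
        and func.value.id in {"st", "streamlit"}
    )


def _js_flag(call: ast.Call) -> bool:
    """True unless the flag is absent or a literal False.

    A non-constant value (variable, expression) is treated as enabled,
    because a static audit cannot prove it stays False.
    """
    for kw in call.keywords:
        if kw.arg == "unsafe_allow_javascript":
            return not (isinstance(kw.value, ast.Constant) and kw.value.value is False)
    return False  # parameter omitted: defaults to False


def _html_body(call: ast.Call):
    """First positional argument, else the assumed `body` keyword, else None."""
    if call.args:
        return call.args[0]
    return next((kw.value for kw in call.keywords if kw.arg == "body"), None)


def audit(source: str) -> list[Finding]:
    """Return one Finding per st.html() call in the module, in source order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_st_html(node):
            body = _html_body(node)
            literal = isinstance(body, ast.Constant) and isinstance(body.value, str)
            findings.append(Finding(node.lineno, literal, _js_flag(node)))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample app (not a real project file).
SAMPLE_APP = '''
import streamlit as st
name = st.text_input("Your name")
st.html("<p>Hello</p>")
st.html("<script>console.log('static')</script>", unsafe_allow_javascript=True)
st.html(f"<p>Hello {name}</p>", unsafe_allow_javascript=True)
st.html("<b>safe</b>", unsafe_allow_javascript=False)
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_APP):
        print(f"line {f.lineno}: severity={f.severity} js={f.js_enabled} literal={f.html_is_literal}")
```

Run it over a real app with `audit(open(path).read())`; the "high" findings are the calls where user-influenced markup reaches the renderer with JavaScript enabled, which is exactly the combination the parameter name is warning about.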

@snyk-io bot (Contributor) commented Nov 3, 2025

Snyk checks have passed. No issues have been found so far.

Scanner                 Critical  High  Medium  Low  Total
Open Source Security    0         0     0       0    0 issues
Licenses                0         0     0       0    0 issues


sfc-gh-bnisco (Collaborator, Author) commented Nov 3, 2025

@github-actions bot (Contributor) commented Nov 3, 2025

✅ PR preview is ready!

Name                              Link
📦 Wheel file                     https://core-previews.s3-us-west-2.amazonaws.com/pr-12917/streamlit-1.51.0-py3-none-any.whl
📦 @streamlit/component-v2-lib    Download from artifacts
🕹️ Preview app                    pr-12917.streamlit.app (☁️ Deploy here if not accessible)

@sfc-gh-bnisco added the change:feature, impact:internal and security-assessment-completed labels Nov 3, 2025 (with Graphite App)
@sfc-gh-bnisco changed the title from "[feat] Add Python API for unsafe_allow_javascript" to "[feat] Add Python API for st.html unsafe_allow_javascript" Nov 3, 2025
@sfc-gh-bnisco sfc-gh-bnisco requested a review from Copilot November 3, 2025 21:47
Copilot AI (Contributor) left a comment

Pull Request Overview

This pull request adds a new parameter unsafe_allow_javascript to the st.html API, allowing users to opt-in to executing JavaScript in HTML content. By default, JavaScript execution is disabled (False) for security reasons.

Key Changes:

  • Added unsafe_allow_javascript boolean parameter to the html() method with default value False
  • Updated documentation to reflect that JavaScript is now ignored by default and can be enabled via the new parameter
  • The parameter is set on the protobuf message and passed through both standard and event container rendering paths

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                                          Description
lib/streamlit/elements/html.py                Added the unsafe_allow_javascript parameter to the html() method, updated the docstring to document the new behavior, and set the parameter on the protobuf message
lib/tests/streamlit/elements/html_test.py     Added three unit tests covering default behavior (False), explicit True, and style-only HTML with the flag
Comments suppressed due to low confidence (1)

lib/streamlit/elements/html.py:93

  • The docstring is missing documentation for the new unsafe_allow_javascript parameter. According to Numpydoc style conventions, all parameters should be documented in the Parameters section.
        width : "stretch", "content", or int
            The width of the HTML element. This can be one of the following:

            - ``"stretch"`` (default): The width of the element matches the
              width of the parent container.
            - ``"content"``: The width of the element matches the width of its
              content, but doesn't exceed the width of the parent container.
            - An integer specifying the width in pixels: The element has a
              fixed width. If the specified width is greater than the width of
              the parent container, the width of the element matches the width
              of the parent container.

@sfc-gh-bnisco sfc-gh-bnisco marked this pull request as ready for review November 4, 2025 21:06
sfc-gh-bnisco (Collaborator, Author) commented Nov 6, 2025

Merge activity

  • Nov 6, 5:33 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Nov 6, 5:35 PM UTC: Graphite rebased this pull request as part of a merge.
  • Nov 6, 6:14 PM UTC: @sfc-gh-bnisco merged this pull request with Graphite.

@sfc-gh-bnisco sfc-gh-bnisco changed the base branch from html-js-proto to graphite-base/12917 November 6, 2025 17:33
@sfc-gh-bnisco sfc-gh-bnisco changed the base branch from graphite-base/12917 to develop November 6, 2025 17:33
@sfc-gh-bnisco sfc-gh-bnisco requested a review from a team as a code owner November 6, 2025 17:33
@sfc-gh-bnisco sfc-gh-bnisco merged commit 98c2e68 into develop Nov 6, 2025
37 checks passed
@sfc-gh-bnisco sfc-gh-bnisco deleted the html-js-backend branch November 6, 2025 18:14
@sfc-gh-dmatthews removed the impact:internal label Dec 2, 2025
@sfc-gh-dmatthews added the impact:users and impact:internal labels and removed the impact:users label Dec 2, 2025

Labels

change:feature (PR contains new feature or enhancement implementation)
impact:internal (PR changes only affect internal code)
security-assessment-completed (Security assessment has been completed for PR)


4 participants