[feat] Add frontend for executing JS in st.html by sfc-gh-bnisco · Pull Request #12918 · streamlit/streamlit

sfc-gh-bnisco · 2025-11-03T21:34:31Z

Describe your changes

Refactored the HTML component to properly handle JavaScript execution when unsafeAllowJavascript is enabled. The implementation now:

Splits HTML rendering into two components: SanitizedHtml and HtmlWithJs
Properly executes scripts by cloning and replacing them in the DOM
Preserves script attributes (src, type, async, defer, nonce, etc.)
Centralizes DOMPurify hooks in a shared module
Improves cleanup when HTML content changes

Testing Plan

Unit Tests: Completely rewrote the test suite to thoroughly test both safe and unsafe modes
- Added tests for script execution, attribute preservation, and cleanup behavior
- Added tests for error handling during attribute copying
- Added tests to verify proper sanitization in safe mode
- Added tests to verify script execution in unsafe mode

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

snyk-io · 2025-11-03T21:34:40Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Licenses	0	0	0	0	0 issues
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

sfc-gh-bnisco · 2025-11-03T21:34:45Z

This stack of pull requests is managed by Graphite. Learn more about stacking.

github-actions · 2025-11-03T21:34:46Z

✅ PR preview is ready!

Name	Link
📦 Wheel file	https://core-previews.s3-us-west-2.amazonaws.com/pr-12918/streamlit-1.51.0-py3-none-any.whl
📦 `@streamlit/component-v2-lib`	Download from artifacts
🕹️ Preview app	pr-12918.streamlit.app (☁️ Deploy here if not accessible)

Copilot

Pull Request Overview

This PR refactors the HTML component to support unsafe JavaScript execution through a new unsafeAllowJavascript flag. The implementation splits HTML rendering into two paths: sanitized HTML (existing behavior) and HTML with JavaScript execution enabled (new behavior).

Key changes:

Extracted DOMPurify hooks into a shared dompurifyHooks.ts module for reuse
Split the main Html component into three specialized components: SanitizedHtml, HtmlWithJs, and HtmlContainer
Added comprehensive test coverage for both sanitization and JavaScript execution paths

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
frontend/lib/src/test_util.tsx	Changed mock function from `vi.fn()` to empty arrow function for `setFullScreen`
frontend/lib/src/components/elements/Html/dompurifyHooks.ts	Extracted DOMPurify hooks for target="_blank" link handling into a centralized module
frontend/lib/src/components/elements/Html/SanitizedHtml.tsx	Created new component for sanitized HTML rendering without JavaScript
frontend/lib/src/components/elements/Html/HtmlWithJs.tsx	Created new component that sanitizes but preserves and executes script tags
frontend/lib/src/components/elements/Html/HtmlContainer.tsx	Created shared container component wrapping StyledHtml with common props
frontend/lib/src/components/elements/Html/Html.tsx	Refactored to route to either SanitizedHtml or HtmlWithJs based on unsafeAllowJavascript flag
frontend/lib/src/components/elements/Html/Html.test.tsx	Comprehensive test suite covering both sanitization and JavaScript execution paths

sfc-gh-bnisco · 2025-11-06T17:33:26Z

Merge activity

Nov 6, 5:33 PM UTC: A user started a stack merge that includes this pull request via Graphite.
Nov 6, 6:16 PM UTC: Graphite rebased this pull request as part of a merge.
Nov 6, 6:41 PM UTC: @sfc-gh-bnisco merged this pull request with Graphite.

sfc-gh-bnisco mentioned this pull request Nov 3, 2025

[feat] Add proto for st.html JS support #12916

Merged

sfc-gh-bnisco mentioned this pull request Nov 3, 2025

[feat] Add Python API for st.html unsafe_allow_javascript #12917

Merged

sfc-gh-bnisco mentioned this pull request Nov 3, 2025

[test] Add e2e tests for JS in st.html #12919

Merged

sfc-gh-bnisco added change:feature PR contains new feature or enhancement implementation impact:internal PR changes only affect internal code security-assessment-completed labels Nov 3, 2025 — with Graphite App

sfc-gh-bnisco removed the impact:internal PR changes only affect internal code label Nov 3, 2025

sfc-gh-bnisco added the impact:users PR changes affect end users label Nov 3, 2025 — with Graphite App

sfc-gh-bnisco requested a review from Copilot November 3, 2025 21:47

Copilot AI reviewed Nov 3, 2025

View reviewed changes

sfc-gh-bnisco force-pushed the html-js-frontend branch from e54803e to 461b031 Compare November 3, 2025 22:08

sfc-gh-bnisco force-pushed the html-js-backend branch from 9ad33c4 to 0ade7e7 Compare November 3, 2025 22:08

graphite-app bot reviewed Nov 3, 2025

View reviewed changes

Comment thread frontend/lib/src/components/elements/Html/dompurifyHooks.ts Outdated

sfc-gh-bnisco force-pushed the html-js-frontend branch from 461b031 to 0aefd4e Compare November 4, 2025 00:15

sfc-gh-bnisco marked this pull request as ready for review November 4, 2025 21:06