Skip to content

[feat] Add frontend for executing JS in st.html #12918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sfc-gh-bnisco merged 2 commits into from
Nov 6, 2025
Merged

[feat] Add frontend for executing JS in st.html #12918

sfc-gh-bnisco merged 2 commits into from
Nov 6, 2025

Conversation

@sfc-gh-bnisco
Copy link
Collaborator

@sfc-gh-bnisco sfc-gh-bnisco commented Nov 3, 2025
edited
Loading

Describe your changes

Refactored the HTML component to properly handle JavaScript execution when unsafeAllowJavascript is enabled. The implementation now:

  • Splits HTML rendering into two components: SanitizedHtml and HtmlWithJs
  • Properly executes scripts by cloning and replacing them in the DOM
  • Preserves script attributes (src, type, async, defer, nonce, etc.)
  • Centralizes DOMPurify hooks in a shared module
  • Improves cleanup when HTML content changes

Testing Plan

  • Unit Tests: Completely rewrote the test suite to thoroughly test both safe and unsafe modes
    • Added tests for script execution, attribute preservation, and cleanup behavior
    • Added tests for error handling during attribute copying
    • Added tests to verify proper sanitization in safe mode
    • Added tests to verify script execution in unsafe mode

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

@snyk-io
Copy link
Contributor

snyk-io bot commented Nov 3, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Licenses 0 0 0 0 0 issues
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@sfc-gh-bnisco sfc-gh-bnisco mentioned this pull request Nov 3, 2025
Merged
@sfc-gh-bnisco Graphite App
Copy link
Collaborator Author

sfc-gh-bnisco commented Nov 3, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@sfc-gh-bnisco sfc-gh-bnisco mentioned this pull request Nov 3, 2025
Merged
@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2025
edited
Loading

✅ PR preview is ready!

Name Link
📦 Wheel file https://core-previews.s3-us-west-2.amazonaws.com/pr-12918/streamlit-1.51.0-py3-none-any.whl
📦 @streamlit/component-v2-lib Download from artifacts
🕹️ Preview app pr-12918.streamlit.app (☁️ Deploy here if not accessible)

@sfc-gh-bnisco sfc-gh-bnisco mentioned this pull request Nov 3, 2025
Merged
@sfc-gh-bnisco sfc-gh-bnisco added change:feature PR contains new feature or enhancement implementation impact:internal PR changes only affect internal code security-assessment-completed Security assessment has been completed for PR labels Nov 3, 2025 — with Graphite App
@sfc-gh-bnisco sfc-gh-bnisco removed the impact:internal PR changes only affect internal code label Nov 3, 2025
@sfc-gh-bnisco sfc-gh-bnisco added the impact:users PR changes affect end users label Nov 3, 2025 — with Graphite App
@sfc-gh-bnisco sfc-gh-bnisco requested a review from Copilot November 3, 2025 21:47
Copilot AI reviewed Nov 3, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR refactors the HTML component to support unsafe JavaScript execution through a new unsafeAllowJavascript flag. The implementation splits HTML rendering into two paths: sanitized HTML (existing behavior) and HTML with JavaScript execution enabled (new behavior).

Key changes:

  • Extracted DOMPurify hooks into a shared dompurifyHooks.ts module for reuse
  • Split the main Html component into three specialized components: SanitizedHtml, HtmlWithJs, and HtmlContainer
  • Added comprehensive test coverage for both sanitization and JavaScript execution paths

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
frontend/lib/src/test_util.tsx Changed mock function from vi.fn() to empty arrow function for setFullScreen
frontend/lib/src/components/elements/Html/dompurifyHooks.ts Extracted DOMPurify hooks for target="_blank" link handling into a centralized module
frontend/lib/src/components/elements/Html/SanitizedHtml.tsx Created new component for sanitized HTML rendering without JavaScript
frontend/lib/src/components/elements/Html/HtmlWithJs.tsx Created new component that sanitizes but preserves and executes script tags
frontend/lib/src/components/elements/Html/HtmlContainer.tsx Created shared container component wrapping StyledHtml with common props
frontend/lib/src/components/elements/Html/Html.tsx Refactored to route to either SanitizedHtml or HtmlWithJs based on unsafeAllowJavascript flag
frontend/lib/src/components/elements/Html/Html.test.tsx Comprehensive test suite covering both sanitization and JavaScript execution paths

graphite-app[bot]
graphite-app bot reviewed Nov 3, 2025
View reviewed changes
@sfc-gh-bnisco sfc-gh-bnisco marked this pull request as ready for review November 4, 2025 21:06
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
sfc-gh-lwilby
sfc-gh-lwilby reviewed Nov 5, 2025
View reviewed changes
@sfc-gh-bnisco Graphite App
Copy link
Collaborator Author

sfc-gh-bnisco commented Nov 6, 2025
edited
Loading

Merge activity

  • Nov 6, 5:33 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Nov 6, 6:16 PM UTC: Graphite rebased this pull request as part of a merge.
  • Nov 6, 6:41 PM UTC: @sfc-gh-bnisco merged this pull request with Graphite.

@sfc-gh-bnisco sfc-gh-bnisco changed the base branch from html-js-backend to graphite-base/12918 November 6, 2025 17:34
@sfc-gh-bnisco sfc-gh-bnisco changed the base branch from graphite-base/12918 to develop November 6, 2025 18:14
@sfc-gh-bnisco sfc-gh-bnisco requested a review from a team as a code owner November 6, 2025 18:14
@sfc-gh-bnisco sfc-gh-bnisco merged commit e93e63b into develop Nov 6, 2025
37 checks passed
@sfc-gh-bnisco sfc-gh-bnisco deleted the html-js-frontend branch November 6, 2025 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

Copilot code review Copilot Copilot left review comments

@sfc-gh-lwilby sfc-gh-lwilby sfc-gh-lwilby approved these changes

Assignees

No one assigned

Labels

change:feature PR contains new feature or enhancement implementation impact:users PR changes affect end users security-assessment-completed Security assessment has been completed for PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sfc-gh-bnisco @sfc-gh-lwilby