✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

✅ PR preview is ready!

Summary

This PR adds bind="query-params" support to st.text_input and st.text_area, enabling two-way synchronization between widget values and URL query parameters. The changes span the full stack:

• Protobuf: New query_param_key field added to both TextInput and TextArea messages.
• Python backend: bind parameter added to both widget APIs, with serde truncation for max_chars, password-binding prevention, and validation.
• Frontend: queryParamBinding configuration wired into the existing useBasicWidgetState hook for both components.
• Tests: Python unit tests, frontend unit tests, and E2E tests added.
• Bug fix: Pre-existing bug in text_area_test.py corrected — test_outside_form was incorrectly checking color_picker proto instead of text_area.

Code Quality

The implementation is clean, consistent, and follows the established patterns from the existing bind support in st.color_picker. Key observations:

• The TextInputSerde and TextAreaSerde dataclasses were enhanced with max_chars for truncation during deserialization. This is important for handling URL-seeded values that may exceed max_chars. Well-designed approach.
• The password/bind guard (text_widgets.py line 415-419) is a good security practice — passwords should never appear in URLs.
• Frontend changes are minimal and leverage existing infrastructure (useBasicWidgetState hook with queryParamBinding config), following the same pattern as ColorPicker.tsx.
• The clearable: true flag is correctly set for both widgets, since empty string is a valid value for text inputs/areas.
• Docstrings are properly updated with Numpydoc style following existing patterns.

Minor note on text_widgets.py: The clearable=True is now always passed to register_widget for both text_input and text_area, even when bind is None. Per the register_widget code, when bind is None, the clearable value defaults to False anyway and is only validated when bind="query-params". So passing clearable=True unconditionally is harmless, but slightly unnecessary when bind is not set. This follows the same pattern as color_picker.py though, so it's consistent.

Test Coverage

Test coverage is thorough across all three layers:

Python unit tests (text_input_test.py, text_area_test.py):

• Tests for bind='query-params' setting query_param_key in proto.
• Tests for missing key raising StreamlitAPIException.
• Tests for invalid bind values raising StreamlitInvalidBindValueError.
• Tests for bind with default value and max_chars.
• Test for password+bind combination raising an exception (text_input only).
• The test_outside_form bug fix (color_picker → text_area) is a welcome correction.

Frontend unit tests (TextInput.test.tsx, TextArea.test.tsx):

• Query param binding registration/unregistration lifecycle tests.
• Negative test for no registration when queryParamKey is absent.
• Tests with custom default values.

E2E tests (st_text_input_test.py, st_text_area_test.py):

• Seeding from URL query params.
• URL updates on widget value change.
• Default value override and param removal when resetting to default.
• Special characters (URL encoding).
• max_chars truncation of URL-seeded values.
• Both positive and negative URL assertions.

One minor concern with E2E tests: The regex r"bound_text" (line 392, 410 of st_text_input_test.py) could theoretically match other params like bound_text_default. In practice this doesn't cause issues because those params are at their defaults and won't appear in the URL. Using a more precise regex like r"bound_text=" or r"[?&]bound_text=" would be slightly more robust, but this is a very minor nit.

Backwards Compatibility

This change is fully backwards compatible:

• The bind parameter defaults to None for both widgets, preserving existing behavior.
• The new protobuf fields (query_param_key) are optional, so older clients/servers handle them gracefully.
• The TextInputSerde and TextAreaSerde max_chars field defaults to None, meaning existing usage without max_chars is unaffected.
• No existing API signatures are changed — bind is added as a new keyword-only argument.

Security & Risk

• Password protection: The explicit guard against bind='query-params' with type='password' is a strong security measure. Passwords in URLs would be visible in browser history, server logs, and referrer headers.
• URL injection: Query param values go through standard URL encoding/decoding and the existing max_chars truncation, so there's no risk of injection.
• No regression risk: The serde truncation change is additive — max_chars=None (the default) preserves the original behavior.

Accessibility

No accessibility concerns. The frontend changes are limited to wiring up the queryParamBinding configuration object, which doesn't alter the DOM structure, ARIA attributes, or keyboard interactions. The widgets continue to use their existing accessible labels, roles, and focus management.

Recommendations

1. Minor (E2E regex precision): In st_text_input_test.py lines 392 and 410, consider using r"[?&]bound_text=" instead of r"bound_text" to avoid potential false matches with bound_text_default or bound_max. Same applies to st_text_area_test.py lines 390 and 408 with r"bound_text_area". This is a very minor robustness improvement and not a blocker.

2. Consider adding typing test: Per the lib/streamlit/AGENTS.md guidelines, there are typing tests in lib/tests/streamlit/typing/ for public API. A typing test for the new bind parameter on text_input and text_area could be added to ensure the type signature stays correct. However, if bind is already covered by an existing shared type test, this may not be needed.

Verdict

APPROVED: Clean, well-tested implementation that follows established patterns from st.color_picker's bind support. The security guard for password inputs is a thoughtful addition. All layers (proto, backend, frontend, tests) are properly covered.

This is an automated AI review by opus-4.6-thinking.