Skip to content

Fix st.Page accepting slash-only url_path without raising exception#14005

Merged
sfc-gh-bnisco merged 8 commits intostreamlit:developfrom
nileshhadalgi016:fix/page-slash-only-url-path
Feb 20, 2026
Merged

Fix st.Page accepting slash-only url_path without raising exception#14005
sfc-gh-bnisco merged 8 commits intostreamlit:developfrom
nileshhadalgi016:fix/page-slash-only-url-path

Conversation

@nileshhadalgi016
Copy link
Copy Markdown
Contributor

@nileshhadalgi016 nileshhadalgi016 commented Feb 18, 2026

Describe your changes

st.Page accepted url_path values consisting only of slashes (e.g., "/", "///") without raising a StreamlitAPIException. The existing validation only checked for whitespace-only strings via strip(), but slash-only strings passed that check. After strip("/"), they silently became empty strings, which could cause routing issues for non-default pages.

The fix: Strip slashes first, then check if the result is empty for non-default pages — raising the same exception as for empty-string url_path.

Changes

  • lib/streamlit/navigation/page.py: Added a check for slash-only url_path values. After strip("/"), if the result is empty and the page is not the default, raise StreamlitAPIException.
  • lib/tests/streamlit/navigation/page_test.py: Added test_non_default_pages_cannot_have_slash_only_url_path with test cases for "/", "//", and "///".

GitHub Issue Link (if applicable)

Closes #13952

Testing Plan

  • Unit Tests (Python): Added test_non_default_pages_cannot_have_slash_only_url_path covering "/", "//", and "///" inputs.
  • All 22 existing page tests continue to pass.
  • No manual testing needed — this is input validation logic.

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

Copilot AI review requested due to automatic review settings February 18, 2026 18:17
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Feb 18, 2026

Thanks for contributing to Streamlit! 🎈

Please make sure you have read our Contributing Guide. You can find additional information about Streamlit development in the wiki.

The review process:

  1. Initial triage: A maintainer will apply labels, approve CI to run, and trigger AI-assisted reviews. Your PR may be flagged with status:needs-product-approval if the feature requires product team sign-off.

  2. Code review: A core maintainer will start reviewing your PR once:

    • It is marked as 'ready for review', not 'draft'
    • It has status:product-approved (or doesn't need it)
    • All CI checks pass
    • All AI review comments are addressed

We're receiving many contributions and have limited review bandwidth — please expect some delay. We appreciate your patience! 🙏

@snyk-io
Copy link
Copy Markdown
Contributor

snyk-io bot commented Feb 18, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens st.Page URL-path validation to reject url_path values that consist only of slashes (e.g. "/", "///") for non-default pages, preventing them from silently normalizing to an empty route.

Changes:

  • Update StreamlitPage.__init__ validation to detect slash-only url_path values after normalization.
  • Add a unit test ensuring non-default pages raise StreamlitAPIException for slash-only url_path inputs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
lib/streamlit/navigation/page.py Normalizes url_path and raises for non-default pages when it resolves to empty.
lib/tests/streamlit/navigation/page_test.py Adds coverage for slash-only url_path rejection on non-default pages.

@nileshhadalgi016 nileshhadalgi016 force-pushed the fix/page-slash-only-url-path branch from d1f918c to 25fbb0c Compare February 18, 2026 18:25
@nileshhadalgi016
Fix st.Page accepting slash-only url_path without raising exception
7d94248 
st.Page accepted url_path values like '/' or '///' without raising a
StreamlitAPIException. The existing check only validated whitespace-only
strings via strip(), but slash-only strings passed that check. After
strip('/'), they silently became empty strings, which could cause
routing issues for non-default pages.

The fix strips slashes first and checks if the result is empty, raising
the same exception as for empty strings.

Closes streamlit#13952
@nileshhadalgi016 nileshhadalgi016 force-pushed the fix/page-slash-only-url-path branch from 25fbb0c to 7d94248 Compare February 18, 2026 18:25
nileshhadalgi016

This comment was marked as off-topic.

Sign in to view

Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@sfc-gh-bnisco sfc-gh-bnisco added feature:multipage-apps Related to multipage app navigation change:bugfix PR contains bug fix implementation impact:users PR changes affect end users labels Feb 18, 2026
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

@sfc-gh-bnisco sfc-gh-bnisco added the do-not-merge PR is blocked from merging label Feb 18, 2026
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@nileshhadalgi016
refactor: improve test style per review feedback
53074c3 
- Remove unnecessary @patch for Path.is_file (callable page doesn't use it)
- Add type annotations (url_path: str, -> None)
- Format ids list one per line (line length compliance)
- Add match='empty' to pytest.raises for specific error assertion
- Wrap docstring to 88 chars
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

@sfc-gh-bnisco @claude
fix: move slash-only url_path test into DeltaGeneratorTestCase
62320e5 
Move test_non_default_pages_cannot_have_slash_only_url_path into the
StPagesTest class to ensure ScriptRunContext is properly set up. The
standalone test was failing in isolation because StreamlitPage.__init__
returns early when get_script_run_ctx() is None, skipping validation.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Feb 20, 2026

Summary

This PR fixes a validation gap in st.Page where non-default pages could accept url_path values made only of slashes (for example "/" or "///"), which then normalized to an empty path. The update in lib/streamlit/navigation/page.py correctly treats these inputs as invalid for non-default pages and raises StreamlitAPIException, and a new unit test is added in lib/tests/streamlit/navigation/page_test.py to prevent regressions.

Code Quality

The code change is small, focused, and readable. In lib/streamlit/navigation/page.py (around lines 256-263), the implementation strips slashes once into stripped_url_path, validates emptiness after normalization, and then reuses that normalized value. This avoids duplicated normalization logic and preserves existing nested-path validation behavior.

No maintainability or style issues were identified relative to the applicable AGENTS.md guidance.

Test Coverage

Coverage is good for this bug fix:

  • lib/tests/streamlit/navigation/page_test.py adds test_non_default_pages_cannot_have_slash_only_url_path (around lines 166-172).
  • The test includes multiple high-signal edge cases ("/", "//", "///", "////", "/// ", "/\t/") and checks that the expected API exception is raised.

Given this is backend input-validation logic, unit-level coverage is appropriate and e2e coverage is not strictly necessary for this fix.

Backwards Compatibility

This introduces an intentional behavior change for previously accepted invalid inputs: non-default pages can no longer use slash-only url_path values. That is the correct fix and aligns behavior with existing empty-path constraints.

The change is otherwise backwards compatible for valid url_path values and for default-page behavior (and not default guard remains in place).

Security & Risk

No direct security concerns were found. Regression risk appears low because:

  • The patch is tightly scoped to url_path normalization/validation.
  • Existing validation checks (including nested path rejection) remain intact.
  • A regression unit test was added for the reported issue class.

Accessibility

No frontend/UI code changed in this PR, so there are no direct accessibility impacts.

Recommendations

  1. Consider adding one explicit unit test that default=True still ignores slash-only url_path inputs, to lock down default-page semantics against future refactors.

Verdict

APPROVED: The fix is correct, low-risk, and adequately covered by targeted unit tests.

This is an automated AI review by gpt-5.3-codex-high. Please verify the feedback and use your judgment.

@github-actions github-actions bot removed the do-not-merge PR is blocked from merging label Feb 20, 2026
Copilot AI reviewed Feb 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

graphite-app[bot]
graphite-app bot reviewed Feb 20, 2026
View reviewed changes
@sfc-gh-bnisco sfc-gh-bnisco merged commit 1f77f42 into streamlit:develop Feb 20, 2026
52 checks passed
This was referenced Feb 20, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

Copilot code review Copilot Copilot left review comments

@sfc-gh-bnisco sfc-gh-bnisco sfc-gh-bnisco approved these changes

Assignees

No one assigned

Labels

change:bugfix PR contains bug fix implementation feature:multipage-apps Related to multipage app navigation impact:users PR changes affect end users

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

st.Page accepts slash-only url_path (e.g. "///") without raising an exception

3 participants

@nileshhadalgi016 @sfc-gh-bnisco