Conversation
| return ( | ||
| <div | ||
| {...props} | ||
| dangerouslySetInnerHTML={{ |
There was a problem hiding this comment.
Let's not do this. This is a big security hole.
Our goal with allow_unsafe_html wasn't to provide a way for users to do absolutely anything they wanted. Instead we were actually preparing to deprecate an existing feature (Markdown HTML support) due to security concerns. But if we just removed that feature we would break some users' apps, and that's no good. So a temporary solution was to give people an escape hatch while we developed more secure solutions for them. Let's not move back to a less secure model now.
Regarding bug #247, the Markdown component we are using should already be able to support <span style="color: blue">. You can try it out here. Their HTML support is not perfect, but it provides a little bit of filtering against obviously bad HTML code, like <script> tags.
You can do <span style="color: blue"> in the link above but not in Streamlit, so there seems to be something funny about how we're using that component. Let's fix that instead.
There was a problem hiding this comment.
Resolved using htmlParser plugin, but there is an existing module in which you can specify allowed tags to be rendered , that could be a possibilty https://www.npmjs.com/package/sanitize-html instead of using markdown.
tvst
left a comment
tvst
left a comment
There was a problem hiding this comment.
Can you also run make notices before committing?
* develop:
Read config from ${CWD}/.streamlit/config.toml (streamlit#227)
Fix unsafe_allow_html (streamlit#259)
Support cli parameters (streamlit#186)
Update README.md
Update README.md (streamlit#282)
Bug fix: make Streamlit watch files in subfolders again (streamlit#265)
fix st.code("") (streamlit#272)
different jslint commands for circleci and not (streamlit#273)
Batch updates to report elements in the App state (streamlit#194)
Minor typo in pull_request_template.md (streamlit#262)
Fix wrong quote used in the provided sample code (streamlit#267)
Fix websocket port handling (streamlit#263)
Closing sidebar when clicking outside (streamlit#223)
Version 0.47.2 (streamlit#212)
[docs] Changed value in Show progress section of docs/getting_started.md to fix error (Issue streamlit#234) (streamlit#235)
Update README.md
2 participants
Issue: #247
Decription: Replacing markdown with dangerouslySetInnerHTML
Contribution License Agreement
By submiting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.