Skip to content

1957 svg string fix #2666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AnOctopus merged 15 commits into from
Feb 2, 2021
Merged

1957 svg string fix #2666

AnOctopus merged 15 commits into from
Feb 2, 2021

Conversation

@AnOctopus
Copy link
Contributor

@AnOctopus AnOctopus commented Jan 27, 2021

Issue: #1957

Description: A continuation of the work done in #2003

yashshah1 and others added 14 commits October 21, 2020 00:59
@AnOctopus AnOctopus marked this pull request as ready for review February 1, 2021 23:50
@AnOctopus AnOctopus requested a review from a team February 1, 2021 23:50
tconkling
tconkling approved these changes Feb 2, 2021
View reviewed changes
Copy link
Contributor

@tconkling tconkling left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! If it's not too onerous, I think one additional test that asserts that SVGs are actually being run through our sanitizer would be useful as well (see comment above below).

e2e/specs/st_image.spec.js
Comment on lines +94 to +105

it("displays SVG images that load external images", () => {
cy.get("[data-testid='stImage'] svg")
.eq(0)
.matchImageSnapshot("karriebear-avatar");
});

it("displays links in text as text", () => {
cy.get("[data-testid='stImage'] svg")
.eq(1)
.should("contain", "avatars.githubusercontent");
});
Copy link
Contributor

@tconkling tconkling Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming it would be relatively easy to construct, could you add a test case that verifies that SVG sanitization is actually happening? Like, an SVG test string that will log to the console or open a modal or something else detectable - and a test that asserts that code doesn't actually get run?

(The test could either go in here, or possibly just in ImageList.test.tsx to prevent having to do all the e2e machinery.)

Copy link
Contributor

@karriebear karriebear Feb 2, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm just popping in to point out how I am now part of our codebase 😈

.matchImageSnapshot("karriebear-avatar");

Copy link
Contributor Author

@AnOctopus AnOctopus Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, I'll write that now

Copy link
Contributor Author

@AnOctopus AnOctopus Feb 2, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was actually not easy to construct, at least in a form that would make me confident my test could catch an issue if we didn't do sanitization, because either I'm writing the code wrong, or because the automatic partial jsx sanitization is catching it. Either way, I don't want to include a test for something if it will give unwarranted confidence that it would alert us if something started going wrong.

@AnOctopus
Rename svg sanitization function for clarity
4b1e67c 
As suggested in code review.
@AnOctopus AnOctopus merged commit 5ccd762 into streamlit:develop Feb 2, 2021
@AnOctopus AnOctopus deleted the 1957-svg-string-fix branch February 2, 2021 18:33
@AnOctopus AnOctopus mentioned this pull request Feb 2, 2021
Closed
tconkling added a commit to tconkling/streamlit that referenced this pull request Feb 2, 2021
@tconkling
Merge branch 'develop' into tim/FormProto
f0c785a 
* develop:
  Fix svg rendering in st.image() (streamlit#2666)
  Indicate widgets need to have labels (streamlit#2688)
  Clean up file update calls (streamlit#2597)
  Revert "🔧 "Run on save" now defaults to true (streamlit#2641)" (streamlit#2694)
tconkling added a commit to tconkling/streamlit that referenced this pull request Feb 2, 2021
@tconkling
Merge branch 'develop' into tim/AddWatchdogToTestRequirements
7bc0ef8 
* develop:
  Fix svg rendering in st.image() (streamlit#2666)
  Indicate widgets need to have labels (streamlit#2688)
  Clean up file update calls (streamlit#2597)
  Revert "🔧 "Run on save" now defaults to true (streamlit#2641)" (streamlit#2694)
@karriebear karriebear mentioned this pull request Feb 9, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@karriebear karriebear karriebear left review comments

@tconkling tconkling tconkling approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AnOctopus @tconkling @karriebear @yashshah1