Skip to content

improvement: allow <script src/> in html #2931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mscolnick merged 1 commit into from
Nov 22, 2024
Merged

improvement: allow <script src/> in html #2931

mscolnick merged 1 commit into from
Nov 22, 2024

Conversation

@mscolnick
Copy link
Contributor

@mscolnick mscolnick commented Nov 22, 2024
edited
Loading

This allows <script src/> tags to be properly created. This doesn't open up a new attack vector since this is already possible today with anywidget (running javascript)

cc @koaning

@vercel
Copy link

vercel bot commented Nov 22, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
marimo-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Nov 22, 2024 3:47pm
marimo-storybook ✅ Ready (Inspect) Visit Preview 💬 Add feedback Nov 22, 2024 3:47pm

koaning
koaning reviewed Nov 22, 2024
View reviewed changes
frontend/src/plugins/core/RenderHTML.tsx

const replaceSrcScripts = (domNode: DOMNode): JSX.Element | undefined => {
if (domNode instanceof Element && domNode.name === "script") {
// Missing src, we don't handle inline scripts
Copy link
Contributor

@koaning koaning Nov 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, I guess I might want to add inline scripts in mohtml at some point? Maybe via alpine.js or surreal.js. That way you can easily use it to build custom components for Python classes.

Copy link
Contributor Author

@mscolnick mscolnick Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe, its not hard to add, but tempted to just hold off and see why people need it, if people do, this is the change

const replaceSrcScripts = (domNode: DOMNode): JSX.Element | undefined => {
  if (domNode instanceof Element && domNode.name === "script") {
    const { src, ...attrs } = domNode.attribs;

    // Handle inline scripts
    if (!src) {
      const script = document.createElement("script");
      // Set any additional attributes
      Object.entries(attrs).forEach(([key, value]) => {
        script.setAttribute(key, value);
      });
      // Set content if any exists
      if (domNode.children?.[0]?.data) {
        script.textContent = domNode.children[0].data;
      }
      document.head.append(script);
      return <></>;
    }

    // Handle src scripts
    if (!document.querySelector(`script[src="${src}"]`)) {
      const script = document.createElement("script");
      script.src = src;
      // Set any additional attributes
      Object.entries(attrs).forEach(([key, value]) => {
        script.setAttribute(key, value);
      });
      document.head.append(script);
    }
    return <></>;
  }
};

@mscolnick mscolnick merged commit 17f37f5 into main Nov 22, 2024
31 of 33 checks passed
@mscolnick mscolnick deleted the ms/script-tags branch November 22, 2024 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@koaning koaning koaning left review comments

@akshayka akshayka akshayka approved these changes

Assignees

No one assigned

Labels

merge when ready

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mscolnick @koaning @akshayka