Markdown HTML Reports With Reactable Outputs Flag As Containing Viruses On Gmail/Google Drive

[martin-ingram]

I've got quite few automated reports I generate in Quarto/RMarkdown that contain reactable outputs so users can explore/preview datasets, but have noticed this morning when I'm trying to send a colleague some .html copies of these files that they are now flagging up in Gmail/Google Drive as if the file contains a virus. I've sent these files to others before without issue, and there's no issues for my other reports that don't have reactable outputs within them. Moreover, going back through my sent items to old reports I've sent, they also now get flagged as having a virus too.

I tested this in my workplace Google account, and also on my personal Google account and got the same issue. I also tested on a personal Outlook account, and got no issues, suggesting this is a Google issue thats not specific to my workplace.

I then tested this with a dummy .html file which contained only a reactable with palmerpenguins data and got the same issue, suggesting its not an issue with the datasets I'm using, or with any of my other report outputs.

I've tried updating to the latest versions of the reactable and rmarkdown packages, and get the same issue too. Currently working on R version 4.2.1 (2022-06-23) (its difficult to get latest version in my workplace)

Any advice or guidance would be greatly appreciated.

I've included the .Rmd code below to see if others can reproduce this.

`--- title: "test" output: html_document: df_print: paged theme: yeti self_contained: yes mode: selfcontained

library(tidyverse)
library(reactable)
library(palmerpenguins)

Test_Reactable <- reactable(penguins, 
          highlight = TRUE,
          resizable = TRUE, 
          borderless = FALSE, 
          wrap = TRUE, 
          striped = TRUE)
Test_Reactable

`

[glin]

That's very odd, and it could be some dependency that gets pulled in via htmlwidgets, reactR, Quarto, or R Markdown. It's hard to tell with a self-contained doc since all the dependencies get bundled into the same file. To figure out which dependency is getting flagged, could you try rendering the doc with self-contained mode turned off? That should output all the JavaScript dependencies as separate folders/files. Then you can try uploading those files one-by-one to see which one gets flagged. Just throwing out a wild guess, it may be some old version of jQuery getting pulled in from somewhere.

[pdiakumis]

Randomly stumbled on this and thought of a similar issue in the DT package which was due to a eval() in the HTML comments of all things, not sure if it helps: https://github.com/rstudio/DT/issues/1080

[glin]

Thanks for that tip. I looked into this a bit more and don't think it's the eval() comments. Those comments are in htmlwidgets and come with every htmlwidget, including DT 0.29, although that could've still been the issue with DT. I manually deleted eval() comments from a self-contained reactable doc and gmail still flagged it.

So far I've been able to appease the gmail virus scanner in two odd ways:

• By pretty-formatting the self-contained R Markdown HTML doc. No idea why this works, but it may be the best workaround now.
• By removing React from the reactable dependencies. The package can't work without React, but at least this probably narrows it down to a minified React causing the flag? This will be pretty hard to work around.