h2oai / wave

Realtime Web Apps and Dashboards for Python and R
https://wave.h2o.ai
Apache License 2.0

ui.table with markdown doesn't render text html.escape() #2392

Open pascal-pfeiffer opened 18 hours ago

pascal-pfeiffer commented 18 hours ago

Wave SDK Version, OS

Wave 1.5.1

Actual behavior

Given I have some html text that I want to display in ui.table, together with other markdown text in the same column. I want to prevent code injection attacks, so I am using html.escape() on all text first.

When rendering in Wave, some escaped html characters are not visualized correctly:

escaped csv

Name: Content, dtype: object
0                                         <ul>\r
1                                         <ul>\r
2        <li><label for="usermail&quo...
3        <li><label for="usermail&quo...
Name: Content, dtype: object

So, somehow <ul> gets visualized correctly while <li><label for="usermail">Email</label> is rendered with escaped strings &lt;.

image

Expected behavior

Render escaped markdown in ui.table()

Potential improvement

Add a flag to force safe rendering in ui.table() to reduce the risk of code injection.

pascal-pfeiffer commented 17 hours ago

This gets even more complex when combined with code fields. In this case, I would not want to escape anything inside the code blocks, but escape anything outside of them to prevent code injection.
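An added example (not part of the issue and not Wave's own code) of the "escape everything outside the code blocks" approach described in the comment above, using only the Python standard library. It assumes code is marked with triple-backtick fences or single-backtick inline spans, and it relies on the markdown renderer treating code content literally; an unterminated fence is not treated as code, so its contents are still escaped.

```python
import html
import re

# A fenced code block (```...```, possibly spanning lines) or an inline
# code span (`...`). Non-greedy so each fence closes at the next ```.
# A lone or unterminated run of backticks matches nothing, so that text
# falls through to the escaping path (safe default).
_CODE_RE = re.compile(r"```.*?```|`[^`\n]+`", re.DOTALL)


def escape_outside_code(text: str) -> str:
    """html.escape() every segment of `text` that is not inside a fenced
    code block or inline code span; code segments are copied verbatim."""
    parts = []
    pos = 0
    for m in _CODE_RE.finditer(text):
        # Prose before this code segment: escape <, >, &, " and '.
        parts.append(html.escape(text[pos:m.start()], quote=True))
        # The code segment itself: left untouched for the markdown renderer.
        parts.append(m.group(0))
        pos = m.end()
    # Trailing prose after the last code segment (or the whole text).
    parts.append(html.escape(text[pos:], quote=True))
    return "".join(parts)


if __name__ == "__main__":
    # Constructed cell content mixing markdown, raw HTML and a code block.
    cell = (
        "Form markup <ul>\n"
        '<li><label for="usermail">Email</label></li>\n'
        "```html\n<ul><li>kept as-is</li></ul>\n```\n"
        "Use `<br>` sparingly."
    )
    print(escape_outside_code(cell))
```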