Allow HTML in alert modals #8817
Branch checks and previews (bot comment):
Install Gradio from this PR: pip install https://gradio-builds.s3.amazonaws.com/e732b3b6a8f375788e18979e3e6fab1bc064aaa7/gradio-4.38.1-py3-none-any.whl
Install Gradio Python Client from this PR: pip install "gradio-client @ git+https://github.com/gradio-app/gradio@e732b3b6a8f375788e18979e3e6fab1bc064aaa7#subdirectory=client/python"
Install Gradio JS Client from this PR: npm install https://gradio-builds.s3.amazonaws.com/e732b3b6a8f375788e18979e3e6fab1bc064aaa7/gradio-client-1.3.0.tgz
Is this safe? Is there a scenario in which an error message is being embedded in the returned HTML and a user could manipulate this process and inject something harmful, either directly or via a MITM attack?
At the very least we need to escape the HTML.
Ok @pngwn I am now sanitizing the HTML, which at least makes this consistent with our other Markdown or HTML-based components. Let me know if you have any further suggestions, thanks!
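As an added illustration of the sanitizing step this thread settles on (example code, not Gradio's own implementation): an allowlist-based sanitizer for alert text built only on the Python standard library. The allowed tags, attributes and URL prefixes are assumptions chosen for the example; a script element, an event-handler attribute and a javascript: link in a message string are all dropped while ordinary text and basic formatting survive.

```python
from html import escape
from html.parser import HTMLParser
# Allowlist for a short alert message. These sets are an assumption for this
# example, not Gradio's own configuration; widen them only deliberately.
ALLOWED_TAGS = {"b", "strong", "i", "em", "code", "br", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("https://", "http://", "mailto:")
VOID_TAGS = {"br"}


class AlertSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allowlisted tags/attributes and
    dropping the whole contents of <script> and <style> elements."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers (onclick=...), style=, etc.
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize_alert_html(raw: str) -> str:
    # Return markup from `raw` that is safe to render inside an alert modal.
    parser = AlertSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Calling sanitize_alert_html on the message before it is handed to the modal keeps the behaviour consistent with the other HTML-rendering components mentioned above.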
Looks great. Thanks @abidlabs!
Allows HTML in gr.Info(), gr.Warning(), gr.Error(), etc.
Context: internal link. cc @gary149 @julien-c
Note: downstream clients who receive a gr.Error will see the original raw HTML string, but I don't think that's a problem.