Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2020/08/05 14:31:25 UTC

[GitHub] [beam] prodonjs commented on a change in pull request #12460: [BEAM-10545] HtmlView module

prodonjs commented on a change in pull request #12460:
URL: https://github.com/apache/beam/pull/12460#discussion_r465764186



##########
File path: sdks/python/apache_beam/runners/interactive/extensions/apache-beam-jupyterlab-sidepanel/src/common/HtmlView.tsx
##########
@@ -0,0 +1,119 @@
+// Licensed under the Apache License, Version 2.0 (the 'License'); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+import * as React from 'react';
+
+export interface IHtmlProvider {
+  readonly html: string;
+  readonly script: Array<string>;

Review comment:
       *nit* I think it's generally preferred to use `string[]` for primitive array types.

##########
File path: sdks/python/apache_beam/runners/interactive/extensions/apache-beam-jupyterlab-sidepanel/src/common/HtmlView.tsx
##########
@@ -0,0 +1,119 @@
+// Licensed under the Apache License, Version 2.0 (the 'License'); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+import * as React from 'react';
+
+export interface IHtmlProvider {
+  readonly html: string;
+  readonly script: Array<string>;
+}
+
+interface IHtmlViewProps {
+  htmlProvider: IHtmlProvider;
+}
+
+interface IHtmlViewState {
+  innerHtml: string;
+  script: Array<string>;
+}
+
+/**
+ * A common HTML viewing component that renders given HTML and executes scripts
+ * from the given provider.
+ */
+export class HtmlView extends React.Component<IHtmlViewProps, IHtmlViewState> {
+  constructor(props: IHtmlViewProps) {
+    super(props);
+    this.state = {
+      innerHtml: props.htmlProvider.html,
+      script: []
+    };
+  }
+
+  componentDidMount(): void {
+    this._updateRenderTimerId = setInterval(() => this.updateRender(), 1000);
+  }
+
+  componentWillUnmount(): void {
+    clearInterval(this._updateRenderTimerId);
+  }
+
+  updateRender(): void {
+    const currentHtml = this.state.innerHtml;
+    const htmlToUpdate = this.props.htmlProvider.html;
+    const currentScript = this.state.script;
+    const scriptToUpdate = [...this.props.htmlProvider.script];
+    if (htmlToUpdate !== currentHtml) {
+      this.setState({
+        innerHtml: htmlToUpdate,
+        // As long as the html is updated, clear the script state.
+        script: []
+      });
+    }
+    /* Depending on whether this iteration updates the html, the scripts
+     * are executed differently.
+     * Html updated: all scripts are new, start execution from index 0;
+     * Html not updated: only newly added scripts need to be executed.
+     */
+    const currentScriptLength =
+      htmlToUpdate === currentHtml ? currentScript.length : 0;
+    if (scriptToUpdate.length > currentScriptLength) {
+      this.setState(
+        {
+          script: scriptToUpdate
+        },
+        // Executes scripts once the state is updated.
+        () => {
+          for (let i = currentScriptLength; i < scriptToUpdate.length; ++i) {
+            new Function(scriptToUpdate[i])();
+          }
+        }
+      );
+    }
+  }
+
+  render(): React.ReactNode {
+    return (
+      // This injects raw HTML fetched from kernel into JSX.
+      <div dangerouslySetInnerHTML={{ __html: this.state.innerHtml }} />
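Review bot: `new Function(scriptToUpdate[i])()` at the end of `updateRender` runs each kernel-supplied string as JavaScript in the extension's own page context, so the `script` array carries the same privilege as the rendered markup: whatever the sidepanel can reach in the JupyterLab page (presumably the server API with the user's credentials) is reachable from a kernel that emits a script. The loop also has a failure mode the inline comment does not cover: state is set to `scriptToUpdate` before the scripts execute, so if one of them throws, every later script is skipped and never retried, because the next poll treats them as already executed. At minimum wrap each execution, `try { new Function(scriptToUpdate[i])(); } catch (e) { console.error('HtmlView script failed', e); }`, and state in the class docstring that both `html` and `script` must come from a kernel the user already trusts, since the component does nothing to sandbox either.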

Review comment:
       Haha as the property name suggests, this is definitely a risky operation from a security perspective since the markup being injected has the ability to run scripts in the user's context with access to whatever resources their credentials provide.
   
   Is there any alternative that could be considered? Could you create an `<iframe>` element and render the HTML there so that it's sandboxed? I don't have any fundamental objections to this as I don't know the full context, but I know this type of thing has been looked upon with significant concern by our internal security reviewers and has implications for us being able to include certain types of extensions in our enterprise product.

##########
File path: sdks/python/apache_beam/runners/interactive/extensions/apache-beam-jupyterlab-sidepanel/src/common/HtmlView.tsx
##########
@@ -0,0 +1,119 @@
+// Licensed under the Apache License, Version 2.0 (the 'License'); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+import * as React from 'react';
+
+export interface IHtmlProvider {
+  readonly html: string;
+  readonly script: Array<string>;
+}
+
+interface IHtmlViewProps {
+  htmlProvider: IHtmlProvider;
+}
+
+interface IHtmlViewState {
+  innerHtml: string;
+  script: Array<string>;
+}
+
+/**
+ * A common HTML viewing component that renders given HTML and executes scripts
+ * from the given provider.
+ */
+export class HtmlView extends React.Component<IHtmlViewProps, IHtmlViewState> {
+  constructor(props: IHtmlViewProps) {
+    super(props);
+    this.state = {
+      innerHtml: props.htmlProvider.html,
+      script: []
+    };
+  }
+
+  componentDidMount(): void {
+    this._updateRenderTimerId = setInterval(() => this.updateRender(), 1000);
+  }
+
+  componentWillUnmount(): void {
+    clearInterval(this._updateRenderTimerId);
+  }
+
+  updateRender(): void {
+    const currentHtml = this.state.innerHtml;
+    const htmlToUpdate = this.props.htmlProvider.html;
+    const currentScript = this.state.script;
+    const scriptToUpdate = [...this.props.htmlProvider.script];
+    if (htmlToUpdate !== currentHtml) {
+      this.setState({
+        innerHtml: htmlToUpdate,
+        // As long as the html is updated, clear the script state.
+        script: []
+      });
+    }
+    /* Depending on whether this iteration updates the html, the scripts
+     * are executed differently.
+     * Html updated: all scripts are new, start execution from index 0;
+     * Html not updated: only newly added scripts need to be executed.
+     */
+    const currentScriptLength =
+      htmlToUpdate === currentHtml ? currentScript.length : 0;
+    if (scriptToUpdate.length > currentScriptLength) {
+      this.setState(
+        {
+          script: scriptToUpdate
+        },
+        // Executes scripts once the state is updated.
+        () => {
+          for (let i = currentScriptLength; i < scriptToUpdate.length; ++i) {
+            new Function(scriptToUpdate[i])();
+          }
+        }
+      );
+    }
+  }
+
+  render(): React.ReactNode {
+    return (
+      // This injects raw HTML fetched from kernel into JSX.
+      <div dangerouslySetInnerHTML={{ __html: this.state.innerHtml }} />
+    );
+  }
+
+  private _updateRenderTimerId: number;
+}
+
+/**
+ * Makes the browser support HTML import and import HTML from given hrefs if
+ * any is given.
+ *
+ * Native HTML import has been deprecated by modern browsers. To support
+ * importing reusable HTML templates, webcomponentsjs library is needed.
+ * The given hrefs will be imported once the library is loaded.
+ *
+ * Note everything is appended to head and if there are duplicated HTML
+ * imports, only the first one will take effect.
+ */
+export function importHtml(hrefs: Array<string>): void {
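Review bot: `importHtml` takes a list of `hrefs` that, per its own doc comment, are appended to `<head>` as HTML imports, but neither the signature nor the comment says where those URLs may come from; an HTML import is fetched and run with the page's privileges, so if a caller ever passed kernel- or user-supplied hrefs this would be a second untrusted-code path alongside `HtmlView`. Add a `@param` line stating the contract, e.g. `@param hrefs URLs of HTML templates to import; must be extension-bundled or otherwise trusted, never taken from kernel output.` The body of `importHtml` continues outside the hunk, so I cannot see whether any validation of the hrefs happens there.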

Review comment:
       Is this only included for test purposes? Or is there somewhere else where it's expected to be used?



