Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
dash-dangerously-set-inner-html
Advanced tools
Render a string of raw, unescaped HTML.
This uses React.js's dangerouslySetInnerHTML
method.
From React.js's documentation, note that:
Setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) (https://en.wikipedia.org/wiki/Cross-site_scripting) attack.
So, you can set HTML directly in Dash through React.js, but you have to type out dangerouslySetInnerHTML to remind yourself that it's dangerous.
In most cases, you are safer using the Dash HTML component classes,
dash-html-components (https://github.com/plotly/dash-html-components).
You can also provide HTML in a sandboxed iframe using the
dash_html_components.IFrame(srcDoc='raw html here')
component, see https://community.plot.ly/t/rendering-html-similar-to-markdown/6232/2?u=chriddyp
Note that the elements in the HTML block that is generated can not be targeted with Dash callbacks.
Install with
pip install dash-dangerously-set-inner-html
import dash_dangerously_set_inner_html
import dash
import dash_html_components as html
app = dash.Dash('')
app.scripts.config.serve_locally = True
app.layout = html.Div([
dash_dangerously_set_inner_html.DangerouslySetInnerHTML('''
<h1>Header</h1>
'''),
])
if __name__ == '__main__':
app.run_server(debug=True)
Go to this link to learn about Dash.
# Install dependencies
$ npm install
# Watch source for changes and build to `lib/`
$ npm start
You can start up a demo development server to see a demo of the rendered components:
$ builder run demo
$ open http://localhost:9000
You have to maintain the list of components in demo/Demo.react.js
.
$ npm test
$ npm run test-watch
$ npm run test-debug
Cmd+opt+i
).webpack:// -> . -> spec/components
to find your test source files.webpack:// -> [your/repo/path]] -> dash-dangerously-set-inner-html -> src
to find your component source files.In your test, append .only
to a describe
or it
statement:
describe.only('Foo component', () => {
// ...
});
Build development bundle to lib/
and watch for changes
# Once this is started, you can just leave it running.
$ npm start
Install module locally (after every change)
# Generate metadata, and build the JavaScript bundle
$ npm run install-local
# Now you're done. For subsequent changes, if you've got `npm start`
# running in a separate process, it's enough to just do:
$ python setup.py install
Run the dash layout you want to test
# Import dash-dangerously-set-inner-html to your layout, then run it:
$ python my_dash_layout.py
TODO: There is a workflow that links your module into site-packages
which would
make it unnecessary to re-run 2.
on every change: python setup.py develop
.
Unfortunately, this doesn't seem to work with resources defined in
package_data
.
See https://github.com/plotly/dash-components-archetype/issues/20
Before publishing to PyPi, you can test installing the module locally:
# Install in `site-packages` on your machine
$ npm run install-local
$ npm run uninstall-local
For now, multiple steps are necessary for publishing to NPM and PyPi, respectively. TODO: #5 will roll up publishing steps into one workflow.
Ask @chriddyp to get NPM / PyPi package publishing accesss.
Preparing to publish to NPM
# Bump the package version
$ npm version major|minor|patch
# Push branch and tags to repo
$ git push --follow-tags
Preparing to publish to PyPi
# Bump the PyPi package to the same version
$ vi setup.py
# Commit to github
$ git add setup.py
$ git commit -m "Bump pypi package version to vx.x.x"
Publish to npm and PyPi
$ npm run publish-all
We use Builder to centrally manage build configuration, dependencies, and scripts.
To see all builder
scripts available:
$ builder help
See the dash-components-archetype repo for more information.
0.0.2 - 2018-12-18
prop-types
instead of React.PropTypes for React 15 & 16 supportFAQs
A dash component for specifying raw HTML
The npm package dash-dangerously-set-inner-html receives a total of 373 weekly downloads. As such, dash-dangerously-set-inner-html popularity was classified as not popular.
We found that dash-dangerously-set-inner-html demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 23 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.