Ag-Grid component with input support

I had this problem on streamlit-echarts and I found a workaround inside the pyecharts codebase that I found OK for my needs, which is actually what @Shinigami86 says:

I basically enclose any JS code with some placeholder values on the Python side,

class JsCode:
    """Marks a string as JS source so the frontend can tell it apart from plain config text."""

    def __init__(self, js_code: str):
        # Same marker on both ends; the frontend only converts strings wrapped like this.
        js_placeholder = "--x_x--0_0--"
        self.js_code = f"{js_placeholder}{js_code}{js_placeholder}"

then I map over every (nested) value of the JSON, regex each one of them for those placeholders, and rebuild the functions with the new Function syntax, which should not eval immediately, so aggrid should be the sole runner of the function (you can check in https://github.com/andfanilo/streamlit-echarts/tree/master/streamlit_echarts/frontend/src how I did this)

There’s been a lot of debate over the security concern within the Streamlit team and component creators (like this similar one: Disqus integration - #12 by tim). But ultimately, from my experience on streamlit-echarts:

  • at least for Streamlit sharing apps, every one of those is open-source on GitHub, so anyone can check if an app is running some malicious JS code
  • as long as you don’t enable live-editing of JS code to configure the grid (like “insert your own JS snippet in this text box” to then inject in your JSON config), then the Streamlit user of st_aggrid should be the only one accountable for running JS, not the millions of users using the deployed app and running malicious JS for everyone in place of some text color config
  • echarts and aggrid may actually have safeguards on JS code; I have not checked.

So for me, given those constraints, the benefits outweigh the risks, but ultimately this stays your decision as the library maintainer :slight_smile:

Oh that’s a good idea! If you really feel at odds with the “inject JS” idea (which really is understandable), one can have an st_aggrid and then an st_aggrid_unsafe which enables JS code in configuration but also writes a st.info("This code uses the unsafe version of st_aggrid") or something for the user of the app.

3 Likes
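The frontend half of the placeholder scheme described above, as an added example written for this page (it is not the streamlit-echarts or st_aggrid code): it walks a nested config, converts only strings wrapped by the exact marker on both ends into functions with new Function, and leaves every other string alone. The marker value is the one quoted in the post; the function names and the sample config are assumed.

```javascript
// Added example, not code from streamlit-echarts or st_aggrid.
// The placeholder is the one quoted in the post; everything else is assumed.
const JS_PLACEHOLDER = "--x_x--0_0--";

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Mirror of the Python-side JsCode wrapper, used here only to build sample input.
function wrapJsCode(jsCode) {
  return `${JS_PLACEHOLDER}${jsCode}${JS_PLACEHOLDER}`;
}

// Only a string wrapped on BOTH ends counts as code; a stray marker is plain text.
const WRAPPED_RE = new RegExp(
  `^${escapeRegExp(JS_PLACEHOLDER)}([\\s\\S]*?)${escapeRegExp(JS_PLACEHOLDER)}$`
);

// new Function compiles the source but does not call the resulting function;
// the grid is the one that invokes it later. Whatever is wrapped runs with the
// full privileges of the page, so the config must come from the app author only.
function rebuildFunction(source) {
  return new Function(`return (${source});`)();
}

// Recursively rebuild a config: wrapped strings become functions, all other
// values are copied unchanged. The input object is not mutated.
function rebuildFunctions(value) {
  if (typeof value === "string") {
    const m = WRAPPED_RE.exec(value);
    return m ? rebuildFunction(m[1]) : value;
  }
  if (Array.isArray(value)) return value.map(rebuildFunctions);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = rebuildFunctions(v);
    return out;
  }
  return value;
}

// Constructed sample of what the Python side would serialise for a grid config.
const sampleConfig = {
  columnDefs: [
    {
      field: "price",
      cellStyle: wrapJsCode(
        "function(params) { return { color: params.value > 10 ? 'red' : 'black' }; }"
      ),
    },
    { field: "name", cellStyle: "--x_x--0_0--not closed" }, // half marker: stays text
  ],
  rowStyle: { background: "white" },
};
```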