
html output feature #245

Closed
dridk opened this issue Dec 11, 2019 · 4 comments

Comments

@dridk

dridk commented Dec 11, 2019

hi,

what about having html content as output and display the content in the browser ?

@bugy
Owner

bugy commented Dec 12, 2019

Hi @dridk, I find it a little bit insecure, but why not.
Does your script already write HTML as output? And could you share what kind of HTML you expect (structure, elements, etc.)?

@tsp-kucbd

tsp-kucbd commented Jun 16, 2020

I hijack this thread as I had a similar one.

One example for dynamically generating html output via plotly would be

```python
import plotly.express as px

df = px.data.iris()  # plotly's built-in sample dataset
fig = px.scatter(df, x="sepal_width", y="sepal_length", color="species",
                 size='petal_length', hover_data=['petal_width'])
html_output = fig.to_html()  # standalone page with plotly.js inlined in a <script> tag
print(html_output)  # warning long output (3298755 characters)
```

html_output has the following elements (each line truncated to its first 100 characters)

```python
print(*[x[:100] for x in html_output.splitlines()], sep='\n')
```

```text
<html>
<head><meta charset="utf-8" /></head>
<body>
    <div>

                <script type="text/javascript">window.PlotlyConfig = {MathJaxConfig: 'local'};</scri
        <script type="text/javascript">/**
* plotly.js v1.51.2
* Copyright 2012-2019, Plotly, Inc.
* All rights reserved.
* Licensed under the MIT license
*/
!function(t){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=t();else if("fun
            <div id="b5ff9562-d537-42b3-9cc8-90606ec650f9" class="plotly-graph-div" style="height:10
            <script type="text/javascript">

                    window.PLOTLYENV=window.PLOTLYENV || {};

                if (document.getElementById("b5ff9562-d537-42b3-9cc8-90606ec650f9")) {
                    Plotly.newPlot(
                        'b5ff9562-d537-42b3-9cc8-90606ec650f9',
                        [{"customdata": [[0.2], [0.2], [0.2], [0.2], [0.2], [0.4], [0.3], [0.2], [0.
                        {"legend": {"itemsizing": "constant", "tracegroupgap": 0}, "margin": {"t": 6
                        {"responsive": true}
                    )
                };

            </script>
        </div>
</body>
</html>
```

@bugy bugy added this to the 1.17.0 milestone Nov 18, 2020
bugy added a commit that referenced this issue Feb 28, 2021
@bugy bugy added the resolved label Feb 28, 2021
@bugy
Owner

bugy commented Feb 28, 2021

Done, HTML can be enabled by setting "output_format": "html" or "output_format": "html_iframe" in script configuration.
The latter also enables linked javascript/css files (plotly example), but sacrifices Script server styles (fonts/colors/padding/etc.). So unless needed, it's better to use html.

These output formats do not support: ANSI escape sequences, links highlighting, inline images.
If it's needed, please create a separate ticket.

Here is the example of the plotly output above (rendered with html_iframe):
[image: screenshot of the rendered plotly output]

@bugy
Owner

bugy commented Apr 18, 2021

Some important note regarding XSS attacks:

  • html format should be safe, as Script server will do output sanitizing (e.g. removing any dangerous HTML tags/attributes). This might be unexpected behaviour in some cases, but it's better to be safe than sorry. This protection is on dev as of today.
  • html_iframe has absolutely no XSS protection, to make CSS/scripts work. So please avoid using it for untrusted users

(this is also described in the Wiki now)
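As an added illustration of the kind of output sanitizing the html format relies on (example code written for this page, not Script server's own implementation; the tag and attribute allowlists are assumptions), here is an allowlist-based sanitizer built on the standard library's html.parser. It discards the inline <script> blocks a plotly page carries (which is exactly why such output needs html_iframe), and strips event-handler attributes and javascript: URLs while keeping ordinary markup:

```python
from html import escape
from html.parser import HTMLParser

# Allowlists are constructed for this example; Script server's own lists may differ.
ALLOWED_TAGS = {"html", "head", "body", "div", "p", "span", "b", "i", "em", "strong", "h1",
                "h2", "h3", "table", "thead", "tbody", "tr", "th", "td", "ul", "ol", "li", "br", "pre", "code", "a", "img"}
ALLOWED_ATTRS = {"class", "id", "href", "src", "alt", "title"}        # no style, no on* handlers
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and its body are removed
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")                 # rejects javascript:, data:, ...


class OutputSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a <script>-like element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text is still emitted (escaped) by handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted as markup


def sanitize_html(markup: str) -> str:
    parser = OutputSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Fed the plotly page from the earlier comment, this keeps the div structure and drops every script, so the plot would not render; that trade-off is what the html_iframe format gives up protection for.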

@bugy bugy closed this as completed Mar 16, 2023