Added rich HTML previewer #40
5.2curlcommands.md
@@ -50,6 +50,31 @@ curl -X POST -H 'Content-type: application/json' http://localhost:8080/api/admin | |||
}' | |||
``` | |||
|
|||
> The following HTML previewer allows users, after consent, to display HTML files that contain scripts for plotting etc. Please note, that this should not to be confused with the default HTML previewer. If you do NOT wish to add this previewer, please make sure to use the one above. |
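Review bot: the added note reads "should not to be confused", which should be "should not be confused", and it never says what the user is consenting to. I would state in this sentence that scripts in the HTML file run in the viewer's browser once consent is given, and replace "the one above" with the name of the default HTML previewer so the reference survives later reordering of this file.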
FWIW: I'm OK with just calling this something like 'Rich HTML Previewer' in terms of class name and labels and just having text here that says 'Rich HTML Previewer - Potential Issues if used with malicious content'.
Alright, would you also suggest renaming the corresponding js and html files to `richhtml.js` and `RichHtmlPreview.html`, respectively? Sounds less scary than "insecure".
@@ -0,0 +1,64 @@ | |||
$(document).ready(function () { | |||
|
|||
const MESSAGE = "This data file includes JavaScript which may need to run for the data to display properly.\n\nYou can click the OK to allow the JavaScript to run, but be sure you trust this datafile as a malicious JavaScript could harm your computer (with the same concerns as if you went to a malicious website outside of Dataverse).\n\nIf you wish to not run the complete page, click Abort to be redirected to Dataverse." |
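Review bot: the MESSAGE text on the added const line tells the user to "click the OK" and to "click Abort", so the wording has to match the buttons the dialog actually shows. If this string goes to the browser's native confirm dialog, the browser supplies the button labels and "Abort" may not appear. I would either name the buttons as displayed or render a custom dialog whose labels match the text. Two smaller points on the same line: the statement has no terminating semicolon, and "a malicious JavaScript" reads better as "malicious JavaScript".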
Can you use the $.i18n mechanism for this text?
I haven't used `i18n` before. Is this the correct usage? `$.i18n(...message...)`
~yes - your message text goes in https://github.com/gdcc/dataverse-previewers/blob/develop/previewers/betatest/i18n/en.json and you reference by the title you give it.
Thanks, just committed the changes.
Overview
As discussed in issue #31 and in previous chats with @qqmyers and @pdurbin, this PR introduces an insecure HTML previewer to allow users to display pages that contain `script` tags. This is especially useful in cases where interactive figures or other third-party libraries are involved in rendering data.
How it works
Upon redirecting to the external tool, the user is presented with a confirmation window that discloses the potential risks of using the previewer. The whole HTML page will be rendered with its script content if given consent. The user will be redirected to the dataset page if no consent is given.
Example
I've included an example based on an example found on this DaRUS file using Plotly for an interactive plot. For reproducibility adapt the following URL:
Using the default HTML previewer
Using the rich HTML previewer from this PR
The consent message
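
The consent flow described under "How it works", combined with one hardening option, as an added example that is not code from this PR. Rendering inside a sandboxed iframe is an assumption of this sketch, not something the PR describes, and every function name and the sample URL are hypothetical.

```javascript
// Added example: consent gate plus sandboxed rendering. Not code from this PR.
// All function names are hypothetical.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Wrap untrusted HTML in an iframe whose sandbox allows scripts only.
// Without allow-same-origin the framed page gets an opaque origin, so its
// scripts run (plots render) but cannot read the embedding page's cookies,
// storage or DOM.
function buildSandboxedFrame(untrustedHtml) {
  return '<iframe sandbox="allow-scripts" srcdoc="' +
    escapeAttr(untrustedHtml) + '"></iframe>';
}

// Decide what the previewer does after the confirmation dialog.
// consented: the boolean the dialog returned; datasetUrl: where to send the
// user when consent is refused (assumed to be supplied by the caller).
function previewAction(consented, untrustedHtml, datasetUrl) {
  if (consented !== true) {
    return { type: 'redirect', url: datasetUrl };
  }
  return { type: 'render', markup: buildSandboxedFrame(untrustedHtml) };
}

// Constructed sample input: a file whose script contains quotes and an ampersand.
const sampleFile = '<div id="plot"></div><script>document.title = "a & b";</script>';
console.log(previewAction(true, sampleFile, 'https://dataverse.example/dataset'));
console.log(previewAction(false, sampleFile, 'https://dataverse.example/dataset'));
```

Anything other than an explicit `true` from the dialog is treated as refusal, so a dismissed or failed prompt never leads to script execution.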