Chatbot sanitize removes scripting from messages.

[jrowen]

Describe the bug

A recent update to the chatbot (#4360) is now removing script tags from chatbot messages. For example, I'm trying to append a button tag with an onclick property, but the onclick is being removed when the message is displayed in the chatbot: <button style="font-size:18px;" onclick="alert(\'good\')">Click</button>

Have you searched existing issues? 🔎

• I have searched and found no existing issues

Reproduction

Include the following in a chatbot response: <button style="font-size:18px;" onclick="alert(\'good\')">Click</button>

Screenshot

No response

Logs

No response

System Info

Gradio Environment Information:
------------------------------
Operating System: Linux
gradio version: 3.41.2
gradio_client version: 0.5.0

------------------------------------------------
gradio dependencies in your environment:

aiofiles: 23.2.1
altair: 5.1.0
fastapi: 0.103.0
ffmpy: 0.3.1
gradio-client==0.5.0 is not installed.
httpx: 0.24.1
huggingface-hub: 0.16.4
importlib-resources: 6.0.1
jinja2: 3.1.2
markupsafe: 2.1.3
matplotlib: 3.7.2
numpy: 1.25.2
orjson: 3.9.5
packaging: 23.1
pandas: 2.0.3
pillow: 10.0.0
pydantic: 1.10.12
pydub: 0.25.1
python-multipart: 0.0.6
pyyaml: 6.0.1
requests: 2.31.0
semantic-version: 2.10.0
typing-extensions: 4.5.0
uvicorn: 0.23.2
websockets: 11.0.3
authlib; extra == 'oauth' is not installed.
itsdangerous; extra == 'oauth' is not installed.


gradio_client dependencies in your environment:

fsspec: 2023.6.0
httpx: 0.24.1
huggingface-hub: 0.16.4
packaging: 23.1
requests: 2.31.0
typing-extensions: 4.5.0
websockets: 11.0.3

Severity

Blocking usage of gradio

[abidlabs]

Hi @jrowen we've just added a kwarg to disable html sanitization in the gr.Chatbot -- see here: #5304

You can see instructions in the PR on how to install gradio from the PR branch, or you can wait until we release a version of gradio (probably later this week).