@marimo-team/frontend 0.23.1-dev9 → 0.23.1

package/src/plugins/impl/data-explorer/DataExplorerPlugin.tsx

@@ -3,7 +3,6 @@ import "../vega/vega.css";
 
 import React from "react";
 import { z } from "zod";
-import { TooltipProvider } from "@/components/ui/tooltip";
 import { createPlugin } from "@/plugins/core/builder";
 import type { DataExplorerState } from "./ConnectedDataExplorerComponent";
 
@@ -21,11 +20,9 @@ export const DataExplorerPlugin = createPlugin<DataExplorerState>(
     }),
   )
   .renderer((props) => (
-    <TooltipProvider>
-      <LazyDataExplorerComponent
-        {...props.data}
-        value={props.value}
-        setValue={props.setValue}
-      />
-    </TooltipProvider>
+    <LazyDataExplorerComponent
+      {...props.data}
+      value={props.value}
+      setValue={props.setValue}
+    />
   ));

package/src/plugins/impl/mpl-interactive/MplInteractivePlugin.tsx

@@ -5,12 +5,14 @@ import { useCallback, useEffect, useRef } from "react";
 import { z } from "zod";
 import { useEventListener } from "@/hooks/useEventListener";
 import { createPlugin } from "@/plugins/core/builder";
+import { isTrustedVirtualFileUrl } from "@/plugins/core/trusted-url";
 import { MODEL_MANAGER, type Model } from "@/plugins/impl/anywidget/model";
 import type { ModelState, WidgetModelId } from "@/plugins/impl/anywidget/types";
 import type { IPluginProps } from "@/plugins/types";
 import { downloadBlob } from "@/utils/download";
 import { Logger } from "@/utils/Logger";
 import { MplCommWebSocket } from "./mpl-websocket-shim";
+import { Functions } from "@/utils/functions";
 
 const MPL_SCOPE_CLASS = "mpl-interactive-figure";
 
@@ -73,6 +75,11 @@ async function ensureMplJs(jsUrl: string): Promise<void> {
   if (window.mpl) {
     return;
   }
+  if (!isTrustedVirtualFileUrl(jsUrl)) {
+    throw new Error(
+      `Refusing to load mpl.js from untrusted URL: ${String(jsUrl)}`,
+    );
+  }
   if (mplJsLoading) {
     return mplJsLoading;
   }
@@ -148,6 +155,12 @@ function patchToolbarImages(
 }
 
 function injectCss(container: HTMLElement, cssUrl: string): () => void {
+  if (!isTrustedVirtualFileUrl(cssUrl)) {
+    Logger.error(
+      `Refusing to load mpl CSS from untrusted URL: ${String(cssUrl)}`,
+    );
+    return Functions.NOOP;
+  }
   const link = document.createElement("link");
   link.rel = "stylesheet";
   link.href = cssUrl;
@@ -307,3 +320,11 @@ const MplInteractiveSlot = (props: IPluginProps<ModelIdRef, Data>) => {
   // Must match _MPL_SCOPE in from_mpl_interactive.py
   return <div ref={containerRef} className={MPL_SCOPE_CLASS} />;
 };
+
+export const visibleForTesting = {
+  ensureMplJs,
+  injectCss,
+  resetMplJsLoading: () => {
+    mplJsLoading = null;
+  },
+};

package/src/plugins/impl/mpl-interactive/__tests__/MplInteractivePlugin.test.tsx

@@ -0,0 +1,119 @@
+/* Copyright 2026 Marimo. All rights reserved. */
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { Logger } from "@/utils/Logger";
+import { visibleForTesting } from "../MplInteractivePlugin";
+
+const { ensureMplJs, injectCss, resetMplJsLoading } = visibleForTesting;
+
+describe("MplInteractivePlugin URL validation", () => {
+  beforeEach(() => {
+    // Reset module-level script-loading state and any stubs.
+    delete (window as { mpl?: unknown }).mpl;
+    resetMplJsLoading();
+    // Remove any scripts the tests added to document.head.
+    for (const el of document.head.querySelectorAll(
+      "script[data-test-mpl],link[data-test-mpl]",
+    )) {
+      el.remove();
+    }
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("ensureMplJs", () => {
+    it("rejects the PoC attack URL without creating a <script>", async () => {
+      const appendSpy = vi.spyOn(document.head, "append");
+      await expect(ensureMplJs("http://127.0.0.1:8820/poc.js")).rejects.toThrow(
+        /untrusted/i,
+      );
+      expect(appendSpy).not.toHaveBeenCalled();
+    });
+
+    it.each([
+      "https://evil.example.com/x.js",
+      "//evil.example.com/x.js",
+      "javascript:alert(1)",
+      "data:text/javascript;base64,YWxlcnQoMSk=",
+      "./@file/x.js?redirect=http://evil.com",
+    ])("rejects %s", async (url) => {
+      const appendSpy = vi.spyOn(document.head, "append");
+      await expect(ensureMplJs(url)).rejects.toThrow(/untrusted/i);
+      expect(appendSpy).not.toHaveBeenCalled();
+    });
+
+    it("is a no-op when window.mpl is already present", async () => {
+      (window as { mpl?: unknown }).mpl = {};
+      const appendSpy = vi.spyOn(document.head, "append");
+      // Even a malicious URL should be ignored — short-circuit happens first.
+      await expect(
+        ensureMplJs("http://evil.example.com/x.js"),
+      ).resolves.toBeUndefined();
+      expect(appendSpy).not.toHaveBeenCalled();
+    });
+
+    it("creates a <script src> for a trusted virtual file URL", async () => {
+      const appendSpy = vi
+        .spyOn(document.head, "append")
+        .mockImplementation((...nodes) => {
+          // Simulate a successful load so ensureMplJs resolves.
+          for (const node of nodes) {
+            if (node instanceof HTMLScriptElement) {
+              queueMicrotask(() => node.onload?.(new Event("load")));
+            }
+          }
+        });
+
+      await expect(ensureMplJs("./@file/123-mpl.js")).resolves.toBeUndefined();
+
+      expect(appendSpy).toHaveBeenCalledTimes(1);
+      const appended = appendSpy.mock.calls[0][0] as HTMLScriptElement;
+      expect(appended.tagName).toBe("SCRIPT");
+      expect(appended.src).toContain("@file/123-mpl.js");
+    });
+  });
+
+  describe("injectCss", () => {
+    it("refuses to append <link> for the PoC attack CSS URL", () => {
+      const container = document.createElement("div");
+      const loggerSpy = vi.spyOn(Logger, "error").mockImplementation(() => {});
+
+      const cleanup = injectCss(container, "http://127.0.0.1:8820/x.css");
+
+      expect(container.querySelector("link")).toBeNull();
+      expect(loggerSpy).toHaveBeenCalledWith(
+        expect.stringContaining("untrusted"),
+      );
+      // Cleanup must be safe to call even when nothing was appended.
+      expect(() => cleanup()).not.toThrow();
+    });
+
+    it.each([
+      "https://evil.example.com/x.css",
+      "javascript:alert(1)",
+      "data:text/css,body{background:red}",
+    ])("refuses to append <link> for %s", (url) => {
+      const container = document.createElement("div");
+      vi.spyOn(Logger, "error").mockImplementation(() => {});
+
+      injectCss(container, url);
+
+      expect(container.querySelector("link")).toBeNull();
+    });
+
+    it("appends a <link> for a trusted virtual file URL", () => {
+      const container = document.createElement("div");
+
+      const cleanup = injectCss(container, "./@file/456-mpl.css");
+
+      const link = container.querySelector("link");
+      expect(link).not.toBeNull();
+      expect(link?.rel).toBe("stylesheet");
+      expect(link?.getAttribute("href")).toBe("./@file/456-mpl.css");
+
+      cleanup();
+      expect(container.querySelector("link")).toBeNull();
+    });
+  });
+});

package/src/plugins/impl/panel/PanelPlugin.tsx

@@ -10,6 +10,7 @@ import {
 } from "@/hooks/useEventListener";
 import { createPlugin } from "@/plugins/core/builder";
 import { rpc } from "@/plugins/core/rpc";
+import { isTrustedVirtualFileUrl } from "@/plugins/core/trusted-url";
 import type { IPluginProps } from "@/plugins/types";
 import { Logger } from "@/utils/Logger";
 import { EventBuffer, extractBuffers, MessageSchema } from "./utils";
@@ -64,7 +65,7 @@ declare global {
 }
 
 interface PanelData {
-  extension: string | null;
+  extensionUrl: string | null;
   docs_json: Record<string, unknown>;
   render_json: {
     roots: Record<string, string>;
@@ -85,7 +86,7 @@ type PluginFunctions = {
 export const PanelPlugin = createPlugin<T>("marimo-panel")
   .withData(
     z.object({
-      extension: z.string().nullable(),
+      extensionUrl: z.string().nullable(),
       docs_json: z.record(z.string(), z.unknown()),
       render_json: z
         .object({
@@ -110,9 +111,34 @@ function isBokehLoaded() {
   return window.Bokeh != null;
 }
 
+/**
+ * Append a `<script src>` for the bokeh/panel extension.
+ *
+ * The URL must be a marimo virtual file path; anything else (e.g. an
+ * attacker-controlled URL injected via a raw `<marimo-panel>` element in a
+ * markdown cell) is refused.
+ */
+export function loadPanelExtension(extensionUrl: string | null): boolean {
+  if (!extensionUrl) {
+    return false;
+  }
+  if (!isTrustedVirtualFileUrl(extensionUrl)) {
+    Logger.error(
+      `Refusing to load Panel extension from untrusted URL: ${String(
+        extensionUrl,
+      )}`,
+    );
+    return false;
+  }
+  const script = document.createElement("script");
+  script.src = extensionUrl;
+  document.head.append(script);
+  return true;
+}
+
 const PanelSlot = (props: Props) => {
   const { data, functions, host } = props;
-  const { extension, docs_json: docsJson, render_json: renderJson } = data;
+  const { extensionUrl, docs_json: docsJson, render_json: renderJson } = data;
   const ref = useRef<HTMLDivElement>(null);
   const rootModelIdRef = useRef<string | null>(null);
   const receiverRef = useRef<InstanceType<
@@ -173,12 +199,7 @@ const PanelSlot = (props: Props) => {
       return;
     }
 
-    // Load the extension
-    if (extension) {
-      const script = document.createElement("script");
-      script.innerHTML = extension;
-      document.head.append(script);
-    }
+    loadPanelExtension(extensionUrl);
 
     // Check if Bokeh is loaded every 10ms
     const checkBokeh = setInterval(() => {
@@ -189,7 +210,7 @@ const PanelSlot = (props: Props) => {
     }, 10);
 
     return () => clearInterval(checkBokeh);
-  }, [extension, setLoaded]);
+  }, [extensionUrl, setLoaded]);
 
   // Listen for incoming messages
   useEventListener(

package/src/plugins/impl/panel/__tests__/PanelPlugin.test.ts

@@ -0,0 +1,60 @@
+/* Copyright 2026 Marimo. All rights reserved. */
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { Logger } from "@/utils/Logger";
+import { loadPanelExtension } from "../PanelPlugin";
+
+describe("loadPanelExtension", () => {
+  beforeEach(() => {
+    for (const el of document.head.querySelectorAll("script")) {
+      el.remove();
+    }
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("does nothing and returns false for null URL", () => {
+    const appendSpy = vi.spyOn(document.head, "append");
+    expect(loadPanelExtension(null)).toBe(false);
+    expect(appendSpy).not.toHaveBeenCalled();
+  });
+
+  it("refuses to load the PoC attack URL", () => {
+    const appendSpy = vi.spyOn(document.head, "append");
+    const loggerSpy = vi.spyOn(Logger, "error").mockImplementation(() => {});
+
+    expect(loadPanelExtension("http://127.0.0.1:8820/poc.js")).toBe(false);
+
+    expect(appendSpy).not.toHaveBeenCalled();
+    expect(loggerSpy).toHaveBeenCalledWith(
+      expect.stringContaining("untrusted"),
+    );
+  });
+
+  it.each([
+    "https://evil.example.com/x.js",
+    "//evil.example.com/x.js",
+    // An attacker embedding inline JS as a data URL — what the old plugin
+    // would have executed verbatim via script.innerHTML.
+    "data:text/javascript;base64,YWxlcnQoMSk=",
+    "javascript:alert(1)",
+    "./@file/x.js#http://evil.com",
+  ])("refuses to load %s", (url) => {
+    const appendSpy = vi.spyOn(document.head, "append");
+    vi.spyOn(Logger, "error").mockImplementation(() => {});
+
+    expect(loadPanelExtension(url)).toBe(false);
+    expect(appendSpy).not.toHaveBeenCalled();
+  });
+
+  it("appends a <script src> for a trusted virtual file URL", () => {
+    expect(loadPanelExtension("./@file/42-bokeh.js")).toBe(true);
+
+    const script = document.head.querySelector("script");
+    expect(script).not.toBeNull();
+    expect(script?.src).toContain("@file/42-bokeh.js");
+    // Must NOT populate innerHTML — that was the original vulnerability sink.
+    expect(script?.innerHTML).toBe("");
+  });
+});

package/src/plugins/impl/vega/VegaPlugin.tsx

@@ -8,7 +8,6 @@ import type { Data, VegaComponentState } from "./vega-component";
 
 import "./vega.css";
 import React, { type JSX } from "react";
-import { TooltipProvider } from "@/components/ui/tooltip";
 
 const LazyVegaComponent = React.lazy(() => import("./vega-component"));
 
@@ -29,13 +28,11 @@ export class VegaPlugin implements IPlugin<VegaComponentState, Data> {
 
   render(props: IPluginProps<VegaComponentState, Data>): JSX.Element {
     return (
-      <TooltipProvider>
-        <LazyVegaComponent
-          value={props.value}
-          setValue={props.setValue}
-          {...props.data}
-        />
-      </TooltipProvider>
+      <LazyVegaComponent
+        value={props.value}
+        setValue={props.setValue}
+        {...props.data}
+      />
     );
   }
 }

package/src/plugins/layout/NavigationMenuPlugin.tsx

@@ -11,7 +11,7 @@ import {
   NavigationMenuTrigger,
   navigationMenuTriggerStyle,
 } from "@/components/ui/navigation";
-import { Tooltip, TooltipProvider } from "@/components/ui/tooltip";
+import { Tooltip } from "@/components/ui/tooltip";
 import { renderHTML } from "@/plugins/core/RenderHTML";
 import { cn } from "@/utils/cn";
 import { appendQueryParams } from "@/utils/urls";
@@ -67,11 +67,7 @@ export class NavigationMenuPlugin implements IStatelessPlugin<Data> {
   });
 
   render(props: IStatelessPluginProps<Data>): JSX.Element {
-    return (
-      <TooltipProvider>
-        <NavMenuComponent {...props.data} />
-      </TooltipProvider>
-    );
+    return <NavMenuComponent {...props.data} />;
   }
 }
 

package/dist/assets/RenderHTML-CbuarQqA.js

@@ -1 +0,0 @@
-import{s as v}from"./chunk-LvLJmgfZ.js";import{i as j,p as y,u as w}from"./useEvent-D91BmmQi.js";import{t as R}from"./react-Bj1aDYRI.js";import{bn as S,gn as _,ii as c,it as H,m as I,ri as M,vt as N}from"./cells-BqYYXi6G.js";import{t as E}from"./compiler-runtime-B3qBwwSJ.js";import{_ as T}from"./useEventListener-DGjKht0c.js";import{o as z}from"./utils-8btzWeZg.js";import{t as C}from"./jsx-runtime-Blw4afVn.js";import{t as F}from"./tooltip-DmqhBBs6.js";import{t as L}from"./copy-icon-Ci08KCdY.js";import{t as V}from"./usePress-BXMIcLWP.js";import{n as k}from"./useDebounce-LVL1r3-M.js";import{t as q}from"./useRunCells-DFYAOTWd.js";var W=E(),m=v(R(),1),o=v(C(),1);const A=r=>{let t=(0,W.c)(16),e,n,i;t[0]===r?(e=t[1],n=t[2],i=t[3]):({href:n,children:e,...i}=r,t[0]=r,t[1]=e,t[2]=n,t[3]=i);let a=(0,m.useRef)(null),s;t[4]===n?s=t[5]:(s=()=>{let u=new URL(globalThis.location.href);u.hash=n,globalThis.history.pushState({},"",u.toString()),globalThis.dispatchEvent(new HashChangeEvent("hashchange"));let x=n.slice(1),g=document.getElementById(x);g&&g.scrollIntoView({behavior:"smooth",block:"start"})},t[4]=n,t[5]=s);let l=s,f;t[6]===l?f=t[7]:(f={onPress:()=>{l()}},t[6]=l,t[7]=f);let{pressProps:h}=V(f),d;t[8]===l?d=t[9]:(d=u=>{u.preventDefault(),l()},t[8]=l,t[9]=d);let b=d,p;return t[10]!==e||t[11]!==b||t[12]!==n||t[13]!==h||t[14]!==i?(p=(0,o.jsx)("a",{ref:a,href:n,...h,onClick:b,...i,children:e}),t[10]=e,t[11]=b,t[12]=n,t[13]=h,t[14]=i,t[15]=p):p=t[15],p};async function D(r){let t=I().inOrderIds.at(0);if(t)try{let e=await _.request({document:r,cellId:t});if(!e||e.options.length===0)return;let n=r.split(".").pop()??r,i=e.options[0],a=e.options.find(s=>s.name===n)??i;a!=null&&a.completion_info&&j.set(S,{documentation:a.completion_info})}catch(e){T.debug(`Doc lookup failed for "${r}"`,e)}}var O=E();const P=r=>{let t=(0,O.c)(8),{qualifiedName:e,children:n}=r,i;t[0]===e?i=t[1]:(i=()=>{D(e)},t[0]=e,t[1]=i);let a=k(i,100),s;t[2]===a?s=t[3]:(s=()=>a.cancel(),t[2]=a,t[3]=s);let l;return t[4]!==n||t[5]!==a||t[6]!==s?(l=(0,o.jsx)("span",{onMouseEnter:a,onMouseLeave:s,children:n}),t[4]=n,t[5]=a,t[6]=s,t[7]=l):l=t[7],l};var $=y(r=>{let t=r(q),e=r(z);if(t||e)return!1;let n=!0;try{n=H()==="read"}catch{return!0}return!n});function B(){return w($)}var U=E(),Z=r=>{if(r instanceof c.Element&&!/^[A-Za-z][\w-]*$/.test(r.name))return m.createElement(m.Fragment)},G=(r,t)=>{if(t instanceof c.Element&&t.name==="body"){if((0,m.isValidElement)(r)&&"props"in r){let e=r.props.children;return(0,o.jsx)(o.Fragment,{children:e})}return}},J=(r,t)=>{if(t instanceof c.Element&&t.name==="html"){if((0,m.isValidElement)(r)&&"props"in r){let e=r.props.children;return(0,o.jsx)(o.Fragment,{children:e})}return}},K=r=>{if(r instanceof c.Element&&r.attribs&&r.name==="iframe"){let t=document.createElement("iframe");return Object.entries(r.attribs).forEach(([e,n])=>{e.startsWith('"')&&e.endsWith('"')&&(e=e.slice(1,-1)),t.setAttribute(e,n)}),(0,o.jsx)("div",{dangerouslySetInnerHTML:{__html:t.outerHTML}})}},Q=r=>{if(r instanceof c.Element&&r.name==="script"){let t=r.attribs.src;if(!t)return;if(!document.querySelector(`script[src="${t}"]`)){let e=document.createElement("script");e.src=t,document.head.append(e)}return(0,o.jsx)(o.Fragment,{})}},X=(r,t)=>{if(t instanceof c.Element&&t.name==="a"){let e=t.attribs.href;if(e!=null&&e.startsWith("#")&&!e.startsWith("#code/")){let n=null;return(0,m.isValidElement)(r)&&"props"in r&&(n=r.props.children),(0,o.jsx)(A,{href:e,...t.attribs,children:n})}}},Y=(r,t,e)=>{var n,i;if(t instanceof c.Element&&t.name==="div"&&((i=(n=t.attribs)==null?void 0:n.class)!=null&&i.includes("codehilite")))return(0,o.jsx)(rt,{children:r},e)},tt=(r,t)=>{var e;if(t instanceof c.Element&&((e=t.attribs)!=null&&e["data-marimo-doc"])){let n=t.attribs["data-marimo-doc"];return(0,o.jsx)(P,{qualifiedName:n,children:r})}},et=(r,t)=>{var e;if(t instanceof c.Element&&((e=t.attribs)!=null&&e["data-tooltip"])){let n=t.attribs["data-tooltip"];return(0,o.jsx)(F,{content:n,children:r})}},rt=r=>{let t=(0,U.c)(3),{children:e}=r,n=(0,m.useRef)(null),i;t[0]===Symbol.for("react.memo_cache_sentinel")?(i=(0,o.jsx)("div",{className:"absolute top-2 right-2 opacity-0 group-hover:opacity-100 transition-opacity",children:(0,o.jsx)(L,{tooltip:!1,className:"p-1",value:()=>{var l;let s=(l=n.current)==null?void 0:l.firstChild;return s&&s.textContent||""}})}),t[0]=i):i=t[0];let a;return t[1]===e?a=t[2]:(a=(0,o.jsxs)("div",{className:"relative group codehilite-wrapper",ref:n,children:[e,i]}),t[1]=e,t[2]=a),a};const nt=({html:r,additionalReplacements:t=[],alwaysSanitizeHtml:e=!0})=>(0,o.jsx)(it,{html:r,alwaysSanitizeHtml:e,additionalReplacements:t});var it=({html:r,additionalReplacements:t=[],alwaysSanitizeHtml:e})=>{let n=B();return at({html:(0,m.useMemo)(()=>e||n?N(r):r,[r,e,n]),additionalReplacements:t})};function at({html:r,additionalReplacements:t=[]}){let e=[Z,K,Q,...t],n=[Y,X,tt,et,G,J];return M(r,{replace:(i,a)=>{for(let s of e){let l=s(i,a);if(l)return l}return i},transform:(i,a,s)=>{for(let l of n){let f=l(i,a,s);if(f)return f}return i}})}export{nt as t};