NiceGUI: Web-based user interfaces with Python. The nice way.

Security

• ⚠️ Prevent XSS via unsanitized method names in run_method() (GHSA-78qv-3mpx-9cqq by @anuraagbaishya, @evnchn, @falkoschindler)

  Breaking change: For security reasons, run_method() and run_*_method() no longer accept arbitrary JavaScript expressions as method names. Only actual method names are supported now. If you previously passed JS functions like

  row = await grid.run_grid_method('(g) => g.getDisplayedRowAtIndex(0).data')
  

  use

  row = await run_javascript(f'return getElement({grid.id}).api.getDisplayedRowAtIndex(0).data')
  

  instead.

New features and enhancements

• Preserve cursor position when calling ui.codemirror.set_value (#5775 by @falkoschindler, @evnchn)
• Wake outbox loop on stop() to avoid ~1s shutdown delay (#5804, #5805 by @Denubis, @evnchn, @falkoschindler)
• Prevent prune_user_storage crash when UI elements are created before ui.run_with() (#5480, #5768 by @TulyOpt, @Phloog, @jammerhund, @evnchn, @falkoschindler)
• Expose ui.aggrid.VERSION constant for AG Grid version reference (#5726, #5727 by @taschini, @evnchn, @falkoschindler)

Bugfixes

• Guard innerHTML writes in ui.html, ui.markdown and ui.interactive_image to avoid server-side updates overwriting client-side DOM modifications (#5749, #5761, #5816, #5821, #5823, #5826 by @Denubis, @phifuh, @evnchn, @falkoschindler)
• Fix ui.echart zoom reset on data update by using getOption() API (#5819, #5822 by @rtrrtr, @falkoschindler, @evnchn)
• Fix ui.log background color being tinted by inner scroll-area element (#5828, #5831 by @rolfn, @falkoschindler, @evnchn)
• Cancel connection-wait task when page coroutine completes first to prevent task leak (#5803, #5806 by @Denubis, @evnchn, @falkoschindler)
• Fix jumpy ui.table fullscreen toggle with smooth scrolling enabled (#5789 by @falkoschindler, @evnchn)
• Guard against missing element in beforeUnmount hooks during @ui.refreshable rebuild (#5765, #5766 by @evnchn, @falkoschindler)
• Fix Leaflet Draw circle resize broken by ES module strict mode (#5751, #5756 by @MicaelJarniac, @evnchn, @falkoschindler)
• Exclude Python prefix directory from reload file watcher to prevent spurious reloads (#5750, #5780 by @phifuh, @evnchn)
• Fix WebSocket URL missing host on HTTPS due to JS operator precedence (#5734 by @evnchn)
• Fix race condition: use static DOMPurify import to avoid mid-module yield (#5732, #5799 by @evnchn, @codingpaula, @rodja, @falkoschindler)

Documentation

• Add security best practices section (#5736 by @evnchn, @falkoschindler)
• Add a "Reaktiv Order Calculator" example (#4758, #5783, #5812 by @FabianGoessling, @buiapp, @evnchn, @buiapp, @falkoschindler)
• Add a "Device Control" example with events and logging (#5201, #5737 by @weinibuliu, @rodja, @eddie3ruff, @evnchn, @falkoschindler)
• Add AI co-authorship attribution guidance to CONTRIBUTING.md (#5758 by @evnchn, @falkoschindler)
• Upgrade the "SQLite Database" example to Tortoise ORM 1.0.0 (#5754 by @falkoschindler)
• Improve Plausible's SPA compatibility for website analytics (#5830 by @evnchn, @rodja)
• Make first demo always load immediately for better SEO (#5793, #5800 by @evnchn, @falkoschindler)
• Fix Googlebot homepage screenshot with unbounded h-screen (#5792 by @evnchn)
• Select search text when reopening search dialog (#5744, #5779 by @Aleborg-Finansforbundet, @marcrichard22, @evnchn, @falkoschindler)
• Fix sponsor button border styling with dark mode support (#5778 by @evnchn)
• Use static URL for sponsor images instead of local path (#5733 by @evnchn)

Testing

• Reuse Chrome driver across screen tests for faster execution (#5729 by @evnchn, @falkoschindler)
• Add support for typing numbers in UserInteraction (#5771, #5772 by @atollk, @falkoschindler, @evnchn)
• Reset _page_exception_handler in App.reset() for test isolation (#5809 by @evnchn)
• Fix flaky page test (#5818 by @falkoschindler, @evnchn)

Dependencies

• Update bundled Google Fonts: Material Symbols and Roboto v50 (#5743, #5762 by @VerteinPL, @evnchn, @falkoschindler)
• Bump Mermaid to 11.12.2 (#5755 by @henriknoren, @falkoschindler, @evnchn)

Infrastructure

• Add Copilot coding agent setup (#5770 by @evnchn, @falkoschindler)
• Remove nanasess/setup-chromedriver from CI in favor of runner's preinstalled Chrome (#5740 by @evnchn)
• Add GitHub CLI and pre-commit hooks to devcontainer (#5741 by @evnchn, @falkoschindler)
• Add CLAUDE.md with native @AGENTS.md import (#5730 by @rodja, @evnchn)

Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!