{"id":4649,"library":"nicegui","title":"NiceGUI","description":"NiceGUI is an open-source Python library for creating web-based user interfaces. It follows a backend-first philosophy, handling web development details like HTML, CSS, and JavaScript, allowing developers to focus on Python code. It's actively maintained with frequent releases, providing a wide range of UI elements, data binding, and the ability to run as a web server or in a native desktop window. The current version is 3.10.0.","status":"active","version":"3.10.0","language":"en","source_language":"en","source_url":"https://github.com/zauberzeug/nicegui","tags":["web-framework","gui","frontend","python","fastapi","quasar"],"install":[{"cmd":"pip install nicegui","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Requires Python 3.10 or newer, but less than Python 4.","package":"python","optional":false}],"imports":[{"note":"The primary object for building UI elements and running the application.","symbol":"ui","correct":"from nicegui import ui"},{"note":"The 'app' object is used for advanced features like custom FastAPI routes, sub-pages, or running NiceGUI within an existing FastAPI application.","symbol":"app","correct":"from nicegui import ui, app"}],"quickstart":{"code":"from nicegui import ui\n\nui.label('Hello NiceGUI!')\nui.button('Click me!', on_click=lambda: ui.notify('Hello from NiceGUI!'))\nui.run()","lang":"python","description":"This minimal example creates a web page with a 'Hello NiceGUI!' label and a button that displays a notification when clicked. Running this script will open the application in your browser."},"warnings":[{"fix":"Rewrite `run_method()` calls to use explicit method names instead of inline JavaScript functions.","message":"Since v3.8.0, `run_method()` and `run_*_method()` no longer accept arbitrary JavaScript expressions as method names. Only actual method names are supported for security reasons.","severity":"breaking","affected_versions":">=3.8.0"},{"fix":"When using `ui.html`, explicitly set `sanitize=True` (or provide a custom sanitizer function) or `sanitize=False` if you are certain the content is safe.","message":"In v3.0.0, the `ui.html` element now requires a `sanitize` argument to prevent Cross-Site Scripting (XSS) attacks. `ui.chat_message` also has this argument, especially if `text_html=True`.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Keep NiceGUI updated to the latest version. Always use the `sanitize` argument where available for user-generated content, or implement your own robust sanitization for all user inputs displayed in the UI.","message":"Several security vulnerabilities related to Cross-Site Scripting (XSS) via unsanitized user input (e.g., in `ui.markdown()`, user-defined links, and sub-pages) have been addressed across multiple versions (v3.5.0, v3.7.0). Always sanitize or validate any user-provided content before rendering it.","severity":"gotcha","affected_versions":"All versions, especially prior to v3.7.0"},{"fix":"Ensure NiceGUI is up-to-date. Carefully review security implications when using file upload features (`ui.upload`) or exposing local directories (`app.add_media_files`, `add_static_files`). Avoid putting security-critical files in exposed directories.","message":"Vulnerabilities related to file handling (e.g., filename sanitization bypass in `ui.upload` v3.10.0, path traversal via `FileUpload.name` v3.7.0, and arbitrary file access via `app.add_media_files` v3.4.0) have been reported. Be cautious when exposing uploaded or local files.","severity":"gotcha","affected_versions":"All versions, especially prior to v3.10.0"},{"fix":"Migrate from the deprecated `ui.element.tailwind` API. Review your UI layouts after upgrading, especially for styling with Tailwind CSS, as line spacing and borders might differ. Use `element.classes()` for Tailwind CSS utility classes.","message":"With v3.0.0, the `ui.element.tailwind` API was removed. Upgrading to Tailwind 4 also introduced some breaking changes in layout and styling.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Adjust code to directly manipulate the data properties of table elements. `table.update()` or `aggrid.update()` are not necessary after direct property modification.","message":"In NiceGUI 3.0, you must directly modify `table.rows`, `table.columns`, or `aggrid.options` instead of using methods like `table.add_rows()` to update table data.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Upgrade to NiceGUI v3.9.0 or later to address the memory exhaustion vulnerability.","message":"Memory exhaustion via media streaming routes (v3.9.0) was a security vulnerability. Ensure your application handles media streaming efficiently and is updated to prevent such resource attacks.","severity":"gotcha","affected_versions":"<3.9.0"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}