NiceGUI

3.10.0 · active · verified Sun Apr 12

NiceGUI is an open-source Python library for creating web-based user interfaces. It follows a backend-first philosophy, handling web development details like HTML, CSS, and JavaScript, allowing developers to focus on Python code. It's actively maintained with frequent releases, providing a wide range of UI elements, data binding, and the ability to run as a web server or in a native desktop window. The current version is 3.10.0.

Warnings

breaking Since v3.8.0, `run_method()` and `run_*_method()` no longer accept arbitrary JavaScript expressions as method names. Only actual method names are supported for security reasons.
Fix: Rewrite `run_method()` calls to use explicit method names instead of inline JavaScript functions.
breaking In v3.0.0, the `ui.html` element now requires a `sanitize` argument to prevent Cross-Site Scripting (XSS) attacks. `ui.chat_message` also has this argument, especially if `text_html=True`.
Fix: When using `ui.html`, explicitly set `sanitize=True` (or provide a custom sanitizer function) or `sanitize=False` if you are certain the content is safe.
gotcha Several security vulnerabilities related to Cross-Site Scripting (XSS) via unsanitized user input (e.g., in `ui.markdown()`, user-defined links, and sub-pages) have been addressed across multiple versions (v3.5.0, v3.7.0). Always sanitize or validate any user-provided content before rendering it.
Fix: Keep NiceGUI updated to the latest version. Always use the `sanitize` argument where available for user-generated content, or implement your own robust sanitization for all user inputs displayed in the UI.
gotcha Vulnerabilities related to file handling (e.g., filename sanitization bypass in `ui.upload` v3.10.0, path traversal via `FileUpload.name` v3.7.0, and arbitrary file access via `app.add_media_files` v3.4.0) have been reported. Be cautious when exposing uploaded or local files.
Fix: Ensure NiceGUI is up-to-date. Carefully review security implications when using file upload features (`ui.upload`) or exposing local directories (`app.add_media_files`, `add_static_files`). Avoid putting security-critical files in exposed directories.
breaking With v3.0.0, the `ui.element.tailwind` API was removed. Upgrading to Tailwind 4 also introduced some breaking changes in layout and styling.
Fix: Migrate from the deprecated `ui.element.tailwind` API. Review your UI layouts after upgrading, especially for styling with Tailwind CSS, as line spacing and borders might differ. Use `element.classes()` for Tailwind CSS utility classes.
breaking In NiceGUI 3.0, you must directly modify `table.rows`, `table.columns`, or `aggrid.options` instead of using methods like `table.add_rows()` to update table data.
Fix: Adjust code to directly manipulate the data properties of table elements. `table.update()` or `aggrid.update()` are not necessary after direct property modification.
gotcha Memory exhaustion via media streaming routes (v3.9.0) was a security vulnerability. Ensure your application handles media streaming efficiently and is updated to prevent such resource attacks.
Fix: Upgrade to NiceGUI v3.9.0 or later to address the memory exhaustion vulnerability.

Install

pip install nicegui Install with pip

Imports

ui
```
from nicegui import ui
```
The primary object for building UI elements and running the application.
app
```
from nicegui import ui, app
```
The 'app' object is used for advanced features like custom FastAPI routes, sub-pages, or running NiceGUI within an existing FastAPI application.

Quickstart

This minimal example creates a web page with a 'Hello NiceGUI!' label and a button that displays a notification when clicked. Running this script will open the application in your browser.

from nicegui import ui

ui.label('Hello NiceGUI!')
ui.button('Click me!', on_click=lambda: ui.notify('Hello from NiceGUI!'))
ui.run()

view raw JSON →