Htmlwidget

[gvegayon]

This pull request introduces a new HTML widget integration for interactive GEXF graph visualization using gexfjs, and adds supporting infrastructure to the package for both R and Shiny usage. The main changes include new functions for widget creation and rendering, registration of these functions for export, and addition of all necessary JavaScript, CSS, and configuration files for the widget.

New HTML widget and Shiny integration:

• Added new R functions gexfjs, gexfjsOutput, and renderGexfjs to create and render an interactive GEXF graph widget, including Shiny support. Also added analogous test widget functions (test1, test1Output, renderTest1). (R/plot.R, R/plot.RR226-R301)
• Registered the new widget functions for export in the package namespace. (NAMESPACE, NAMESPACER17-R30)
• Added htmlwidgets as an imported package in DESCRIPTION. (DESCRIPTION, DESCRIPTIONL24-R25)

Widget implementation and dependencies:

• Added the widget implementation JavaScript file (inst/htmlwidgets/gexfjs.js), widget configuration YAML (inst/htmlwidgets/gexfjs.yaml), and supporting setup, config, and style files. (inst/htmlwidgets/gexfjs.js, [1]; inst/htmlwidgets/gexfjs.yaml, [2]; inst/htmlwidgets/lib/gexfjs/setup.js, [3]; inst/htmlwidgets/lib/gexfjs/config.js, [4]; inst/htmlwidgets/lib/gexfjs/styles/gexfjs.css, [5]

Supporting project metadata:

• Added project metadata file for the widget's JavaScript library. (inst/htmlwidgets/lib/gexfjs/.project, inst/htmlwidgets/lib/gexfjs/.projectR1-R17)

[gvegayon]

OK, @copilot, I need you to ensure this branch is up to date with master. While you are at it, give it a pass to assess whether things are working as expected.

[Copilot]

@gvegayon I've opened a new pull request, #47, to work on those changes. Once the pull request is ready, I'll request review from you.

[gvegayon]

@copilot, this PR has too many changes. The idea of the PR was to add the functionality to call plot() within rmarkdown, quarto, or shiny. Let's see what things that are fundamental for that funciontality can be preserved and discard the other changes.

[gvegayon]

This file needs to be removed. Also, we need to ensure this file is not added to git again

[gvegayon]

What we were doing before seem smarter, why change it?

[Copilot]

@gvegayon I've opened a new pull request, #50, to work on those changes. Once the pull request is ready, I'll request review from you.

[github-actions]

Thank you for your contribution @gvegayon 🚀! The pkgdown site preview is ready for review 👉 Download here 👈!
_{(The artifact expires on 2026-03-01T20:51:53Z. You can re-generate it by re-running the workflow here.)}

[Copilot]

Pull request overview

This pull request adds HTMLwidget support to the rgexf package, enabling interactive visualization of GEXF graph files in R using the gexf-js JavaScript library. The implementation allows users to embed graph visualizations in R Markdown documents, Shiny applications, and HTML outputs.

• Adds gexfjs() function for creating htmlwidget-based graph visualizations
• Includes helper functions for Shiny integration (gexfjsOutput(), renderGexfjs())
• Adds extensive gexf-js JavaScript library files and dependencies
• Includes test/example implementations (test1() function and playground files)

Reviewed changes

Copilot reviewed 18 out of 53 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
R/plot.R	Adds new htmlwidget functions: gexfjs(), test1() and their Shiny wrappers
DESCRIPTION	Adds htmlwidgets package dependency
NAMESPACE	Exports new htmlwidget-related functions
.gitignore	Updates ignore patterns with proper wildcard syntax
inst/htmlwidgets/gexfjs.js	Main JavaScript widget binding for gexf-js
inst/htmlwidgets/gexfjs.yaml	Dependency configuration for the htmlwidget
inst/htmlwidgets/test1.js	Test widget implementation
inst/htmlwidgets/lib/gexfjs/*	Complete gexf-js library files (JS, CSS, images)
playground/*.html, *.rmd, *.cpp	Example/test files for development

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Typo in comment: "contatenating" should be "concatenating".

[Copilot]

Missing semicolon after variable declaration. While JavaScript allows this, adding it ensures consistency with the coding style used elsewhere in the file (e.g., line 11).

[Copilot]

Typo in comment: "onlyone" should be "only one" (two words).

Suggested change

	gexf = "lib/gexf-1/lesmiserables.gexf" , # This is the onlyone that is working... for now
	gexf = "lib/gexf-1/lesmiserables.gexf" , # This is the only one that is working... for now

[Copilot]

Typo in comment: "simple3" should be "simple".

[Copilot]

Typo in text content: "Yuo" should be "You".

[Copilot]

Unused variable data.

Suggested change

var data = parser.parseFromString(x.data, "application/xml");

[Copilot]

Unused variable data.

[Copilot]

Avoid using functions that evaluate strings as code.

Suggested change

	document.write(unescape("%3Cscript type='text/javascript' src='js/jquery-2.0.2.min.js'%3E%3C/script%3E"));
	var script = document.createElement('script');
	script.type = 'text/javascript';
	script.src = 'js/jquery-2.0.2.min.js';
	document.head.appendChild(script);

[Copilot]

readLines(gexf) will read whatever path/URL is provided and the result is placed into x$data, which is then sent to the browser via the htmlwidget. In a Shiny context, if an attacker can control gexf, they can cause the server to read arbitrary local files (e.g., /etc/passwd) and exfiltrate the contents to the client. Restrict gexf to a known safe directory (use normalizePath and a base-dir check), reject absolute/parent (..) paths, and avoid echoing raw file contents back to the client (drop x$data or send only parsed/sanitized fields). For example:

base <- system.file("gexf-graphs", package = "rgexf")
path <- normalizePath(gexf, winslash = "/", mustWork = TRUE)
stopifnot(startsWith(path, normalizePath(base, winslash = "/")))
# Prefer not to include raw file content in x$data
x <- list(path = path)

Suggested change

	# read the gexf file
	data <- paste(tryCatch(readLines(gexf), error = function(e) "e"), collapse="\n")
	# # create a list that contains the settings
	# settings <- list(
	# drawEdges = drawEdges,
	# drawNodes = drawNodes
	# )
	# pass the data and settings using 'x'
	x <- list(
	path = gexf,
	data = data#,
	# Restrict gexf to a known safe directory
	base <- system.file("lib/gexf-1", package = "rgexf")
	path <- normalizePath(gexf, winslash = "/", mustWork = TRUE)
	if (!startsWith(path, normalizePath(base, winslash = "/"))) {
	stop("gexf file must be within the package's lib/gexf-1 directory.")
	}
	# pass only the safe path using 'x'
	x <- list(
	path = path

[Copilot]

Using readLines(gexf) without validating the scheme allows remote URLs (e.g., http:// or https://) to be fetched by the server, enabling SSRF. An attacker controlling gexf in a Shiny app could force requests to internal services (e.g., http://169.254.169.254/ or http://localhost:...) and the response would be embedded in the widget. Disallow URL schemes entirely or enforce a strict allowlist (and block loopback/link-local ranges), e.g.:

if (grepl("^[a-zA-Z]+://", gexf)) stop("URLs are not allowed")
# or allowlist only file paths under a safe base dir as shown above

Suggested change

	# Disallow URL schemes to prevent SSRF
	if (grepl("^[a-zA-Z]+://", gexf)) stop("URLs are not allowed for 'gexf' argument")