Saving Shiny Rendered HTML


Ramnath Vaidyanathan

May 1, 2013, 3:58:51 PM
to shiny-...@googlegroups.com
My question is about how to save shiny rendered html pages. I am not sure this is the right forum to put this question, but I still wanted to try. 

To give you some context, I just added a Shiny based app to rCharts, adapting the excellent Shiny app put together by @yihui for knitr. It allows users to embed d3js charts in an R Notebook. Here is a screencast for those interested, http://youtu.be/MqMkCk-nc6k,  but if you just want to see it in action, type this from your R console.

devtools::install_github('rCharts', 'ramnathv')
rCharts::open_notebook()

Now, I want to add a feature that allows a user to click on a publish button, that automatically publishes the source Rmd (from the text area) and the shiny rendered HTML to a github repo. I can generate static HTML independent of Shiny using Slidify, but I thought it would simplify the workflow considerably if a user can tweak the source using the notebook, and when happy with the end-product can hit publish.

This might be a question for the javascript community, but if any of you have thoughts on how to do this, I would appreciate it.

Best,
Ramnath


Joe Cheng

May 2, 2013, 11:18:00 PM
to shiny-...@googlegroups.com
The knitr Shiny app by Yihui was really cool but also a huge security hole--I hope you are only recommending it for local use and only when properly protected by a firewall!





Ramnath Vaidyanathan

May 3, 2013, 3:19:48 AM
to shiny-...@googlegroups.com
Yes. I am only recommending it for local use. Can you elaborate on the firewall issue? How does it affect local use?

I had an idea for using the app only as a viewer, when online. In other words, the online version would load both *.Rmd and *.html in side-by-side windows just like Yihui's app, and will have all the features enabled, except that the knit button will be disabled. So a user can only view the source and the output online, NOT be able to run any code.

In addition, a download button on the top (similar to nbViewer) would allow users to download the Rmd, and a utility function will allow a user to recreate it locally using Shiny. I believe, this would entail the same risks as running runGitHub or runApp or sourcing any external script. I understand that the HTML can have malicious code as well, but I believe that possibility exists on any website that a user visits.

Let me know what you think, and if you have any ideas/suggestions. 

Best,
Ramnath

Joe Cheng

May 3, 2013, 2:41:13 PM
to shiny-...@googlegroups.com
With local use and no firewall, anyone who can see your machine could point their browser to http://your-hostname:8100 and get access to the app.

Your viewer would work, just make sure that you don't merely disable the UI, but also conditionalize the server.R code so that the knitting can never happen. If you only disable the UI, it would still be possible for an attacker to make JavaScript calls that would simulate the clicking of the knit button or whatever. If you end up building this I can review the code for you.
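
The two points in the post above (keep the port off the network, and make knitting impossible in server.R rather than only hiding the button), as an added example that is not part of the thread or of the rCharts or knitr code. The environment variable `NOTEBOOK_ALLOW_KNIT`, the file `notebook.html` and the app layout are assumptions made for illustration.

```r
# Added example; not code from rCharts or the knitr notebook app.
library(shiny)

# Assumption: a deployment switch read once at startup from the server's
# environment (hypothetical name). Nothing the browser sends can change it.
ALLOW_KNIT <- identical(Sys.getenv("NOTEBOOK_ALLOW_KNIT"), "true")

ui <- fluidPage(
  textAreaInput("rmd", "Source Rmd", rows = 12, width = "100%"),
  # Omitting the button is cosmetic only: a client can still send a value
  # for input$knit over the websocket without clicking anything.
  if (ALLOW_KNIT) actionButton("knit", "Knit"),
  htmlOutput("preview")
)

server <- function(input, output, session) {
  if (ALLOW_KNIT) {
    # The only path from user-supplied text to the R evaluator.
    # In viewer mode this reactive is never created, so no client
    # message can reach knitr.
    rendered <- eventReactive(input$knit, {
      knitr::knit2html(text = input$rmd)
    })
    output$preview <- renderUI(HTML(rendered()))
  } else {
    # Viewer mode: show a pre-rendered file (hypothetical path) from disk.
    # input$rmd and input$knit are never read.
    output$preview <- renderUI(includeHTML("notebook.html"))
  }
}

# Bind to the loopback interface so other machines that can see this host
# cannot connect to port 8100.
if (interactive()) {
  runApp(shinyApp(ui, server), host = "127.0.0.1", port = 8100)
}
```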

Ramnath Vaidyanathan

May 3, 2013, 3:38:53 PM
to shiny-...@googlegroups.com
Let me understand this correctly. When I run any Shiny app on localhost:8100, it can be accessed by others? What steps can I take to ensure that this does not happen? I have been running all kinds of localhost applications, without being aware of this problem.

About the viewer, yes, that is what I had in mind. I will get rid of the server.R  code that does the knitting, completely, so that there is no way anyone can knit the Rmd file. All it would do is to load the Rmd file on the left pane and the HTML on the right pane, with links to download the source Rmd and the HTML. A utility function would then allow a user to load the Rmd file into a local shiny instance, and modify it and watch the HTML change.

Let me put a rough draft of this together and send you the code, so that you can review it and give me some feedback. 

Best,
Ramnath

Ramnath Vaidyanathan

May 5, 2013, 9:23:33 AM
to shiny-...@googlegroups.com
I am in the process of building the viewer. While building it, I realized that I can do it purely in Javascript, since there is no necessity for interaction with R, as we are going to be disabling any ability to run arbitrary code. I will put a working prototype on github soon, and can then make the call if there are advantages to hosting it on a Shiny server.

Ramnath

Ramnath Vaidyanathan

May 6, 2013, 10:18:45 PM
to shiny-...@googlegroups.com
Here is a short post and video on proof-of-concept for an online Rmd viewer plus an offline Shiny App that allows knitting.


I hope to clean up the code soon and wrap this up into an R package.

Best,
Ramnath

Xavier de Pedro

May 10, 2013, 10:55:46 AM
to shiny-...@googlegroups.com, Ramnath Vaidyanathan
Dear Ramnath and Joe:

I'm not sure whether I should start a new thread or just reply here... for the sake of simplicity, I reply here, since it's somewhat related.

First of all: I'm a newbie using Shiny, and it was yesterday when I installed shiny locally for the first time, and today when I ran my first example, etc. (even if I've been reading about Shiny since 6 months ago, at least! :-))

One of my first goals while learning Shiny was to call and display a simple shiny app on a server, in a similar way to what I managed to do with your package rNVD3 ( http://ramnathv.github.io/rNVD3/ ).

In that case with rNVD3, I followed your "Example 2: Stacked bar Plot", but saving the html to disk (with p1$save('foo.html') instead of p1$printChart('foo.html') ). And then, loading it in a wiki page  with an iframe to display that html saved on disk. A working proof-of-concept reusing your rNVD3 package:
http://r-es.org/r_test8

The Web platform to manage the whole thing is called Tiki ( https://tiki.org ), and the communication with R is handled by PluginR ( https://doc.tiki.org/PluginR )

Then, I wanted to achieve something similar with a Shiny app. And since you also have an equivalent example in your page http://ramnathv.github.io/rNVD3/ ("Using it with Shiny"), I wanted to follow your example.

But, I haven't found a function in shiny to save to disk the whole html page of the app produced.

Is this planned in the development roadmap of Shiny?
Am I trying to follow a wrong path or missing something important here? (that might also be the case, since I'm fairly newbie with all this!)

Any hints on my goal to display shiny apps from (wiki) html pages controlled by something else than shiny server (Tiki, in this case)?

Xavier


P.S: By the way, nice video showing your proof-of-concept, Ramnath! I'm very impressed also with your work! (as well as the work with Shiny, of course!)

Ramnath Vaidyanathan

May 10, 2013, 11:00:33 AM
to shiny-...@googlegroups.com, Ramnath Vaidyanathan
First off, nice work embedding it in a Wiki. A key objective of rCharts is to make it easy to share charts and this is a great way to do it.

Coming to Shiny apps, they need to be run off a Shiny server. So, one way to embed a shiny app is to put it in an iframe. For example, you can include this app http://glimmer.rstudio.com/ramnathv/strikeouts/ by inserting it into an iframe tag. Shiny apps cannot be saved as standalone HTMLs. 

If you are running a Shiny server on Tiki, then it should be possible to copy the code in the app directory and directly render the app on Tiki.

Hope this is useful.

Cheers,
Ramnath

Xavier de Pedro

May 10, 2013, 12:14:58 PM
to shiny-...@googlegroups.com, Ramnath Vaidyanathan
Thanks for your kind words.

Well, yes, I'm running (I think) shiny-server in the same server where Tiki is (or I can get it installed). My question is how to easily "save" the html (or the ui.R and server.R) from the r script itself, so that I can have users in wiki platforms collaboratively create and edit their shiny apps.

About security (obvious concern in this context, of course), PluginR checks for "potentially dangerous" (server-wise) commands, and in case any of those are found in the r script in the wiki page, the r script (plugin R call) needs to be validated by an admin of the Tiki installation. And admin permissions in the Tiki should be shared only with people that you would share your ssh login credentials to your server with.

So, any equivalent p1$save for a shiny app, that can save the ui.R and server.R server-side wherever you tell them to be stored (after admin validation)?

Is my question clearer now?

Xavier

Joe Cheng

May 10, 2013, 1:11:45 PM
to shiny-...@googlegroups.com
Creating, editing, and saving ui.R and server.R files does not involve Shiny itself--these are merely inputs to the Shiny app. You could handle all of that in PHP.

Does PluginR allow the use of arbitrary packages? (From a security perspective I hope the answer is no!)

Speaking of security, another reason this might not be a great idea is because users can then easily write JavaScript snippets that can be served up on your domain, which would allow them to steal logon credentials (see XSS). In order to avoid this you would need to ensure that your Shiny apps are served from a different domain than the rest of the wiki.

Xavier de Pedro

May 13, 2013, 6:41:52 AM
to shiny-...@googlegroups.com, Joe Cheng
Hi Joe:


On 10/05/13 19:11, Joe Cheng wrote:
> Creating, editing, and saving ui.R and server.R files does not involve Shiny itself--these are merely inputs to the Shiny app. You could handle all of that in PHP.


Ok, thanks for the clarifications. I am slowly understanding better how to use Shiny.

> Does PluginR allow the use of arbitrary packages? (From a security perspective I hope the answer is no!)

Well, in fact, the answer is yes. There is a list of commands which are stopped until an admin validates the call, but all the other R commands are allowed to the users of the Tiki installation.
This way we aim to combine some more level of security in collaborative platforms in which you can run R scripts (similarly to what was implemented in the mediawiki r extension, etc).

Potentially dangerous commands caught by PluginR:
http://sourceforge.net/p/tikiwiki/code/HEAD/tree/mods/trunk/wiki-plugins/r/lib/wiki-plugins/wikiplugin_rr.php

lines 662 - 702

If you know of any other commands potentially dangerous (Server-wise), I'll be glad to add them to the ones that require admin validation.



> Speaking of security, another reason this might not be a great idea is because users can then easily write JavaScript snippets that can be served up on your domain, which would allow them to steal logon credentials (see XSS). In order to avoid this you would need to ensure that your Shiny apps are served from a different domain than the rest of the wiki.


Aha, good point. However, with the security model in Tiki, any javascript snippet would need to be validated by an admin, so that, as far as I understand, this is not a special security concern within Tiki.

If any benevolent hacker can make a proof of concept of exploit of Tiki & PluginR, you can try the community site for R users in Spain:
https://r-es.org

It's in Spanish, though. However, once registered and logged in, anyone can switch the language of the interface for his/her user to English, for instance.

Our basic idea, is that Shiny is excellent to produce standalone web interfaces for R apps, with wonderful "reactivity". While Tiki is best suited to deploy full Wiki/CMS/Groupware sites for documentation, blogging, discussing, with support for R syntax highlighting, etc. and while still allowing to create web 2.0 interfaces for R scripts (even if without the reactive model of Shiny).

So I will still explore someway to get shiny reactive interfaces through wiki pages in Tiki.

Thanks for your feedback.

Xavier

Joe

Jul 7, 2017, 2:20:25 AM
to Shiny - Web Framework for R, j...@rstudio.com, xavier....@vhir.org
Hey Xavier,

Were you able to find the location of html files generated by shiny?

Thanks, 
Joe