ComfyUI_frontend/src/lib/litegraph
Alexander Brown 2ee0a1337c fix: prevent XSS vulnerability in context menu labels (#8887)
Replace innerHTML with textContent when setting context menu item labels
to prevent XSS attacks via malicious filenames. This fixes a security
vulnerability where filenames like "<img src=x onerror=alert()>" could
execute arbitrary JavaScript when displayed in dropdowns.

https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions <github-actions@github.com>
2026-02-16 15:31:00 -08:00
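
The fix described in the commit message above, as an added example (not code from the commit or from litegraph): a label assigned through `innerHTML` beside the `textContent` form, plus an escaping helper for code paths that must emit an HTML string, which goes beyond what the commit does. The names `escapeHtml`, `setMenuLabelUnsafe`, `setMenuLabel`, `buildMenu` and the `menu-entry` class are hypothetical.

```javascript
// Added example; every function name here is hypothetical, not litegraph API.

// Escape the five HTML-significant characters. Only needed where a label has
// to be placed into an HTML string instead of being assigned to textContent.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;'
  }
  return String(value).replace(/[&<>"']/g, (ch) => map[ch])
}

// "Before" form: the browser parses the label as markup, so a filename such
// as "<img src=x onerror=alert()>" creates an element and runs its handler.
function setMenuLabelUnsafe(element, label) {
  element.innerHTML = label
}

// "After" form: the label becomes a single text node and is never parsed.
function setMenuLabel(element, label) {
  element.textContent = String(label)
}

// Build one menu entry per filename using only the safe setter.
// `doc` is the DOM document (passed in so the function can be unit-tested).
function buildMenu(doc, filenames) {
  const root = doc.createElement('div')
  for (const name of filenames) {
    const entry = doc.createElement('div')
    entry.className = 'menu-entry' // hypothetical class name
    setMenuLabel(entry, name)
    root.appendChild(entry)
  }
  return root
}
```

In a browser, call `buildMenu(document, names)`; the filename from the commit message then renders as literal text in the dropdown.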

@ComfyOrg/litegraph

This is the litegraph version used in ComfyUI_frontend.

It is a fork of the original litegraph.js. Some APIs may be unchanged; however, it is largely incompatible with the original.

Some early highlights:

Usage

This library is included as a git subtree in the ComfyUI frontend project at src/lib/litegraph.

litegraph.js

A TypeScript library to create graphs in the browser similar to Unreal Blueprints.

Description of the original litegraph.js

A library in JavaScript to create graphs in the browser similar to Unreal Blueprints. Nodes can be programmed easily and it includes an editor to construct and test the graphs.

It can be integrated easily in any existing web applications and graphs can be run without the need of the editor.

Node Graph

Features

  • Renders on Canvas2D (zoom in/out and panning, easy to render complex interfaces, can be used inside a WebGLTexture)
  • Easy to use editor (searchbox, keyboard shortcuts, multiple selection, context menu, ...)
  • Optimized to support hundreds of nodes per graph (on editor but also on execution)
  • Customizable theme (colors, shapes, background)
  • Callbacks to personalize every action/drawing/event of nodes
  • Graphs can be executed in NodeJS
  • Highly customizable nodes (color, shape, widgets, custom rendering)
  • Easy to integrate in any JS application (one single file, no dependencies)
  • Typescript support

Integration

This library is integrated as a git subtree in the ComfyUI frontend project. To use it in your code:

import { LGraph, LGraphNode, LiteGraph } from '@/lib/litegraph'

How to code a new Node type

Here is an example of how to build a node that sums two inputs:

import { LiteGraph, LGraphNode } from './litegraph'

class MyAddNode extends LGraphNode {
  // Name to show
  title = 'Sum'

  constructor() {
    // A derived class must call super() before it touches `this`
    super('Sum')
    this.addInput('A', 'number')
    this.addInput('B', 'number')
    this.addOutput('A+B', 'number')
    this.properties.precision = 1
  }

  // Function to call when the node is executed
  onExecute() {
    // Treat an unconnected input as 0
    let A = this.getInputData(0)
    if (A === undefined) A = 0
    let B = this.getInputData(1)
    if (B === undefined) B = 0
    this.setOutputData(0, A + B)
  }
}

// Register the node type
LiteGraph.registerNodeType('basic/sum', MyAddNode)

Server side

It also works server-side using NodeJS, although some nodes do not work on the server (audio, graphics, input, etc.).

import { LiteGraph, LGraph } from './litegraph.js'

const graph = new LGraph()

const firstNode = LiteGraph.createNode('basic/sum')
graph.add(firstNode)

const secondNode = LiteGraph.createNode('basic/sum')
graph.add(secondNode)

firstNode.connect(0, secondNode, 1)

graph.start()

Projects using it

ComfyUI

ComfyUI default workflow

Projects using the original litegraph.js

webglstudio.org

WebGLStudio

MOI Elephant

Mynodes

MyNodes

Feedback

Please open an issue on the GitHub repo.

Development

Litegraph has no runtime dependencies. The build tooling has been tested on Node.js 20.18.x.

Releasing

This library is embedded via git subtree in ComfyUI_frontend. Releases are managed through the parent repository's release process.

Contributors

You can find the current list of contributors on GitHub.

Contributors (pre-fork)

  • atlasan
  • kriffe
  • rappestad
  • InventivetalentDev
  • NateScarlet
  • coderofsalvation
  • ilyabesk
  • gausszhou