
Releases: Classic298/open-webui-plugins

v1.0.16

07 Apr 13:48
383f231


Inline Visualizer v1.5.0

Added

  • HTML download button: small download icon in the top-right corner of every visualization. Click to save the visualization as a self-contained HTML file that can be opened in any browser and printed to PDF. The download button is automatically removed from the saved file for a clean output.
  • Localized download tooltip — detected via Open WebUI's locale settings using __event_call__ execute(). Falls back to browser language for standalone HTML files. Supports 45 languages.
  • Print-friendly exported HTML — downloaded files include @media print styles and a beforeprint JS handler that scales Chart.js canvases to fit the page width. Works in both portrait and landscape without manual zoom adjustment.
  • data-no-stagger opt-out — add data-no-stagger to any <svg> element to disable the automatic axis-label overlap fix for that diagram.
  • <title> tag — rendered documents now include a <title> based on the visualization title, giving downloaded files meaningful browser tab names and default filenames.

Changed

  • render_visualization is now async — uses __event_call__ to detect the user's UI language before building the HTML, per Open WebUI best practices for tools.
  • Tightened security-level documentation — developer reference, class docstring, and valve description now accurately state that scripts are always allowed (required for Chart.js/D3), strict mode blocks outbound fetch/XHR (not all script execution), and URL parameter stripping is query-only hygiene, not a hard exfiltration control.
  • _sanitize_content hardened — wrapper tags (<!DOCTYPE>, <html>, <head>, <body>, <meta>) are now only stripped at document start/end boundaries, not globally. Identical tokens inside JS strings or template literals are preserved.
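
The difference between global and boundary-only stripping, as an added example (not the plugin's own _sanitize_content; the regexes, the function names and the sample document are assumptions made for illustration):

```python
import re

# Wrapper tags named in the release note. These regexes are this example's
# assumption, not the plugin's actual patterns.
_WRAPPER = r"(?:<!DOCTYPE[^>]*>|</?(?:html|head|body)\b[^>]*>|<meta\b[^>]*>)"
_ANYWHERE = re.compile(_WRAPPER, re.IGNORECASE)
_LEADING = re.compile(rf"\A(?:\s*{_WRAPPER})+\s*", re.IGNORECASE)
_TRAILING = re.compile(rf"\s*(?:{_WRAPPER}\s*)+\Z", re.IGNORECASE)


def strip_global(content: str) -> str:
    """Pre-fix behaviour as described: drop wrapper tags wherever they occur."""
    return _ANYWHERE.sub("", content)


def strip_boundaries(content: str) -> str:
    """Drop only the run of wrapper tags that opens or closes the document."""
    content = _LEADING.sub("", content, count=1)
    return _TRAILING.sub("", content, count=1)


# Constructed sample: a full document whose script builds an export string
# that itself contains <html>/<body> tokens.
SAMPLE = (
    '<!DOCTYPE html>\n<html><head><meta charset="utf-8"></head>\n<body>\n'
    '<div id="chart"></div>\n'
    "<script>var page = '<html><body>' + "
    "document.getElementById('chart').outerHTML + '</body></html>';</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print(strip_global(SAMPLE))      # JS string literals are emptied
    print(strip_boundaries(SAMPLE))  # JS string literals survive intact
```
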

Fixed

  • iOS download handling — blob downloads on iOS use setTimeout(0) deferral with window.onerror and unhandledrejection suppression for the "Load failed" TypeError. target="_blank" is never set on iOS to prevent PWA navigation lock.
  • safe_lang locale parsing: zh-CN now correctly resolves to zh instead of zhcn by splitting on - before stripping non-alpha characters.
  • Filename length cap — download filenames are capped at 200 characters to stay within the Windows 255-char filesystem limit.
  • JS syntax error from \n in Python string: '<!DOCTYPE html>\n' in a Python triple-quoted string was output as a literal newline inside a JS single-quoted string, causing a SyntaxError that broke the entire script block.

v1.0.15

02 Apr 15:24
a8f0aa5


Inline Visualizer v1.4.3

Added

  • Added a MutationObserver (childList + subtree) to re-trigger iframe height measurement when AI-generated SPAs swap page content via innerHTML, fixing the issue where the iframe height was measured once on load and never updated during navigation.
  • Even stronger language to prevent the AI from repeating HTML code after calling the tool

v1.0.14

02 Apr 14:24
3cc3d80


Inline Visualizer v1.4.2

Added

  • Added MORE defensive guards against common AI-generated HTML issues: a feedback-loop detector that stops iframe height from growing infinitely and CSS variable aliases preventing dark-mode-only fallback colors from rendering in light mode.

v1.0.13

02 Apr 14:03
ed0e6bb


Inline Visualizer v1.4.1

Added

  • Added defensive guards against common AI-generated HTML issues: a feedback-loop detector that stops iframe height from growing infinitely when content uses viewport-relative units like 100vh, and CSS variable aliases (--foreground, --surface-1, --muted-foreground, --border, etc.) that map hallucinated shadcn/Tailwind variable names to the real design system, preventing dark-mode-only fallback colors from rendering in light mode.

v1.0.12

30 Mar 18:49


MCP App Bridge v0.5.0

Added

  • Sends prompt together with Rich UI back to the AI model to steer chat behaviour better

Inline Visualizer v1.4.0

Added

  • Sends prompt together with Rich UI back to the AI model to steer chat behaviour better

v1.0.11

27 Mar 23:00
cee4f3e


MCP App Bridge v0.4.2

Added

  • Further improvements to the tool prompts for the model to more intuitively use the tools available.

v1.0.10

27 Mar 22:26
1e6ceec


MCP App Bridge v0.4.1

Added

  • Further improvements to the tool prompts for the model to more intuitively use the tools available.

v1.0.9

27 Mar 21:50
015ded7


MCP App Bridge v0.4.0

Added

  • Honor maxHeight from tool _meta.ui metadata — apps using height:100% / flex layouts (e.g. DICOM viewer) now render at the correct size instead of collapsing to their intrinsic content height
  • Inject min-height CSS on html,body when maxHeight is declared by the server, so flex-based apps get a proper container to expand into
  • Use maxHeight as a floor in the auto-height reporting script — if scrollHeight is smaller than maxHeight, report maxHeight to the parent frame
  • New _extract_ui_meta() helper to read the full _meta.ui dict from tool definitions

Changed

  • Tool class docstring now instructs the model to check list_mcp_tools when the user references a capability it doesn't natively have
  • list_mcp_tools docstring updated to explicitly say "call this first" for unfamiliar capabilities
  • Refactored _extract_ui_resource_uri() to use _extract_ui_meta() internally

v1.0.8

26 Mar 23:05


MCP App Bridge v0.3.0

Added

  • AppBridge shim: dispatches ui/notifications/tool-result as a synthetic MessageEvent per the MCP Apps spec, so apps built with the official AppBridge SDK work out of the box
  • Includes structuredContent when the tool result is valid JSON
  • Works without iframe same-origin — no parent page access needed

v1.0.7

26 Mar 21:58


MCP App Bridge v0.2.0

Added

  • Initial release
  • Connect to any MCP server via streamable HTTP
  • Discover tools with list_mcp_tools — shows name, description, and whether each tool has a UI resource
  • Execute tools with call_mcp_tool — calls the tool on the MCP server
  • Detect _meta.ui.resourceUri (ui://) on tools per the MCP Apps extension
  • Fetch UI resource HTML and inject tool result data (__MCP_TOOL_RESULT__, __MCP_TOOL_ARGS__, __MCP_TOOL_NAME__)
  • Render fetched HTML as a Rich UI embed via HTMLResponse — using Open WebUI's existing iframe system
  • Support for both nested (_meta.ui.resourceUri) and flat (_meta["ui/resourceUri"]) metadata formats
  • Bearer token authentication via Valves
  • Server-declared CSP enforcement per the MCP Apps spec (SEP-1865)
    • Reads _meta.ui.csp from resource metadata
    • Translates connectDomains, resourceDomains, frameDomains, baseUriDomains to proper CSP directives
    • Applies restrictive default CSP when the server declares none
  • Auto-height script injection so MCP App embeds resize to fit their content
  • MCP dynamic tool discovery (list_mcp_tools / call_mcp_tool) aligning with Anthropic's Tool Search Tool pattern
  • Demo MCP server in examples/test_server.py for quick local testing
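
The server-declared CSP translation listed above, as an added example (not the plugin's own code): the field-to-directive mapping, the baseline policy, the origin check and the name build_csp are assumptions of this example. It treats the declared domains as untrusted input and drops any entry that is not a bare origin before it reaches the policy string.

```python
import re
from typing import Optional

# Assumed mapping from the _meta.ui.csp fields to CSP directives.
FIELD_TO_DIRECTIVES = {
    "connectDomains": ["connect-src"],
    "resourceDomains": ["script-src", "style-src", "img-src", "font-src", "media-src"],
    "frameDomains": ["frame-src"],
    "baseUriDomains": ["base-uri"],
}

# Constructed restrictive baseline, applied as-is when nothing is declared.
BASELINE = {
    "default-src": ["'none'"],
    "script-src": ["'unsafe-inline'"],
    "style-src": ["'unsafe-inline'"],
    "img-src": ["data:"],
    "font-src": ["'none'"],
    "media-src": ["data:"],
    "connect-src": ["'none'"],
    "frame-src": ["'none'"],
    "base-uri": ["'none'"],
}

# Accept only bare https/wss origins (optional wildcard label and port), so a
# declared value cannot carry spaces, quotes or ';' into the policy string.
_ORIGIN = re.compile(
    r"(?:https|wss)://(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d{1,5})?", re.IGNORECASE
)

# Constructed sample: one valid origin per field plus one malformed entry.
DECLARED = {
    "connectDomains": ["https://api.example.com", "https://cdn.example.com; script-src *"],
    "resourceDomains": ["https://cdn.example.com"],
}


def build_csp(declared: Optional[dict]) -> str:
    """Merge validated server-declared origins into the baseline policy."""
    policy = {name: list(sources) for name, sources in BASELINE.items()}
    for field, directives in FIELD_TO_DIRECTIVES.items():
        values = (declared or {}).get(field) or []
        origins = [v for v in values if isinstance(v, str) and _ORIGIN.fullmatch(v)]
        if not origins:
            continue
        for name in directives:
            # 'none' must stand alone, so drop it once real origins are added.
            policy[name] = [s for s in policy[name] if s != "'none'"] + origins
    return "; ".join(f"{name} {' '.join(src)}" for name, src in policy.items())
```
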