A library for building sqlite readers in web applications.
This project emerged as an abstraction of the sqlite-viewer application.
See demos.
npm install sqlite-view<div id="sqlite-viewer"></div>
<script type="module">
import SqliteView from "sqlite-view";
const viewer = new SqliteView("sqlite-view");
viewer.load("/path/to/db.sqlite");
</script><div id="sqlite-viewer"></div>
<script type="module">
import SqliteView from "https://unpkg.com/sqlite-view/sqlite-view.js";
const viewer = new SqliteView("sqlite-viewer");
viewer.load(
"https://ryneeverett.gitlab.io/sqlite-view/sqlite-viewer/examples/Chinook_Sqlite.sqlite",
);
</script>npm install sqlite-view vite
export PATH="$PATH:$PWD/node_modules/.bin"
vite build node_modules/sqlite-view --outDir "$(pwd)/sqlite-view"The string id of an existing element in the DOM where sqlite-view will inject the reader.
An optional object of configurations:
choicesConfig: An object of which is passed directly to Choices configuration.
Either a string url path or a ByteArray of a database.
nix-shellnpm installnpm run servenpm testThis runs the build, unit tests, integration tests, and other checks. The main difference between the two test suites is that the unit tests are run from within the browser context whereas the integration tests are run from outside the browser context (nodejs server).
npm version <version>
Database contents are escaped before injection in order to mitigate XSS.
However, databases of untrusted construction could perform sql injection via table names. Sqlite does not support table name parameterization and sqlite does not have any restrictions on table name validity, so there is necessarily a trade-off between supporting all valid sqlite databases and avoiding sql injection. Currently the former is chosen and no escaping of table names is done. It's likely that sql.js also does not have the threat model of maliciously-constructed databases in mind and that even with mitigations in place it would still be insecure to load untrusted databases.