Splash

Latest version: v3.5

Safety actively analyzes 710445 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 4 of 8

2.0.1

Not secure
------------------

This is a bugfix release:

* XSS in HTTP UI is fixed;
* Splash-Jupyter docker image is fixed.

2.0

Not secure
* many Splash HTTP UI improvements;
* better support for :ref:`binary data <binary-data>`;
* built-in :ref:`lib-json` and :ref:`lib-base64` libraries;
* more :ref:`control <lib-treat>` for result serialization
(support for JSON arrays and raw bytes);
* it is now possible to turn Private mode OFF at startup using command-line
option or at runtime using :ref:`splash-private-mode-enabled` attribute;
* :ref:`http-ping` endpoint is added;
* cookie handling is fixed;
* downloader efficiency is improved;
* request processing is stopped when client disconnects;
* logging inside callbacks now uses proper verbosity;
* sandbox memory limit for user objects is increased to 50MB;
* some sandboxing issues are fixed;
* :ref:`splash-evaljs` and :ref:`splash-jsfunc` results are sanitized better;
* it is possible to pass arguments when starting Splash-Jupyter - it means
now you can get a browser window for splash-jupyter when it is executed
from docker;
* proxy authentication is fixed;
* logging improvements: logs now contain request arguments in JSON format;
errors are logged;

There are **backwards-incompatible** changes
to :ref:`Splash Scripting <scripting-tutorial>`: previously, different
Splash methods were returning/receiving inconsistent
response and request objects. For example, :ref:`splash-http-get` response was
not in the same format as ``response`` received by :ref:`splash-on-response`
callbacks. Splash 2.0 uses :ref:`Request <splash-request>` and
:ref:`Response <splash-response>` objects consistently.
Unfortunately this requires changes to existing user scripts:

* replace ``resp = splash:http_get(...)`` and ``resp = splash:http_post(...)``
with ``resp = splash:http_get(...).info`` and
``resp = splash:http_post(...).info``. Client code also may need to be
changed: the default encoding of ``info['content']['text']`` is now base64.
If you used ``resp.content.text`` consider switching to
:ref:`splash-response-body`.

* ``response`` object received by :ref:`splash-on-response-headers` and
:ref:`splash-on-response` callbacks is changed: instead of
``response.request`` write ``response.request.info``.

Serialization of JS objects in :ref:`splash-jsfunc`, :ref:`splash-evaljs`
and :ref:`splash-wait-for-resume` **is changed**: circular objects are
no longer returned, Splash doesn't try to serialize DOM elements, and error
messages are changed.

Splash **no longer supports** QT-based disk cache; it was disable by default
and it usage was discouraged since Splash 1.0, in Splash 2.0 ``--cache``
command-line option is removed. For HTTP cache there are better options like
`Squid <http://www.squid-cache.org/>`_.

Another **backwards-incompatible** change is that Splash-as-a-proxy feature
is removed. Please use regular HTTP API instead of this proxy interface.
Of course, Splash will still support using proxies to make requests,
these are two different features.

1.8

Not secure
----------------

New features:

* POST requests support: :ref:`http_method <arg-http-method>` and
:ref:`body <arg-body>` arguments for render endpoints;
new :ref:`splash-go` arguments: ``body``, ``http_method`` and ``formdata``;
new :ref:`splash-http-post` method.
* Errors are now returned in JSON format; error mesages became more detailed;
Splash UI now displays detailed error information.
* new :ref:`splash-call-later` method which allows to schedule tasks in future;
* new :ref:`splash-on-response` method allows to register a callback to be
executed after each response;
* proxy can now be set directly, without using proxy profiles - there is a new
:ref:`proxy <arg-proxy>` argument for render endpoints;
* more detailed :ref:`splash-go` errors: a new "render_error" error type can
be reported;
* new :ref:`splash-set-result-status-code` method;
* new :ref:`splash-resource-timeout` attribute as a shortcut for
``request:set_timeout`` in :ref:`splash-on-request`;
* new :ref:`splash-get-version` method;
* new :ref:`splash-autoload-reset`, :ref:`splash-on-response-reset`,
:ref:`splash-on-request-reset`, :ref:`splash-on-response-headers-reset`,
:ref:`splash-har-reset` methods and a new ``reset=true`` argument for
:ref:`splash-har`. They are most useful with Splash-Jupyter.

Bug fixes and improvements:

* fixed an issue: proxies were not applied for POST requests;
* improved argument validation for various methods;
* more detailed logs;
* it is now possible to load a combatibility shim for window.localStorage;
* code coverage integration;
* improved Splash-Jupyter tests;
* Splash-Jupyter is upgraded to Jupyter 4.0.

1.7

Not secure
----------------

New features:

* :ref:`render.jpeg` endpoint and :ref:`splash-jpeg` function allow to take
screenshots in JPEG format;
* :ref:`splash-on-response-headers` Lua function and
:ref:`allowed_content_types <arg-allowed-content-types>` /
:ref:`forbidden_content_types <arg-forbidden-content-types>` HTTP arguments
allow to discard responses earlier based on their headers;
* :ref:`splash-images-enabled` attribute to enable/disable images from
Lua scripts;
* :ref:`splash-js-enabled` attribute to enable/disable JS processing from
Lua scripts;
* :ref:`splash-set-result-header` method for setting custom HTTP headers
returned to Splash clients;
* :ref:`resource_timeout <arg-resource-timeout>` argument for setting network
request timeouts in render endpoints;
* ``request:set_timeout(timeout)`` method (ses :ref:`splash-on-request`)
for setting request timeouts from Lua scripts;
* SOCKS5 proxy support: new 'type' argument
in :ref:`proxy profile <proxy profiles>` config files
and ``request:set_proxy`` method (ses :ref:`splash-on-request`)
* enabled HTTPS proxying;

Other changes:

* HTTP error detection is improved;
* MS fonts are added to the Docker image for better rendering quality;
* Chinese fonts are added to the Docker image to enable rendering of Chinese
websites;
* validation of ``timeout`` and ``wait`` arguments is improved;
* documentation: grammar is fixed in the tutorial;
* assorted documentation improvements and code cleanups;
* ``splash:set_images_enabled`` method is deprecated.

1.6

Not secure
----------------

The main new feature in Splash 1.6 is :ref:`splash-on-request` function
which allows to process individual outgoing requests: log, abort,
change them.

Other improvements:

* a new :ref:`http-gc` endpoint which allows to clear QWebKit caches;
* Docker images are updated with more recent package versions;
* HTTP arguments validation is improved;
* serving Splash UI under HTTPS is fixed.
* documentation improvements and typo fixes.

1.5

Not secure
----------------

In this release we introduce :ref:`Splash-Jupyter <splash-jupyter>` - a
web-based IDE for Splash Lua scripts with syntax highlighting, autocompletion
and a connected live browser window. It is implemented as a kernel for
Jupyter (IPython).

Docker images for Splash 1.5 are optimized - download size is much smaller
than in previous releases.

Other changes:

* :ref:`splash:go() <splash-go>` returned incorrect result after an
unsuccessful splash:go() call - this is fixed;
* Lua ``main`` function can now return multiple results;
* there are testing improvements and internal cleanups.

Page 4 of 8

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.