mcp-ui-playground
by ShreeMulay
Overview
Building interactive UI components for AI chat applications using the MCP-UI SDK.
Installation
bun run dev:server
Security Notes
The server generates UIResources with `text/html` content by directly embedding tool input parameters (e.g., `title`, `description`, `name`, `text`, `location`) into HTML strings without proper HTML escaping. This creates a significant Cross-Site Scripting (XSS) vulnerability if any of these inputs originate from untrusted sources (e.g., user prompts to an AI agent that invokes these tools). For example, if a tool's `title` parameter contains `<script>alert('XSS')</script>`, it would be directly rendered and executed in the client's iframe. The `application/vnd.mcp-ui.remote-dom` content type involves sending JavaScript code to the client for dynamic DOM manipulation; while the client is intended to run this in a sandboxed environment, this approach inherently carries higher risk compared to static HTML if client-side sandboxing mechanisms are compromised or misconfigured.
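The unescaped embedding described above, next to a hardened form, as an added example that is not code from the mcp-ui-playground repository. The function names, the card markup and the sample tool input are hypothetical; only the parameter names `title`, `description` and `location` come from the note.

```javascript
// Added example: function names and markup are hypothetical,
// not taken from the project.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern described in the security note: tool input is interpolated as-is.
function renderCardUnsafe({ title, description }) {
  return `<div class="card"><h2>${title}</h2><p>${description}</p></div>`;
}

// Hardened form: every tool parameter is escaped before interpolation,
// in both text and attribute positions.
function renderCardSafe({ title, description, location }) {
  return (
    `<div class="card" data-location="${escapeHtml(location)}">` +
    `<h2>${escapeHtml(title)}</h2>` +
    `<p>${escapeHtml(description)}</p></div>`
  );
}

// Constructed sample input, as a tool call might carry it from a user prompt.
const toolInput = {
  title: "<script>alert('XSS')</script>",
  description: "Weather & alerts",
  location: 'Joe\'s "Diner"',
};

console.log(renderCardUnsafe(toolInput)); // the script element survives intact
console.log(renderCardSafe(toolInput));   // the same input is rendered as text
```

Escaping covers HTML text and quoted-attribute positions only; values placed inside inline scripts, URLs or styles need context-specific encoding.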
Similar Servers
leanmcp-sdk
Building production-ready Model Context Protocol (MCP) servers with TypeScript, supporting features like authentication, elicitation, and UI integration for AI agents.
tiny-robot
A Vue 3 component library and AI interaction kit for building AI-powered frontend applications, providing UI components and a unified API interface to interact with various large AI models.
mcp-typescript-starter
A feature-complete Model Context Protocol (MCP) server template in TypeScript demonstrating all major MCP features for AI assistant interaction.
mcp-chat-client
A modern chat client that integrates with Model Context Protocol (MCP) servers to provide AI-powered conversations with access to various tools and resources.