potiuk commented on code in PR #35460:
URL: https://github.com/apache/airflow/pull/35460#discussion_r1382638206
##########
airflow/www/views.py:
##########
@@ -1952,30 +1952,51 @@ def trigger(self, dag_id: str, session: Session =
NEW_SESSION):
# Prepare form fields with param struct details to render a proper
form with schema information
form_fields = {}
+ allow_html_in_dag_docs = conf.getboolean("webserver",
"allow_html_in_dag_docs")
+ form_trust_problems = []
for k, v in dag.params.items():
form_fields[k] = v.dump()
+ form_field: dict = form_fields[k]
# If no schema is provided, auto-detect on default values
- if "schema" not in form_fields[k]:
- form_fields[k]["schema"] = {}
- if "type" not in form_fields[k]["schema"]:
- if isinstance(form_fields[k]["value"], bool):
- form_fields[k]["schema"]["type"] = "boolean"
- elif isinstance(form_fields[k]["value"], int):
- form_fields[k]["schema"]["type"] = ["integer", "null"]
- elif isinstance(form_fields[k]["value"], list):
- form_fields[k]["schema"]["type"] = ["array", "null"]
- elif isinstance(form_fields[k]["value"], dict):
- form_fields[k]["schema"]["type"] = ["object", "null"]
- # Mark markup fields as safe
- if (
- "description_html" in form_fields[k]["schema"]
- and form_fields[k]["schema"]["description_html"]
- ):
- form_fields[k]["description"] =
Markup(form_fields[k]["schema"]["description_html"])
- if "custom_html_form" in form_fields[k]["schema"]:
- form_fields[k]["schema"]["custom_html_form"] = Markup(
- form_fields[k]["schema"]["custom_html_form"]
- )
+ if "schema" not in form_field:
+ form_field["schema"] = {}
+ form_field_schema: dict = form_field["schema"]
+ if "type" not in form_field_schema:
+ form_field_value = form_field["value"]
+ if isinstance(form_field_value, bool):
+ form_field_schema["type"] = "boolean"
+ elif isinstance(form_field_value, int):
+ form_field_schema["type"] = ["integer", "null"]
+ elif isinstance(form_field_value, list):
+ form_field_schema["type"] = ["array", "null"]
+ elif isinstance(form_field_value, dict):
+ form_field_schema["type"] = ["object", "null"]
+ # Mark HTML fields as safe if allowed
+ if allow_html_in_dag_docs:
+ if "description_html" in form_field_schema:
+ form_field["description"] =
Markup(form_field_schema["description_html"])
+ if "custom_html_form" in form_field_schema:
+ form_field_schema["custom_html_form"] =
Markup(form_field_schema["custom_html_form"])
+ else:
+ if "description_html" in form_field_schema and
"description_md" not in form_field_schema:
+ form_trust_problems.append(f"Field {k} uses HTML
description")
+ form_field["description"] =
form_field_schema.pop("description_html")
+ if "custom_html_form" in form_field_schema:
+ form_trust_problems.append(f"Field {k} uses custom HTML
form definition")
+ form_field_schema.pop("custom_html_form")
+ if "description_md" in form_field_schema:
+ form_field["description"] =
wwwutils.wrapped_markdown(form_field_schema["description_md"])
+ if form_trust_problems:
+ flash(
+ Markup(
+ f"At least one field in trigger form uses custom HTML form
definition. This is not allowed per "
+ "configuration for security. Change
<code>allow_html_in_dag_docs</code> to enable HTML. "
Review Comment:
```suggestion
"configuration for security. Switch to markdown
description via <code>description_md</code> "
"or ask your deployment manager to change
<code>webserver.allow_html_in_dag_docs</code> "
"configuration parameter to enable HTML. "
```