jedcunningham commented on code in PR #35460:
URL: https://github.com/apache/airflow/pull/35460#discussion_r1385810730
##########
docs/apache-airflow/core-concepts/params.rst:
##########
@@ -324,9 +325,18 @@ For examples also please take a look to two example DAGs
provided: ``example_par
.. image:: ../img/trigger-dag-tutorial-form.png
.. versionadded:: 2.7.0
-
-The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
-``webserver.show_trigger_form_if_no_params``.
+ The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
+ ``webserver.show_trigger_form_if_no_params``.
+
+.. versionchanged:: 2.8.0
+ Per default custom HTML is not allowed to prevent injection of scripts or
other malicious HTML code. If you trust your DAG authors
Review Comment:
```suggestion
By default custom HTML is not allowed to prevent injection of scripts or
other malicious HTML code. If you trust your DAG authors
```
##########
newsfragments/35460.significant.rst:
##########
@@ -0,0 +1,10 @@
+Per default raw HTML code in DAG docs and DAG params descriptions is disabled
with 2.8.0.
Review Comment:
```suggestion
Raw HTML code in DAG docs and DAG params descriptions is disabled by default
```
No need to duplicate the version, it's in the 2.8.0 release section.
##########
airflow/www/views.py:
##########
@@ -1952,30 +1952,52 @@ def trigger(self, dag_id: str, session: Session =
NEW_SESSION):
# Prepare form fields with param struct details to render a proper
form with schema information
form_fields = {}
+ allow_html_in_dag_docs = conf.getboolean("webserver",
"allow_html_in_dag_docs")
+ form_trust_problems = []
for k, v in dag.params.items():
form_fields[k] = v.dump()
+ form_field: dict = form_fields[k]
# If no schema is provided, auto-detect on default values
- if "schema" not in form_fields[k]:
- form_fields[k]["schema"] = {}
- if "type" not in form_fields[k]["schema"]:
- if isinstance(form_fields[k]["value"], bool):
- form_fields[k]["schema"]["type"] = "boolean"
- elif isinstance(form_fields[k]["value"], int):
- form_fields[k]["schema"]["type"] = ["integer", "null"]
- elif isinstance(form_fields[k]["value"], list):
- form_fields[k]["schema"]["type"] = ["array", "null"]
- elif isinstance(form_fields[k]["value"], dict):
- form_fields[k]["schema"]["type"] = ["object", "null"]
- # Mark markup fields as safe
- if (
- "description_html" in form_fields[k]["schema"]
- and form_fields[k]["schema"]["description_html"]
- ):
- form_fields[k]["description"] =
Markup(form_fields[k]["schema"]["description_html"])
- if "custom_html_form" in form_fields[k]["schema"]:
- form_fields[k]["schema"]["custom_html_form"] = Markup(
- form_fields[k]["schema"]["custom_html_form"]
- )
+ if "schema" not in form_field:
+ form_field["schema"] = {}
+ form_field_schema: dict = form_field["schema"]
+ if "type" not in form_field_schema:
+ form_field_value = form_field["value"]
+ if isinstance(form_field_value, bool):
+ form_field_schema["type"] = "boolean"
+ elif isinstance(form_field_value, int):
+ form_field_schema["type"] = ["integer", "null"]
+ elif isinstance(form_field_value, list):
+ form_field_schema["type"] = ["array", "null"]
+ elif isinstance(form_field_value, dict):
+ form_field_schema["type"] = ["object", "null"]
+ # Mark HTML fields as safe if allowed
+ if allow_html_in_dag_docs:
+ if "description_html" in form_field_schema:
+ form_field["description"] =
Markup(form_field_schema["description_html"])
+ if "custom_html_form" in form_field_schema:
+ form_field_schema["custom_html_form"] =
Markup(form_field_schema["custom_html_form"])
+ else:
+ if "description_html" in form_field_schema and
"description_md" not in form_field_schema:
+ form_trust_problems.append(f"Field {k} uses HTML
description")
+ form_field["description"] =
form_field_schema.pop("description_html")
+ if "custom_html_form" in form_field_schema:
Review Comment:
Are we missing a deprecation warning when folks do use this?
##########
airflow/config_templates/config.yml:
##########
@@ -1821,6 +1821,17 @@ webserver:
type: boolean
example: ~
default: "False"
+ allow_html_in_dag_docs:
Review Comment:
Not sure about the name of this. It implies its only dag docs, but it covers
more than that. Maybe `allow_unsafe_html`?
##########
docs/apache-airflow/core-concepts/params.rst:
##########
@@ -324,9 +325,18 @@ For examples also please take a look to two example DAGs
provided: ``example_par
.. image:: ../img/trigger-dag-tutorial-form.png
.. versionadded:: 2.7.0
-
-The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
-``webserver.show_trigger_form_if_no_params``.
+ The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
+ ``webserver.show_trigger_form_if_no_params``.
+
+.. versionchanged:: 2.8.0
+ Per default custom HTML is not allowed to prevent injection of scripts or
other malicious HTML code. If you trust your DAG authors
+ you can change the trust level of parameter descriptions to allow raw HTML
by setting the configuration entry
+ ``webserver.allow_html_in_dag_docs`` to ``True``. With the default setting
all HTML will be displayed as plain text.
+ This relates to the previous feature to enable rich formatting with the
attribute ``description_html`` which is now super-seeded
+ with the attribute ``description_md``.
+ Custom form elements using the attribute ``custom_html_form`` are allowing
a DAG author to specify raw HTML form templates. These
Review Comment:
```suggestion
Custom form elements using the attribute ``custom_html_form`` allow a
DAG author to specify raw HTML form templates. These
```
##########
docs/apache-airflow/core-concepts/params.rst:
##########
@@ -324,9 +325,18 @@ For examples also please take a look to two example DAGs
provided: ``example_par
.. image:: ../img/trigger-dag-tutorial-form.png
.. versionadded:: 2.7.0
-
-The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
-``webserver.show_trigger_form_if_no_params``.
+ The trigger form can also be forced to be displayed also if no params are
defined using the configuration switch
+ ``webserver.show_trigger_form_if_no_params``.
+
+.. versionchanged:: 2.8.0
+ Per default custom HTML is not allowed to prevent injection of scripts or
other malicious HTML code. If you trust your DAG authors
+ you can change the trust level of parameter descriptions to allow raw HTML
by setting the configuration entry
+ ``webserver.allow_html_in_dag_docs`` to ``True``. With the default setting
all HTML will be displayed as plain text.
+ This relates to the previous feature to enable rich formatting with the
attribute ``description_html`` which is now super-seeded
+ with the attribute ``description_md``.
+ Custom form elements using the attribute ``custom_html_form`` are allowing
a DAG author to specify raw HTML form templates. These
+ custom HTML form elements are with version 2.8.0 deprecated and will be
replaced with a newer and more secure option in a future
+ release.
Review Comment:
```suggestion
custom HTML form elements are deprecated as of version 2.8.0.
```
Do we have a plan for replacing this with something else? I'd rather we
don't mention it if we don't know if/what we will do.
##########
newsfragments/35460.significant.rst:
##########
@@ -0,0 +1,10 @@
+Per default raw HTML code in DAG docs and DAG params descriptions is disabled
with 2.8.0.
+
+To ensure that no malicious javascript can be injected with DAG descriptions
or trigger UI forms by DAG authors
+a new parameter ``webserver.allow_html_in_dag_docs`` was added with default
value of ``False``.
+If you trust your DAG authors code and want to allow using raw HTML in DAG
descriptions and params and restore the previous
+behavior you must set the configuration value to ``True``.
+
+To ensure Airflow is secure by default, the raw HTML support in trigger UI has
been super-seeded by markdown support via
+the ``description_md`` attribute. If you have been using ``description_html``
please migrate to ``description_md``.
+The ``custom_html_form`` is now deprecated and will be replaced by a more
secure feature in a future release.
Review Comment:
```suggestion
The ``custom_html_form`` is now deprecated.
```
Same here.
##########
newsfragments/35460.significant.rst:
##########
@@ -0,0 +1,10 @@
+Per default raw HTML code in DAG docs and DAG params descriptions is disabled
with 2.8.0.
+
+To ensure that no malicious javascript can be injected with DAG descriptions
or trigger UI forms by DAG authors
+a new parameter ``webserver.allow_html_in_dag_docs`` was added with default
value of ``False``.
+If you trust your DAG authors code and want to allow using raw HTML in DAG
descriptions and params and restore the previous
+behavior you must set the configuration value to ``True``.
Review Comment:
```suggestion
If you trust your DAG authors code and want to allow using raw HTML in DAG
descriptions and params, you can restore the previous
behavior by setting the configuration value to ``True``.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
