guan404ming commented on code in PR #54166:
URL: https://github.com/apache/airflow/pull/54166#discussion_r2261862538


##########
providers/standard/src/airflow/providers/standard/example_dags/example_hitl_operator.py:
##########
@@ -125,10 +125,11 @@ def notify(self, context: Context) -> None:
         task_id="valid_input_and_options",
         subject="Are the following input and options valid?",
         body="""
-        Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
-        Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] 
}}
-        Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
-        Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+**Collected Information**
+- Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
+- Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}

Review Comment:
   > Markdown is "safe" in the way that it only allows formatting and NOT embedding JS code. We use Markdown also for Dag Docs and other Trigger form elements.
   
   Agreed with @jscheffl. We also have certain protections in the frontend, such as using a component whitelist in [ReactMarkdown.tsx](https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/ui/src/components/ReactMarkdown.tsx) and passing `skipHTML` to prevent XSS. Therefore, in my opinion, the frontend is relatively safe with protections.
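The two protections named above, `skipHTML` and a component whitelist, modelled as an added JavaScript illustration (not react-markdown's or Airflow's code): it renders the patch's Markdown body with constructed XCom values and shows raw HTML being dropped rather than emitted as markup. All function names are hypothetical.

```javascript
// Added illustration, not code from Airflow or react-markdown: a tiny Markdown
// subset renderer that models the two frontend protections the thread names,
// skipHtml (raw HTML in the source is dropped, never emitted as markup) and a
// component whitelist (only a fixed set of Markdown constructs become elements).
// All names below (renderSafeMarkdown, stripRawHtml, escapeText) are hypothetical.

// Escape text so nothing in an XCom value can be interpreted as HTML.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Model of skipHtml: raw HTML tags are removed from the source; their text
// content stays, but only as text.
function stripRawHtml(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Inline whitelist: only **bold** becomes an element; everything else is text.
function renderInline(line) {
  return escapeText(stripRawHtml(line))
    .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
}

// Block whitelist: "- " list items and plain paragraphs, nothing else.
function renderSafeMarkdown(markdown) {
  const out = [];
  let inList = false;
  for (const raw of markdown.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    if (line.startsWith("- ")) {
      if (!inList) { out.push("<ul>"); inList = true; }
      out.push(`<li>${renderInline(line.slice(2))}</li>`);
    } else {
      if (inList) { out.push("</ul>"); inList = false; }
      out.push(`<p>${renderInline(line)}</p>`);
    }
  }
  if (inList) out.push("</ul>");
  return out.join("");
}

// Constructed sample: the patch's body after Jinja has filled in the XCom
// values, with one value deliberately carrying a raw HTML tag.
const SAMPLE_BODY = `**Collected Information**
- Input: ship v2 <script>untrusted()</script>
- Option: approve & notify`;

console.log(renderSafeMarkdown(SAMPLE_BODY));
```

The `<script>` tag never reaches the output; only its inert text content does, and the `&` in the option value is escaped rather than interpreted.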


