michellethomas opened a new pull request #4842: Cleaning html tags from text
URL: https://github.com/apache/incubator-superset/pull/4842

There are a few cases where we are using d3.html() which intentionally doesn't escape html. In these cases if a user has data with html tags we are not escaping it so some js can be executed. For example if a group by column in a table has an html tag with an onerror, the onerror will get executed in the browser when the table renders.

Initially I tried to do this in some central place so that we didn't have to go into individual files in /visualizations but when looking into it more, it seems to happen when we are using d3.html(). Let me know if there's a better way to do this.

I may have missed a few cases, mainly trying to quickly get a fix out for the most used visualizations.

@mistercrunch @graceguo-supercat
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
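The PR describes the general pattern behind this class of bug: d3's selection.html() assigns raw markup, so any user-controlled value interpolated into that string is parsed as HTML, and an element with an inline event-handler attribute runs script when the table renders. The following is an added example, not code from the Superset pull request: it shows a vulnerable render beside an escaped one and a check a reviewer can use to confirm the fix. `FakeSelection`, `renderCellUnsafe`, `renderCellEscaped` and `hasInlineHandler` are hypothetical names standing in for a d3 selection and for the visualization code, so the example runs offline in Node; `SAMPLE_VALUE` is a constructed cell value of the kind the PR mentions.

```javascript
// Added example (not Superset's code): contrast a raw .html() render with an
// escaped one for a table cell built from user-controlled data.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical stand-in for a d3 selection so the example runs without a DOM.
// Like d3, .html() stores the markup verbatim; .text() stores it as text.
class FakeSelection {
  constructor() { this.innerHTML = ''; }
  html(markup) { this.innerHTML = markup; return this; }
  text(str) { this.innerHTML = escapeHtml(str); return this; }
}

// Vulnerable pattern: the group-by value is interpolated straight into .html().
function renderCellUnsafe(groupByValue) {
  return new FakeSelection().html(`<td>${groupByValue}</td>`).innerHTML;
}

// Fixed pattern: escape the value before the string reaches .html().
function renderCellEscaped(groupByValue) {
  return new FakeSelection().html(`<td>${escapeHtml(groupByValue)}</td>`).innerHTML;
}

// Reviewer-side check: does the produced markup contain an element carrying an
// inline event-handler attribute (on...=)? A correct fix must make this false.
function hasInlineHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

// Constructed sample: a cell value carrying an img tag with an onerror attribute,
// the case the PR describes. The handler body here only logs.
const SAMPLE_VALUE = '<img src=x onerror="console.log(\'handler ran\')">';

// Returns both renders so the difference can be inspected or asserted on.
function demo(value = SAMPLE_VALUE) {
  return {
    unsafe: renderCellUnsafe(value),
    escaped: renderCellEscaped(value),
  };
}

console.log(demo());
```

The escaped render keeps the original characters visible to the user (the browser shows `<img ...>` as literal text in the cell) while giving the HTML parser nothing to turn into an element, which is the behaviour the PR is after; calling .text() instead of .html() achieves the same where no markup is needed at all.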
