zhaoyongjie commented on code in PR #21895:
URL: https://github.com/apache/superset/pull/21895#discussion_r1014153722


##########
superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx:
##########
@@ -16,38 +16,44 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
-import React from 'react';
-import ReactMarkdown, { MarkdownAbstractSyntaxTree } from 'react-markdown';
-// @ts-ignore no types available
-import htmlParser from 'react-markdown/plugins/html-parser';
-
+import React, { useMemo } from 'react';
+import ReactMarkdown from 'react-markdown';
+import rehypeSanitize, { defaultSchema } from 'rehype-sanitize';
+import rehypeRaw from 'rehype-raw';
+import { merge } from 'lodash';
 import { FeatureFlag, isFeatureEnabled } from '../utils';
 
 interface SafeMarkdownProps {
   source: string;
+  htmlSanitization?: boolean;
+  htmlSchemaOverrides?: typeof defaultSchema;
 }
 
-function isSafeMarkup(node: MarkdownAbstractSyntaxTree) {
-  return node.type === 'html' && node.value
-    ? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value)
-    : true;
-}
+function SafeMarkdown({
+  source,
+  htmlSanitization = true,
+  htmlSchemaOverrides = {},
+}: SafeMarkdownProps) {
+  const displayHtml = isFeatureEnabled(FeatureFlag.DISPLAY_MARKDOWN_HTML);
+  const escapeHtml = isFeatureEnabled(FeatureFlag.ESCAPE_MARKDOWN_HTML);
+
+  const rehypePlugins = useMemo(() => {
+    const rehypePlugins: any = [];
+    if (displayHtml && !escapeHtml) {
+      rehypePlugins.push(rehypeRaw);
+      if (htmlSanitization) {
+        const schema = merge(defaultSchema, htmlSchemaOverrides);
+        rehypePlugins.push([rehypeSanitize, schema]);
+      }
+    }
+    return rehypePlugins;
+  }, [displayHtml, escapeHtml, htmlSanitization, htmlSchemaOverrides]);

Review Comment:
   Hi @villebro @michael-s-molina, I think a dynamic feature flag might not be 
a good approach, for two reasons: 
   1) Some FFs exist not only on the frontend but also on the backend, for 
example `ENABLE_TEMPLATE_PROCESSING`, so it is hard to set such a FF dynamically.
   2) Some FFs are designed for security, for example 
`ENABLE_EXPLORE_JSON_CSRF_PROTECTION`,
   `ENABLE_TEMPLATE_PROCESSING`, and `ENABLE_TEMPLATE_REMOVE_FILTERS`. The 
system administrator does not allow users to modify these configs dynamically.


