michael-s-molina commented on code in PR #21895:
URL: https://github.com/apache/superset/pull/21895#discussion_r1014160589


##########
superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx:
##########
@@ -16,38 +16,44 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
-import React from 'react';
-import ReactMarkdown, { MarkdownAbstractSyntaxTree } from 'react-markdown';
-// @ts-ignore no types available
-import htmlParser from 'react-markdown/plugins/html-parser';
-
+import React, { useMemo } from 'react';
+import ReactMarkdown from 'react-markdown';
+import rehypeSanitize, { defaultSchema } from 'rehype-sanitize';
+import rehypeRaw from 'rehype-raw';
+import { merge } from 'lodash';
 import { FeatureFlag, isFeatureEnabled } from '../utils';
 
 interface SafeMarkdownProps {
   source: string;
+  htmlSanitization?: boolean;
+  htmlSchemaOverrides?: typeof defaultSchema;
 }
 
-function isSafeMarkup(node: MarkdownAbstractSyntaxTree) {
-  return node.type === 'html' && node.value
-    ? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value)
-    : true;
-}
+function SafeMarkdown({
+  source,
+  htmlSanitization = true,
+  htmlSchemaOverrides = {},
+}: SafeMarkdownProps) {
+  const displayHtml = isFeatureEnabled(FeatureFlag.DISPLAY_MARKDOWN_HTML);
+  const escapeHtml = isFeatureEnabled(FeatureFlag.ESCAPE_MARKDOWN_HTML);
+
+  const rehypePlugins = useMemo(() => {
+    const rehypePlugins: any = [];
+    if (displayHtml && !escapeHtml) {
+      rehypePlugins.push(rehypeRaw);
+      if (htmlSanitization) {
+        const schema = merge(defaultSchema, htmlSchemaOverrides);
+        rehypePlugins.push([rehypeSanitize, schema]);
+      }
+    }
+    return rehypePlugins;
+  }, [displayHtml, escapeHtml, htmlSanitization, htmlSchemaOverrides]);
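Review bot: `merge(defaultSchema, htmlSchemaOverrides)` mutates `defaultSchema` in place, because lodash `merge` writes into its first argument, so the module-level schema imported from `rehype-sanitize` is changed for every SafeMarkdown instance rendered afterwards, and an override that loosens it (extra tags or attributes) leaks into components that passed none. Merge into a fresh object instead: `const schema = merge({}, defaultSchema, htmlSchemaOverrides);`. The `htmlSchemaOverrides = {}` parameter default also yields a new object on each render, so the `useMemo` keyed on it likely recomputes every time; a hoisted shared empty-object constant would keep the memo stable. The `rehypePlugins: any` local should carry the plugin-list type rather than `any`, since `any` hides a wrong tuple shape for the `[rehypeSanitize, schema]` entry. SafeMarkdown's body continues outside the hunk.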

Review Comment:
   I think all of these problems can be addressed in a future configuration 
module. We can choose what properties we expose to the module and also add the 
necessary logic to change backend flags.


