Re: [PR] refactor: Allow superset to be deployed under a prefixed URL [superset]

[via GitHub]

github-advanced-security[bot] commented on code in PR #30134:
URL: https://github.com/apache/superset/pull/30134#discussion_r1925566521


##########
superset-frontend/src/features/home/ChartTable.tsx:
##########
@@ -193,7 +194,7 @@
             ),
             buttonStyle: 'tertiary',
             onClick: () => {
-              window.location.assign('/chart/add');
+              window.location.assign(ensureAppRootSanitized('/chart/add'));

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1255)



##########
superset-frontend/src/features/home/DashboardTable.tsx:
##########
@@ -196,19 +197,20 @@
             ),
             buttonStyle: 'tertiary',
             onClick: () => {
-              window.location.assign('/dashboard/new');
+              window.location.assign(ensureAppRootSanitized('/dashboard/new'));

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1256)



##########
superset-frontend/src/features/home/EmptyState.tsx:
##########
@@ -171,7 +173,7 @@
         <Button
           buttonStyle="primary"
           onClick={() => {
-            window.location.href = favRedirects[tableName];
+            window.location.href = 
ensureAppRootSanitized(favRedirects[tableName]);

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1257)



##########
superset-frontend/src/features/home/RightMenu.tsx:
##########
@@ -461,7 +462,7 @@
                         {menu.label}
                       </Link>
                     ) : (
-                      <a href={menu.url}>
+                      <a href={ensureAppRootSanitized(menu.url || '')}>

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1258)



##########
superset-frontend/src/pages/AnnotationLayerList/index.tsx:
##########
@@ -277,7 +278,7 @@
   };
 
   const onLayerAdd = (id?: number) => {
-    window.location.href = `/annotationlayer/${id}/annotation`;
+    window.location.href = 
ensureAppRootSanitized(`/annotationlayer/${id}/annotation`);

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1261)



##########
superset-frontend/src/dashboard/components/SaveModal.tsx:
##########
@@ -154,7 +155,9 @@
     } else {
       this.onSave(data, dashboardId, saveType).then((resp: JsonResponse) => {
         if (saveType === SAVE_TYPE_NEWDASHBOARD && resp.json?.result?.id) {
-          window.location.href = `/superset/dashboard/${resp.json.result.id}/`;
+          window.location.href = ensureAppRootSanitized(
+            `/superset/dashboard/${resp.json.result.id}/`,
+          );

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1254)



##########
superset-frontend/src/features/home/RightMenu.tsx:
##########
@@ -496,7 +497,9 @@
                       {isFrontendRoute(child.url) ? (
                         <Link to={child.url || ''}>{menuItemDisplay}</Link>
                       ) : (
-                        <a href={child.url}>{menuItemDisplay}</a>
+                        <a href={ensureAppRootSanitized(child.url || '')}>

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1259)



##########
superset-frontend/src/pages/DashboardList/index.tsx:
##########
@@ -682,7 +683,7 @@
       ),
       buttonStyle: 'primary',
       onClick: () => {
-        window.location.assign('/dashboard/new');
+        window.location.assign(ensureAppRootSanitized('/dashboard/new'));

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1262)



##########
superset-frontend/src/features/home/SavedQueries.tsx:
##########
@@ -264,7 +266,7 @@
             name: t('View All »'),
             buttonStyle: 'link',
             onClick: () => {
-              window.location.href = '/savedqueryview/list';
+              window.location.href = 
ensureAppRootSanitized('/savedqueryview/list');

Review Comment:
   ## DOM text reinterpreted as HTML
   
   [DOM text](1) is reinterpreted as HTML without escaping meta-characters.
   
   [Show more 
details](https://github.com/apache/superset/security/code-scanning/1260)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org
For additional commands, e-mail: notifications-h...@superset.apache.org