mistercrunch commented on code in PR #30134:
URL: https://github.com/apache/superset/pull/30134#discussion_r1930020931
##########
superset-frontend/src/utils/getBootstrapData.ts:
##########
@@ -25,3 +26,17 @@ export default function getBootstrapData(): BootstrapData {
const dataBootstrap = appContainer?.getAttribute('data-bootstrap');
return dataBootstrap ? JSON.parse(dataBootstrap) : DEFAULT_BOOTSTRAP_DATA;
}
+
+// eslint-disable-next-line import/no-mutable-exports
+const APPLICATION_ROOT_NO_TRAILING_SLASH =
+ getBootstrapData().common.application_root.replace(/\/$/, '');
+
+/**
+ * @param dom_sanitize If true, run the application root through dompurify
before returning
+ * @returns The configured application root
+ */
+export function applicationRoot(dom_sanitize = false): string {
+ return dom_sanitize
+ ? DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)
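Review bot: the `// eslint-disable-next-line import/no-mutable-exports` directive above `const APPLICATION_ROOT_NO_TRAILING_SLASH` does not apply to anything: that rule only fires on `export let` / `export var` bindings, and this is a non-exported `const`, so the comment should be dropped (or moved onto whichever exported binding it was meant for). Two smaller points: the parameter `dom_sanitize` should be `domSanitize` to match the camelCase used for `dataBootstrap` and `appContainer` in the same file, and the JSDoc should state what `DOMPurify.sanitize` is expected to protect against here and that the root is captured once at module load, since DOMPurify treats its input as HTML markup rather than as a URL and a caller of `applicationRoot(true)` needs that to decide when to pass the flag.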
Review Comment:
I'm not sure if I understand why we need to sanitize the app route every
time we read it (?) Seems it'd be a very static thing (?) Do we have trust issues
with the bootstrap data? Also concerned about parsing/reparsing bootstrap data
every time we read/print a URL. Assuming just the basic menu has dozens of
links, we'd be running `JSON.parse` for each one?