martyngigg commented on code in PR #30134:
URL: https://github.com/apache/superset/pull/30134#discussion_r1930170846


##########
superset-frontend/src/utils/getBootstrapData.ts:
##########
@@ -25,3 +26,17 @@ export default function getBootstrapData(): BootstrapData {
   const dataBootstrap = appContainer?.getAttribute('data-bootstrap');
   return dataBootstrap ? JSON.parse(dataBootstrap) : DEFAULT_BOOTSTRAP_DATA;
 }
+
+// eslint-disable-next-line import/no-mutable-exports
+const APPLICATION_ROOT_NO_TRAILING_SLASH =
+  getBootstrapData().common.application_root.replace(/\/$/, '');
+
+/**
+ * @param dom_sanitize If true, run the application root through dompurify 
before returning
+ * @returns The configured application root
+ */
+export function applicationRoot(dom_sanitize = false): string {
+  return dom_sanitize
+    ? DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)
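
Review bot: `DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)` in `applicationRoot` is an HTML sanitizer, not a URL check, so it does not decide whether the root is safe to place in an `href`: a root of `//evil.example/x` comes back untouched, while a legitimate path containing `&` comes back as `&amp;`, because the return value is serialized HTML. The check an `href` prefix needs is structural, that the value starts with exactly one `/`, carries no scheme, whitespace or backslash, and is rejected otherwise; doing that once where `APPLICATION_ROOT_NO_TRAILING_SLASH` is computed would remove the need for the `dom_sanitize` flag. Two smaller points: `// eslint-disable-next-line import/no-mutable-exports` sits above a `const` that is not exported, so it suppresses nothing and can be dropped; and evaluating the constant at module load calls `getBootstrapData()` on import, so any code that imports this file before `appContainer` carries `data-bootstrap` silently caches the root from `DEFAULT_BOOTSTRAP_DATA` for the lifetime of the module.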

Review Comment:
   This was an attempt to address a security warning that CodeQL highlighted in multiple places when assigning the result of the new `ensureAppRootSanitized` function in `pathUtils` to a `href` element, for example:
   
   <img width="821" alt="image" src="https://github.com/user-attachments/assets/f07a1797-d98e-49ff-982c-6e092e235f36" />
   
   Reflecting on this, yes, that will be a lot of repeated work (and I'm not crazy about the new names `ensureAppRootSanitized` & `ensureAppRootUnsanitized` in `pathUtils`, but I at least wanted to be clear they were doing something with the root itself).
   
   Would an acceptable solution for this case be to cache it as a module-level variable in `getBootstrapData` while a wider solution to reparsing the bootstrap data and centralizing the routing code is created?
   



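The comment above asks whether the sanitized root can simply be cached as a module-level value. The following is an added example, not code from the Superset PR or the project: it shows the check an `href` prefix actually needs, a structural same-origin path validation, together with a lazily memoized accessor, since DOMPurify sanitizes HTML markup and does not decide whether a string is a safe URL. The names `normalizeApplicationRoot`, `createApplicationRoot` and `hrefUnderRoot`, and the `readRoot` callback standing in for `getBootstrapData().common.application_root`, are assumptions introduced here.

```typescript
// Added example (not part of the Superset PR): treat the application root as
// a URL path and validate it structurally, instead of HTML-sanitizing it.
// normalizeApplicationRoot, createApplicationRoot and hrefUnderRoot are names
// chosen for this example.

// Fixed dummy origin, used only to run the value through the URL parser.
const ROOT_CHECK_BASE = 'https://superset.invalid';

// Whitespace, control characters, backslashes, quotes and angle brackets have
// no business in a same-origin path prefix that will be placed in an href.
const ROOT_FORBIDDEN_CHARS = /[\s\\<>"'`\u0000-\u001f]/;

/**
 * Returns the root as an absolute same-origin path with no trailing slash
 * ('' when the app is served at the origin root), or null when the value
 * cannot safely be used as an href prefix.
 */
function normalizeApplicationRoot(raw: string): string | null {
  if (raw === '' || raw === '/') return '';
  if (!raw.startsWith('/')) return null;   // 'https://...', 'javascript:...', 'evil.example/...'
  if (raw.startsWith('//')) return null;   // '//evil.example/x' is scheme-relative
  if (ROOT_FORBIDDEN_CHARS.test(raw)) return null;

  let parsed: URL | null = null;
  try {
    parsed = new URL(raw, ROOT_CHECK_BASE);
  } catch {
    // unparsable: fall through to the null check below
  }
  if (parsed === null) return null;

  // The parser must have kept us on the dummy origin, produced no query or
  // fragment, and left the path unchanged, so '/a/../b' and anything that
  // needed percent-encoding are rejected rather than silently rewritten.
  if (parsed.origin !== ROOT_CHECK_BASE) return null;
  if (parsed.search !== '' || parsed.hash !== '') return null;
  if (parsed.pathname !== raw) return null;

  return parsed.pathname.replace(/\/+$/, '');
}

/**
 * Builds a memoized accessor for the application root. readRoot stands in for
 * getBootstrapData().common.application_root and is called on first use rather
 * than at module load, so import order does not matter and tests can supply
 * their own value. An invalid root fails loudly instead of being cached.
 */
function createApplicationRoot(readRoot: () => string): () => string {
  let cached: string | undefined;
  return (): string => {
    if (cached === undefined) {
      const normalized = normalizeApplicationRoot(readRoot());
      if (normalized === null) {
        throw new Error('application_root must be an absolute same-origin path');
      }
      cached = normalized;
    }
    return cached;
  };
}

/** Prefixes a root-relative path with the cached application root. */
function hrefUnderRoot(applicationRoot: () => string, path: string): string {
  if (!path.startsWith('/')) {
    throw new Error(`expected a root-relative path, got ${JSON.stringify(path)}`);
  }
  return `${applicationRoot()}${path}`;
}

// Constructed sample: a deployment served under /superset/.
const sampleRoot = createApplicationRoot(() => '/superset/');
console.log(hrefUnderRoot(sampleRoot, '/dashboard/list/'));
```

The accessor is created once per module and read wherever a link is built, which gives the caching the comment asks for without running `getBootstrapData()` at import time; rejecting rather than repairing a malformed root keeps a misconfigured deployment from quietly emitting links off the origin.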
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
