mistercrunch commented on code in PR #30134:
URL: https://github.com/apache/superset/pull/30134#discussion_r1931312172
##########
superset-frontend/src/utils/getBootstrapData.ts:
##########
@@ -25,3 +26,17 @@ export default function getBootstrapData(): BootstrapData {
const dataBootstrap = appContainer?.getAttribute('data-bootstrap');
return dataBootstrap ? JSON.parse(dataBootstrap) : DEFAULT_BOOTSTRAP_DATA;
}
+
+// eslint-disable-next-line import/no-mutable-exports
+const APPLICATION_ROOT_NO_TRAILING_SLASH =
+ getBootstrapData().common.application_root.replace(/\/$/, '');
+
+/**
+ * @param dom_sanitize If true, run the application root through dompurify
before returning
+ * @returns The configured application root
+ */
+export function applicationRoot(dom_sanitize = false): string {
+ return dom_sanitize
+ ? DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)
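Review bot: the `// eslint-disable-next-line import/no-mutable-exports` comment at the top of the hunk is attached to `const APPLICATION_ROOT_NO_TRAILING_SLASH`, which is neither mutable nor exported, so it silences a rule that cannot fire there; drop it, or move it to whatever mutable export it was meant for. On the `DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)` branch: DOMPurify is an HTML sanitizer, so on a bare path string with no markup it returns the text unchanged (a value such as `javascript:alert(1)` passes straight through) while HTML-serialising characters like `&`, which means it does not validate the root as a path and does not change what ends up in an `href`. If the goal is to satisfy the CodeQL finding for the cases where the root is interpolated into a URL, a path-shape check (single leading `/`, no scheme, no `//` prefix, no `..` segments) is the check that actually matches the threat. Two smaller points: the module-level `getBootstrapData().common.application_root.replace(...)` runs at import time, so `DEFAULT_BOOTSTRAP_DATA` must carry `common.application_root` or importing this module throws when the `data-bootstrap` attribute is missing; and `dom_sanitize` is snake_case in a TypeScript file whose other identifiers are camelCase (`dataBootstrap`, `getBootstrapData`).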
Review Comment:
Not a security expert but from my understanding CodeQL is worried about
dom-injection-type attacks, which probably don't apply to our usage in most
cases (?). Pretty sure it wouldn't apply to the APP_ROOT that's coming from a
trusted place (served by the backend). That would only apply in some specific
cases. I'd assume that React anchor tags and react-router would already take
care of that.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
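The thread above turns on whether an HTML sanitizer is the right tool for a value that is used as a URL prefix. The following is an added example, not code from the Superset PR or project: it contrasts what the hunk does (run the root through an HTML sanitizer, which leaves a markup-free string such as `javascript:alert(1)` untouched) with a path-shape check that rejects scheme-bearing, protocol-relative and traversing values before they reach an `href`. React escapes text content, but it passes `href` attribute values through (it only logs a warning for `javascript:` URLs), so that check is where the injection concern is actually decided. The function names (`isSafeApplicationRoot`, `applicationRoot`, `buildHref`, `classifyRoots`) and the sample root values are assumptions made for the example.

```javascript
// Added example (not Superset's code). Validates a backend-supplied
// application root by its URL shape rather than by HTML sanitisation.
// All names and sample values below are hypothetical.

// Constructed sample values of the kind a `common.application_root` field
// might carry. An HTML sanitizer returns every one of these unchanged,
// because none contains markup; only the first three are safe as a prefix.
const SAMPLE_ROOTS = [
  '/',
  '/superset/',
  '/analytics/superset',
  'https://evil.example/',   // absolute URL: would redirect to another origin
  '//evil.example/',         // protocol-relative: same effect, no scheme needed
  'javascript:alert(1)',     // script URL: executes if it lands in an href
  '/a/../b',                 // traversal: escapes the intended prefix
];

function isSafeApplicationRoot(root) {
  if (typeof root !== 'string') return false;
  // Must be an absolute path with exactly one leading slash; a '//' prefix
  // is a protocol-relative URL and would point at a different host.
  if (!root.startsWith('/') || root.startsWith('//')) return false;
  // Control characters and backslashes are rejected explicitly: some URL
  // parsers normalise '\' to '/', which would re-open the '//' case.
  if (/[\x00-\x1f\x7f\\]/.test(root)) return false;
  // No '.' or '..' segments, so the root cannot resolve outside its prefix.
  const segments = root.split('/');
  if (segments.some(s => s === '.' || s === '..')) return false;
  return true;
}

// Equivalent of the trailing-slash stripping in the PR, but refusing to
// return anything that failed the shape check. Strips every trailing slash,
// so a root of '/' becomes '' and concatenation never yields '//'.
function applicationRoot(root) {
  if (!isSafeApplicationRoot(root)) {
    throw new Error(`unsafe application root: ${JSON.stringify(root)}`);
  }
  return root.replace(/\/+$/, '');
}

// Build an href from a validated root and a route that must itself be
// relative: a route carrying a scheme or a '//' prefix is refused so a
// caller cannot smuggle an absolute URL in through the second argument.
function buildHref(root, route) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(route) || route.startsWith('//')) {
    throw new Error(`route must be relative: ${JSON.stringify(route)}`);
  }
  return `${applicationRoot(root)}/${route.replace(/^\/+/, '')}`;
}

// Classify a list of candidate roots; useful for seeing at a glance which
// values an HTML sanitizer would have waved through.
function classifyRoots(roots) {
  return roots.map(r => ({ root: r, safe: isSafeApplicationRoot(r) }));
}

// Usage:
//   classifyRoots(SAMPLE_ROOTS)            -> 3 safe, 4 rejected
//   applicationRoot('/superset/')         -> '/superset'
//   buildHref('/superset/', '/dashboard/list/') -> '/superset/dashboard/list/'
```

The check is deliberately narrow: it does not try to sanitise a bad value into a good one, it refuses it, because a root that fails these rules is a misconfiguration or tampering, not something to be repaired client-side.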