GitHub user dosubot[bot] added a comment to the discussion: HandleBars Js adding script

Superset enforces a strict Content Security Policy (CSP) that blocks most 
inline JavaScript, including event handlers like onclick and <script> tags from 
user content, even if you add a nonce. This is intentional for security reasons 
and not a misconfiguration. Only scripts with a valid nonce generated by the 
backend (using the Jinja macro csp_nonce()) can run, and even then, 
user-supplied HTML is sanitized to remove scripts and event handlers to prevent 
XSS attacks. So, adding JS functions like onClick directly in your Handlebars 
template or HTML won't work in Superset by design 
[docs](https://github.com/apache/superset/blob/7b6885a020af6c55fd6661ca766ebc18399c9496/docs/docs/security/security.mdx).

If you need interactive behavior, you’ll need to implement it in a custom 
Superset plugin or extension, not via inline scripts or HTML in dashboards.



GitHub link: 
https://github.com/apache/superset/discussions/33778#discussioncomment-13482660
