fertek commented on issue #33455:
URL: https://github.com/apache/superset/issues/33455#issuecomment-2990443233

   I think `HTML_SANITIZATION_SCHEMA_EXTENSIONS` only affects the client-side 
Markdown sanitizer.
   
   The **Description** field of charts is sanitized **server-side** in [superset.utils.core.markdown()](https://github.com/apache/superset/blob/93583220a7aa4debeaf3fd4a6cade9f771ee8c2f/superset/utils/core.py#L442-L486) with `nh3`, whose default whitelist does not include `target`. Therefore, links like `<a href="https://example.com" target="_blank">link</a>` still lose the attribute.
   
   Below is a monkey-patch that may help others until the whitelist is extended:
   
   ```python
   from superset.utils import core as superset_core
   
   # keep original function for later use
   _original_clean = superset_core.nh3.clean
   
   def clean_allow_target(html, *, tags=None, attributes=None, **kwargs):
       """Wrapper over nh3.clean – adds 'target' to <a>."""
       if attributes is not None:
           # copy so the caller's mapping is not modified in place
           attributes = dict(attributes)
           attrs_a = set(attributes.get("a", ()))
           attrs_a.add("target")
           attributes["a"] = attrs_a
       return _original_clean(html, tags=tags, attributes=attributes, **kwargs)
   
   # monkey-patch nh3.clean globally
   superset_core.nh3.clean = clean_allow_target
   ```
   
   This keeps the original sanitization but whitelists target.

