korbit-ai[bot] commented on code in PR #33967:
URL: https://github.com/apache/superset/pull/33967#discussion_r2173600289


##########
superset-frontend/src/pages/ChartCreation/index.tsx:
##########
@@ -206,7 +205,7 @@ export class ChartCreation extends PureComponent<
   }
 
   componentDidMount() {
-    const params = querystring.parse(window.location.search)?.dataset as 
string;
+    const params = new URLSearchParams(window.location.search).get('dataset');
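Review bot: the `as string` cast on the removed line hid that the value could be absent; the new `URLSearchParams.get('dataset')` is typed `string | null`, so whatever consumes `params` later in `componentDidMount` must treat `null` (not `undefined`) as "missing", and any strict `=== undefined` comparison would now never fire; a plain truthiness check (`if (params)`) covers both `null` and the empty string. Two behaviour changes also ride along with the API swap: `get()` returns only the first value when `dataset` is repeated in the query string, where `query-string`'s `parse()` returned an array, and `+` is decoded as a space. Since `params` now holds a single string rather than a parsed object, a name such as `datasetParam` would make the later uses easier to read.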

Review Comment:
   ### Unvalidated URL Parameter Usage <sub>![category Security](https://img.shields.io/badge/Security-e11d48)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   Direct use of unvalidated URL parameters which could be used for XSS attacks.
   
   
   ###### Why this matters
   If an attacker crafts a malicious dataset parameter value, it could lead to script injection when the value is later used in the DOM or API calls.
   
   ###### Suggested change ∙ *Feature Preview*
   ```typescript
   // Add input validation before using the parameter
   const rawDataset = new URLSearchParams(window.location.search).get('dataset');
   const params = rawDataset ? encodeURIComponent(rawDataset.trim()) : null;
   ```
   
   
   </details>
   
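The behaviour differences introduced by the hunk above, and the distinction between validating a query parameter and merely encoding it, are easier to see in running code. The following TypeScript is an added example written for this page; it is not code from Superset or from the bot's suggestion. The allowlist pattern `DATASET_RE`, the 64-character limit and the function names are assumptions made for the example, since the page does not define what a valid `dataset` value looks like.

```typescript
// Added example for this page, not Superset code: reading the `dataset` query
// parameter the way the hunk above does, plus the checks a reviewer would want.

// ASSUMPTION for this example only: a dataset value is a non-empty identifier
// of 1..64 characters drawn from letters, digits, '_', '-' and '.'. The page
// does not say what Superset accepts here, so treat this pattern as a stand-in.
export const DATASET_RE = /^[A-Za-z0-9_.-]{1,64}$/;

/** Same call as the new line in the hunk: first `dataset` value, or null when absent. */
export function readDatasetParam(search: string): string | null {
  return new URLSearchParams(search).get('dataset');
}

/** Every `dataset` value, for callers that relied on query-string returning an
 *  array when the key is repeated; `get()` alone silently drops the rest. */
export function readAllDatasetParams(search: string): string[] {
  return new URLSearchParams(search).getAll('dataset');
}

/** Validate rather than encode: return the trimmed value only when it matches
 *  the allowlist, otherwise null. This is the check a later DOM or API use
 *  can rely on; an encoded string is still attacker-controlled content. */
export function validDatasetParam(search: string): string | null {
  const raw = readDatasetParam(search);
  if (raw === null) return null;
  const trimmed = raw.trim();
  return DATASET_RE.test(trimmed) ? trimmed : null;
}

/** encodeURIComponent() is reversible: decoding gives back the original,
 *  hostile characters included, so it is not a validation step. */
export function encodeRoundTrips(value: string): boolean {
  return decodeURIComponent(encodeURIComponent(value)) === value;
}

/** Walk the edge cases a migration away from query-string should be tested against. */
export function demo(): Record<string, unknown> {
  return {
    missingKey: readDatasetParam('?x=1'),                      // null, not undefined
    emptyValue: readDatasetParam('?dataset='),                 // '' (falsy but present)
    repeatedKey: readDatasetParam('?dataset=a&dataset=b'),     // 'a' only
    repeatedAll: readAllDatasetParams('?dataset=a&dataset=b'), // ['a', 'b']
    plusIsSpace: readDatasetParam('?dataset=foo+bar'),         // 'foo bar'
    validated: validDatasetParam('?dataset=%20sales_2024%20'), // 'sales_2024'
    rejected: validDatasetParam('?dataset=%3Cscript%3E'),      // null
    encodingIsNotValidation: encodeRoundTrips('<script>alert(1)</script>'), // true
  };
}

console.log(demo());
```

The `encodeRoundTrips()` check is the caveat to keep in mind when reading the suggestion in the comment above: `encodeURIComponent()` changes how the value is spelled but rejects nothing, so the decoded value handed to a later DOM or API use is byte-for-byte the attacker's input. Whatever policy the real code needs, the protective step is an allowlist or type check such as `validDatasetParam()`, with output encoding applied separately at the point of use.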



##########
superset-frontend/.eslintrc.js:
##########
@@ -69,6 +69,10 @@ const restrictedImportsRules = {
     message:
       'Please use the theme directly from the ThemeProvider rather than 
importing supersetTheme.',
   },
+  'no-query-string': {
+    name: 'query-string',
+    message: 'Please use the URLSearchParams API instead of query-string.',
+  },
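Review bot: the new message says what to import instead but not what changes when a caller switches, and the hunk above this one shows exactly the kind of mechanical replacement that can go wrong: `URLSearchParams.get()` returns `null` rather than `undefined` for a missing key and only the first value for a repeated key (`getAll()` is needed for the array case that `query-string`'s `parse()` produced). Consider extending the message with that one-line hint, e.g. `message: 'Please use the URLSearchParams API instead of query-string (note: get() returns null when absent; use getAll() for repeated keys).'`, so the lint error is actionable without a code search. Also confirm that `name: 'query-string'` covers every import form in the codebase: if `restrictedImportsRules` feeds the `paths` option of `no-restricted-imports`, the `name` matches the exact module specifier only, so a subpath import would not be flagged.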

Review Comment:
   ### Incomplete Migration Guidance in ESLint Rule Message <sub>![category Readability](https://img.shields.io/badge/Readability-0284c7)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The error message for the 'no-query-string' ESLint rule lacks important 
context about the URLSearchParams API compatibility requirements.
   
   
   ###### Why this matters
   Without compatibility information, developers might switch to 
URLSearchParams without checking browser support requirements or considering 
polyfills, potentially causing runtime errors.
   
   ###### Suggested change ∙ *Feature Preview*
   ```javascript
   'no-query-string': {
     name: 'query-string',
     message: 'Please use the URLSearchParams API instead of query-string. Ensure browser compatibility (IE11+ with polyfill, modern browsers natively).',
   },
   ```
   
   
   </details>
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

