GitHub user dosubot[bot] added a comment to the discussion: Superset V6.0 - Table chart no longer shows bold text with HTML <b> tag in columns
Strict HTML sanitization in Superset is enforced to prevent XSS vulnerabilities, even for tags like `<b>` and `<li>`, because any HTML tag—if not properly sanitized—can be abused for script injection or layout manipulation, especially in environments where user input is not fully controlled. This is why Superset’s frontend only allows a limited set of tags (like `<span>`, `<img>`, `<a>`, table elements) and excludes others, regardless of backend config or intranet deployment [source](https://github.com/apache/superset/issues/36779).

Currently, there’s no supported way to disable or fully customize frontend sanitization for table/chart cells; backend settings like `HTML_SANITIZATION_SCHEMA_EXTENSIONS` do not override this enforcement [source](https://github.com/apache/superset/issues/35182). The whitelist is hardcoded in the frontend and can only be changed by modifying the source code and rebuilding, which is not recommended due to security risks and project policy [source](https://github.com/apache/superset/issues/33865).

This secure-by-default approach is required by Apache Foundation guidelines and recent updates have made sanitization even stricter [source](https://github.com/apache/superset/pull/36513). There are no current plans or features to make this user-configurable, but your use case (trusted intranet, need for custom tags) is valid and has come up in community discussions. If you want to propose a feature, it helps to describe your environment, why you need specific tags, and how you’d mitigate risks if sanitization were relaxed.

For now, the only workaround is to use tags and attributes allowed by the sanitizer (e.g., `<span style="font-weight:bold">`), but even these may not work in all contexts due to frontend restrictions. Markdown components in dashboards may offer more flexibility, but table/chart cells remain strictly sanitized.
Let me know if you want details on how to safely modify the frontend whitelist or draft a feature proposal for more flexible sanitization.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*

GitHub link: https://github.com/apache/superset/discussions/36799#discussioncomment-15327330
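To make the behaviour described in the comment concrete, here is an added, self-contained allowlist sanitizer in JavaScript. It is not Superset's code and its tag, attribute and CSS allowlists are illustrative assumptions rather than Superset's actual schema; it only demonstrates the general mechanism: any tag not on the allowlist is stripped while its text is kept (so `<b>Total</b>` becomes plain `Total`), allowed tags keep only allowed attributes (event-handler attributes such as `onclick` are dropped), `style` is reduced to a few harmless properties, and `href`/`src` must use an explicit `http`, `https` or `mailto` scheme.

```javascript
// Added example: a minimal allowlist HTML sanitizer in the spirit of the
// frontend behaviour the comment describes. Not Superset's code; the allowlists
// below are assumptions for illustration, not Superset's real schema.

const ALLOWED_TAGS = new Set(['span', 'a', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td']);

// Attributes permitted per tag; '*' applies to every allowed tag.
const ALLOWED_ATTRS = {
  '*': new Set(['style', 'class']),
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
};

// Only these CSS properties survive inside a style attribute.
const ALLOWED_CSS = new Set(['font-weight', 'color', 'background-color', 'text-align']);

// URLs in href/src must carry an explicit, benign scheme.
const SAFE_URL = /^(https?:|mailto:)/i;

// Escape text content so a stray '<' in cell data cannot open a tag.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z#0-9]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

// Keep only allowlisted CSS declarations; reject values that could carry a
// url(), expression() or other function call.
function sanitizeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (!ALLOWED_CSS.has(prop) || /[()]|url|expression/i.test(val)) continue;
    kept.push(`${prop}:${val}`);
  }
  return kept.join(';');
}

// Parse the raw attribute string of one tag into [name, value] pairs.
function parseAttrs(raw) {
  const attrs = [];
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return attrs;
}

// Rebuild an allowed opening tag from its allowed attributes only.
function buildTag(name, rawAttrs, selfClosing) {
  const perTag = ALLOWED_ATTRS[name] || new Set();
  const parts = [name];
  for (const [attr, value] of parseAttrs(rawAttrs)) {
    if (!ALLOWED_ATTRS['*'].has(attr) && !perTag.has(attr)) continue; // drops on* handlers etc.
    let v = value;
    if (attr === 'style') {
      v = sanitizeStyle(v);
      if (v === '') continue;
    }
    if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(v.trim())) continue;
    parts.push(`${attr}="${escapeAttr(v)}"`);
  }
  return `<${parts.join(' ')}${selfClosing ? ' /' : ''}>`;
}

// Walk the input tag by tag: disallowed tags are removed (their text is kept),
// allowed tags are re-emitted with sanitized attributes, text is escaped.
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // e.g. <b>, <li>: tag dropped, text kept
    if (m[0].startsWith('</')) {
      out += `</${name}>`;
      continue;
    }
    const raw = m[2].replace(/\/\s*$/, '');
    out += buildTag(name, raw, name === 'img');
  }
  out += escapeText(input.slice(last));
  return out;
}

// Constructed sample cell values, mirroring the cases in the discussion.
console.log(sanitizeHtml('<b>Total</b>'));                                 // Total
console.log(sanitizeHtml('<span style="font-weight:bold">Total</span>'));  // span kept
console.log(sanitizeHtml('<a href="https://example.com" onclick="x()">link</a>'));

module.exports = { sanitizeHtml, sanitizeStyle };
```

The point a defender should take from this is that an allowlist sanitizer is defined by what it keeps, not by what it blocks: adding `<b>` to `ALLOWED_TAGS` here is a one-line change, but each widening has to be reviewed for which attributes and styles ride along with it, which is the review burden the project's hardcoded list avoids.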
