GitHub user Moosheimer created a discussion: Make HTML sanitization whitelist 
user-configurable (opt-in)

**Problem:**  
Superset’s strict frontend HTML sanitization prevents rendering of safe tags 
like `<b>` and `<li>`, even in trusted environments. This blocks important 
formatting for pre-tagged data (formatted data exists in database).

**Proposed Solution:**  
Add a user-configurable option (e.g., in superset_config.py or UI) to extend or 
override the frontend sanitizer whitelist, with clear warnings and opt-in 
gating.

**Risk Mitigation:**  
- Restrict to admin users or trusted deployments
- Add prominent warnings in the config
- Document XSS risks and best practices

**Use Case:**  
We run Superset on a secured intranet with trusted data sources and need to 
render existing HTML formatting in tables/charts (the data comes from the 
database with existing HTML tags).

**Alternatives tried:**  
Backend config, data preprocessing, and Markdown components—all insufficient 
for our needs.


GitHub link: https://github.com/apache/superset/discussions/36815
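The opt-in allowlist extension the discussion proposes, as an added Python example that is not Superset's code (Superset's frontend sanitizer is a different, JavaScript component): a parser-based sanitizer whose extra tags (`<b>`, `<ul>`, `<li>`) apply only when an explicit opt-in flag is set, while `<script>`/`<style>` content, event-handler attributes and non-http(s) `href` values are dropped regardless of the extension. `SANITIZER_EXTENSION_OPT_IN` and `SANITIZER_EXTENSION` are constructed names, not real Superset settings.

```python
from html import escape
from html.parser import HTMLParser

BASE_ALLOWLIST = {"p": set(), "a": {"href"}}  # tag -> permitted attributes
DROP_CONTENT = {"script", "style"}  # content discarded, never just unwrapped
# Constructed, hypothetical opt-in config (not Superset's real settings).
SANITIZER_EXTENSION_OPT_IN = True
SANITIZER_EXTENSION = {"b": set(), "ul": set(), "li": set()}

class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.open, self.skip = allowed, [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in self.allowed:
            kept = []
            for name, value in attrs:
                if name not in self.allowed[tag] or value is None:
                    continue  # on* handlers, style, unknown attrs are dropped
                if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                    continue  # only absolute http(s) links; javascript:, data: etc. refused
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:  # close down to the match, balanced
            idx = len(self.open) - 1 - self.open[::-1].index(tag)
            self.out += [f"</{t}>" for t in reversed(self.open[idx:])]
            del self.open[idx:]

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html, extension=None, opt_in=SANITIZER_EXTENSION_OPT_IN):
    # Extension tags/attributes are merged only when the operator opted in.
    allowed = {t: set(a) for t, a in BASE_ALLOWLIST.items()}
    if opt_in and extension:
        for tag, attrs in extension.items():
            allowed.setdefault(tag, set()).update(attrs)
    p = AllowlistSanitizer(allowed)
    p.feed(html)
    p.close()
    p.out += [f"</{t}>" for t in reversed(p.open)]  # close dangling tags
    return "".join(p.out)
```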
