codeant-ai-for-open-source[bot] commented on code in PR #37104:
URL: https://github.com/apache/superset/pull/37104#discussion_r2687038485


##########
docker/pythonpath_dev/superset_config.py:
##########
@@ -117,6 +117,27 @@ class CeleryConfig:
 log_level_text = os.getenv("SUPERSET_LOG_LEVEL", "INFO")
 LOG_LEVEL = getattr(logging, log_level_text.upper(), logging.INFO)
 
+# Allow iframes in Markdown components (for embedding YouTube videos, etc.)
+HTML_SANITIZATION_SCHEMA_EXTENSIONS = {
+    "tagNames": ["iframe"],
+    "attributes": {
+        "iframe": [
+            "src",
+            "width",
+            "height",
+            "frameborder",
+            "allow",
+            "allowfullscreen",
+            "title",
+            "referrerpolicy",
+            "sandbox",
+        ],
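Review bot: `src` is allowed on `iframe` with no restriction on scheme or origin, so any URL an author types into a Markdown component gets framed, not only the YouTube embeds the comment names; since this is the `pythonpath_dev` config, the comment on line 12 of the hunk should say explicitly that this is a development-only relaxation and that embed origins need to be constrained (for example by a Content-Security-Policy `frame-src` allowlist or a stricter schema) before the same extension is copied into a production config. Separately, `sandbox` is only permitted here, not applied by default, so an author who omits it gets an unsandboxed frame.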

Review Comment:
   **Suggestion:** Many embed snippets and responsive iframe wrappers rely on 
inline `style` attributes (for example to control max-width or aspect ratio); 
`style` is not currently allowed on iframes so such layout/customization will 
be stripped—add `style` to the allowed attributes if you expect inline styling 
to be preserved. [possible bug]
   
   **Severity Level:** Critical 🚨
   ```suggestion
               "style",
   ```
   <details>
   <summary><b>Why it matters? ⭐ </b></summary>
   
   Many embed snippets rely on inline style for sizing/aspect-ratio; 
disallowing style will strip those and break common responsive embeds. Allowing 
'style' in the dev schema is a reasonable functional enhancement, but it should 
be accompanied by CSS/value restrictions or a sanitizer that handles style 
safely.
   </details>
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** docker/pythonpath_dev/superset_config.py
   **Line:** 134:134
   **Comment:**
        *Possible Bug: Many embed snippets and responsive iframe wrappers rely 
on inline `style` attributes (for example to control max-width or aspect 
ratio); `style` is not currently allowed on iframes so such 
layout/customization will be stripped—add `style` to the allowed attributes if 
you expect inline styling to be preserved.
   
   Validate the correctness of the flagged issue. If correct, How can I resolve 
this? If you propose a fix, implement it and please make it concise.
   ```
   </details>
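The "CSS/value restrictions or a sanitizer that handles style safely" that the comment above calls for, as an added Python example that is not part of the PR or of Superset: it takes the attribute list from the hunk plus the proposed `style`, allowlists style declarations by property name and value grammar, checks `src` against a constructed host/path allowlist, and defaults `sandbox` when the author omitted it. It is not wired into Superset's Markdown pipeline (the schema extension in the hunk is applied by Superset's own sanitizer, not by this code); the embed hosts, the default sandbox value and the sample attributes are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Attributes the hunk permits on <iframe>, plus "style", the addition the
# review suggests. Everything else (onload, srcdoc, ...) is dropped.
IFRAME_ALLOWED_ATTRS = {
    "src", "width", "height", "frameborder", "allow", "allowfullscreen",
    "title", "referrerpolicy", "sandbox", "style",
}

# CSS properties sufficient for responsive sizing. Properties that can
# overlay, hide or reposition the frame (position, z-index, opacity,
# background, ...) are intentionally absent from the allowlist.
STYLE_ALLOWED_PROPS = {
    "width", "max-width", "height", "max-height", "aspect-ratio", "border",
}

# One length, percentage or plain number, optionally a ratio such as
# "16 / 9", or a sizing keyword. No functions, no url(), no strings.
_STYLE_VALUE_RE = re.compile(
    r"^(?:\d+(?:\.\d+)?(?:px|em|rem|vw|vh|%)?(?:\s*/\s*\d+(?:\.\d+)?)?"
    r"|auto|none)$"
)

# Constructed embed allowlist for this example (hostname -> required path
# prefix); a real deployment would choose its own providers.
ALLOWED_EMBED_HOSTS = {
    "www.youtube.com": "/embed/",
    "player.vimeo.com": "/video/",
}

# Constructed default applied when the author did not set sandbox.
DEFAULT_SANDBOX = "allow-scripts allow-same-origin"


def sanitize_style(style):
    """Keep only allowlisted `prop: value` declarations of a style attribute."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue  # empty or malformed declaration
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in STYLE_ALLOWED_PROPS and _STYLE_VALUE_RE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def is_allowed_embed_src(src):
    """True only for https URLs on an allowlisted host under its embed path."""
    parts = urlparse(src.strip())
    prefix = ALLOWED_EMBED_HOSTS.get(parts.hostname or "")
    return parts.scheme == "https" and prefix is not None and parts.path.startswith(prefix)


def sanitize_iframe_attrs(attrs):
    """Reduce an <iframe>'s attributes to the allowlist, checking src and style."""
    clean = {}
    for name, value in attrs.items():
        name = name.lower()
        if name not in IFRAME_ALLOWED_ATTRS:
            continue
        if name == "src" and not is_allowed_embed_src(value):
            continue  # unknown origin or non-https scheme: drop the frame target
        if name == "style":
            value = sanitize_style(value)
            if not value:
                continue  # nothing survived the allowlist
        clean[name] = value
    # A permitted attribute is not an applied one: default the sandbox so an
    # author who omits it still gets a confined frame.
    clean.setdefault("sandbox", DEFAULT_SANDBOX)
    return clean


if __name__ == "__main__":
    # Constructed attribute set resembling a pasted responsive embed snippet.
    sample = {
        "src": "https://www.youtube.com/embed/VIDEO_ID",
        "style": "width: 100%; max-width: 560px; position: fixed; background: url(x)",
        "onload": "alert(1)",
        "allowfullscreen": "",
    }
    print(sanitize_iframe_attrs(sample))
```

Two design choices matter here: `style` is reduced by an allowlist of properties and a value grammar rather than by a denylist of dangerous tokens, so a declaration that does not look like plain sizing is simply dropped; and `src` is judged on the parsed hostname, not on a string prefix, so a userinfo-style URL such as `https://www.youtube.com@evil.example/embed/x` resolves to the wrong host and is rejected.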



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

