gabotorresruiz commented on code in PR #37104:
URL: https://github.com/apache/superset/pull/37104#discussion_r2696193789


##########
docker/pythonpath_dev/superset_config.py:
##########
@@ -117,6 +117,27 @@ class CeleryConfig:
 log_level_text = os.getenv("SUPERSET_LOG_LEVEL", "INFO")
 LOG_LEVEL = getattr(logging, log_level_text.upper(), logging.INFO)
 
+# Allow iframes in Markdown components (for embedding YouTube videos, etc.)
+HTML_SANITIZATION_SCHEMA_EXTENSIONS = {
+    "tagNames": ["iframe"],
+    "attributes": {
+        "iframe": [
+            "src",
+            "width",
+            "height",
+            "frameborder",
+            "allow",
+            "allowfullscreen",
+            "title",
+            "referrerpolicy",
+            "sandbox",
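Review bot: Listing `sandbox` and `allow` among the `iframe` attributes makes both optional and author-chosen, so this schema permits a frame with no `sandbox` at all, or with whatever `allow` features the Markdown author writes. The comment above `HTML_SANITIZATION_SCHEMA_EXTENSIONS` should say that these attributes are passed through rather than enforced, and that this is the dev config under `docker/pythonpath_dev/`, so the block is not copied into a production config on the assumption that embedded frames are restricted.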

Review Comment:
   Consider adding the `loading` attribute to the allowed list. This enables 
native lazy loading for `iframes`, which can significantly improve page 
performance by deferring off-screen `iframes` until the user scrolls near them.



##########
docker/pythonpath_dev/superset_config.py:
##########
@@ -117,6 +117,27 @@ class CeleryConfig:
 log_level_text = os.getenv("SUPERSET_LOG_LEVEL", "INFO")
 LOG_LEVEL = getattr(logging, log_level_text.upper(), logging.INFO)
 
+# Allow iframes in Markdown components (for embedding YouTube videos, etc.)
+HTML_SANITIZATION_SCHEMA_EXTENSIONS = {
+    "tagNames": ["iframe"],
+    "attributes": {
+        "iframe": [
+            "src",
+            "width",
+            "height",
+            "frameborder",
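Review bot: `src` in the `iframe` attribute list carries no restriction on which host a frame may load, while the comment only names YouTube as the use case. Content from any site could therefore be framed inside a dashboard by whoever edits a Markdown component. Suggest stating that in the comment and pointing to a Content-Security-Policy `frame-src` directive as the place to limit frame sources, since nothing in the lines shown here does.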

Review Comment:
   Minor note: The `frameborder` attribute is deprecated in `HTML5` (use CSS 
`border: none` instead), but including it doesn't hurt for backward 
compatibility.
   
   Reference: 
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/iframe#frameborder



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
