nagarwal-godaddy commented on code in PR #36606:
URL: https://github.com/apache/superset/pull/36606#discussion_r2703136237
##########
superset-frontend/plugins/plugin-chart-pivot-table/src/react-pivottable/TableRenderers.jsx:
##########
@@ -703,7 +705,9 @@ export class TableRenderer extends Component {
true,
)}
>
- {t('Subtotal')}
+ {t('Subvalue (%(aggregatorName)s)', {
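Review bot: On the added `t('Subvalue (%(aggregatorName)s)', {` line, the label word itself changes from "Subtotal" to "Subvalue" in addition to gaining the aggregator name, so the wording no longer parallels the 'Total (%(aggregatorName)s)' labels quoted in the comment below. If only the aggregator suffix is intended, keep 'Subtotal (%(aggregatorName)s)'. The hunk is cut off before the interpolation object, so it is also worth confirming that aggregatorName is passed the same way as for the Total labels, i.e. `aggregatorName: t(this.props.aggregatorName)`.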
Review Comment:
This is a false positive. The existing "Total" labels in the same file use
the identical pattern without `safeHtmlSpan` (lines 521, 589, 817):
```
{t('Total (%(aggregatorName)s)', {
  aggregatorName: t(this.props.aggregatorName),
})}
```
The aggregatorName is not user-controlled input - it's a predefined
aggregation function name ("Sum", "Average", "Count", etc.) passed from
component props. The t() i18n function handles interpolation safely and escapes
any potential HTML.
Adding safeHtmlSpan here would be inconsistent with the rest of the
codebase and unnecessary since there's no XSS vector - the aggregator names are
hardcoded strings from the aggregator definitions, not user input.