github-advanced-security[bot] commented on code in PR #39925:
URL: https://github.com/apache/superset/pull/39925#discussion_r3203330594
##########
superset-frontend/src/utils/navigationUtils.ts:
##########
@@ -16,8 +16,93 @@
* specific language governing permissions and limitations
* under the License.
*/
+import { createElement, type AnchorHTMLAttributes, type ReactElement } from
'react';
import { ensureAppRoot } from './pathUtils';
+//
=============================================================================
+// Channel-3 helpers (browser-direct sinks)
+//
=============================================================================
+//
+// Every helper in this section takes a *router-relative* path (the same shape
+// you'd pass to `<Link to>` or `history.push`) and applies the application
+// root internally before handing the URL to the browser. This keeps the rest
+// of the codebase decision-free: callers always write `/sqllab`, never
+// `${applicationRoot()}/sqllab`.
+//
+// Once migration is complete, `ensureAppRoot` and `makeUrl` are imported only
+// from this module. A static-invariant test (see
+// `navigationUtils.invariants.test.ts`) enforces that boundary.
+//
=============================================================================
+
+/**
+ * Features passed to `window.open` for new-tab navigation. `noopener` and
+ * `noreferrer` are mandatory — without them the opened page can drive the
+ * opener via `window.opener` (reverse tabnabbing) and read the referrer.
+ */
+const NEW_TAB_FEATURES = 'noopener noreferrer';
+
+/**
+ * Open a router-relative path in a new browser tab.
+ *
+ * The path is automatically prefixed with the application root so the new tab
+ * lands inside Superset on subdirectory deployments.
+ */
+export function openInNewTab(path: string): void {
+ window.open(ensureAppRoot(path), '_blank', NEW_TAB_FEATURES);
+}
+
+/**
+ * Navigate the current window to a router-relative path via `window.location`.
+ *
+ * Unlike `history.push`, this triggers a full page load. Use it only when the
+ * destination is outside the React Router tree (e.g. a backend-rendered page)
+ * or when a hard reload is required.
+ */
+export function redirect(path: string): void {
+ window.location.href = ensureAppRoot(path);
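Review bot: `redirect` at the end of this hunk (and `openInNewTab` just above it) hands `ensureAppRoot(path)` straight to `window.location.href` / `window.open` without checking that `path` is actually the router-relative shape the header comment promises; unless `ensureAppRoot` itself rejects absolute URLs and protocol-relative `//host` forms, any caller that forwards a query-string or stored value turns these helpers into an open redirect. Suggest enforcing the contract at this boundary, e.g. `if (!path.startsWith('/') || path.startsWith('//')) throw new Error('expected router-relative path')`, or at minimum stating in the JSDoc that `path` must never be user-controlled. The CodeQL alert reports an HTML-reinterpretation sink, and none of the visible lines write HTML, so the flagged flow most likely lands further down the file than this hunk shows.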
Review Comment:
## CodeQL / DOM text reinterpreted as HTML
[DOM text](1) is reinterpreted as HTML without escaping meta-characters.
[Show more
details](https://github.com/apache/superset/security/code-scanning/2279)
##########
superset-frontend/src/utils/navigationUtils.ts:
##########
@@ -16,8 +16,93 @@
* specific language governing permissions and limitations
* under the License.
*/
+import { createElement, type AnchorHTMLAttributes, type ReactElement } from
'react';
import { ensureAppRoot } from './pathUtils';
+//
=============================================================================
+// Channel-3 helpers (browser-direct sinks)
+//
=============================================================================
+//
+// Every helper in this section takes a *router-relative* path (the same shape
+// you'd pass to `<Link to>` or `history.push`) and applies the application
+// root internally before handing the URL to the browser. This keeps the rest
+// of the codebase decision-free: callers always write `/sqllab`, never
+// `${applicationRoot()}/sqllab`.
+//
+// Once migration is complete, `ensureAppRoot` and `makeUrl` are imported only
+// from this module. A static-invariant test (see
+// `navigationUtils.invariants.test.ts`) enforces that boundary.
+//
=============================================================================
+
+/**
+ * Features passed to `window.open` for new-tab navigation. `noopener` and
+ * `noreferrer` are mandatory — without them the opened page can drive the
+ * opener via `window.opener` (reverse tabnabbing) and read the referrer.
+ */
+const NEW_TAB_FEATURES = 'noopener noreferrer';
+
+/**
+ * Open a router-relative path in a new browser tab.
+ *
+ * The path is automatically prefixed with the application root so the new tab
+ * lands inside Superset on subdirectory deployments.
+ */
+export function openInNewTab(path: string): void {
+ window.open(ensureAppRoot(path), '_blank', NEW_TAB_FEATURES);
+}
+
+/**
+ * Navigate the current window to a router-relative path via `window.location`.
+ *
+ * Unlike `history.push`, this triggers a full page load. Use it only when the
+ * destination is outside the React Router tree (e.g. a backend-rendered page)
+ * or when a hard reload is required.
+ */
+export function redirect(path: string): void {
+ window.location.href = ensureAppRoot(path);
+}
+
+/**
+ * Replace the current entry in `window.history` with a router-relative path.
+ * No new history entry is pushed. Use sparingly — most navigation should go
+ * through React Router's `history.replace`.
+ */
+export function redirectReplace(path: string): void {
+ window.location.replace(ensureAppRoot(path));
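Review bot: `openInNewTab` in this hunk discards the return value of `window.open`, which is `null` when the browser blocks the new tab (typically when the call is not made within a user gesture), so callers cannot detect that nothing opened and fall back to `redirect`. Suggest returning the `Window | null` result, or a boolean, and documenting the blocked case in the JSDoc. Separately, the header comment refers to `makeUrl` and `navigationUtils.invariants.test.ts`, neither of which appears in this hunk; worth confirming both are part of the PR so the comment does not describe a boundary that is not yet enforced.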
Review Comment:
## CodeQL / DOM text reinterpreted as HTML
[DOM text](1) is reinterpreted as HTML without escaping meta-characters.
[Show more
details](https://github.com/apache/superset/security/code-scanning/2280)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]