sha174n opened a new pull request, #40502:
URL: https://github.com/apache/superset/pull/40502

   This PR routes annotation tooltip content in the legacy NVD3 charts through
   DOMPurify before handing it to d3-tip's `.html()` sink, aligning with the
   sanitization pattern already applied to the sibling tooltip helpers in the
   same file (`generateCompareTooltipContent`, `generateTimePivotTooltip`).
   
   **Changes**
   - Wrap the HTML returned from `tipFactory()` in
     `superset-frontend/plugins/legacy-preset-chart-nvd3/src/utils.ts` with
     `dompurify.sanitize(...)` so annotation title/body values are sanitized
     consistently with neighbouring tooltip generators in the file.
   
   **Testing**
   - Existing unit tests for the package continue to pass.
   - Manual verification: annotation tooltips still render expected text;
     HTML-bearing payloads are stripped to safe content by DOMPurify.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
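
A review-time check for the pattern described in the pull request, added here as an example; it is not code from the PR or from Superset. It flags `.html(...)` sinks whose argument never passes through `dompurify.sanitize(`. The source strings are constructed for illustration, the helper names `callArgument` and `findUnsanitizedHtmlSinks` are hypothetical, and the match is a text heuristic, not proof of safety.

```javascript
// Constructed sample source, NOT the real utils.ts; helper names are hypothetical.
const BEFORE = [
  "export function generateTimePivotTooltip(d) {",
  "  return dompurify.sanitize('<b>' + d.x + '</b>');",
  "}",
  "export function tipFactory(layer) {",
  "  return d3tip()",
  "    .attr('class', 'd3-tip')",
  "    .html(d => '<div>' + d[layer.titleColumn] + '</div>');",
  "}",
].join('\n');
const AFTER = BEFORE.replace(
  "d => '<div>' + d[layer.titleColumn] + '</div>'",
  "d => dompurify.sanitize('<div>' + d[layer.titleColumn] + '</div>')",
);

// Return the text between the '(' at index `open` and its matching ')'.
// Quoted strings are skipped; nested quotes inside `${}` are not handled.
function callArgument(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i += 1) {
    const c = src[i];
    if (c === "'" || c === '"' || c === '`') {
      i += 1;
      while (i < src.length && src[i] !== c) i += src[i] === '\\' ? 2 : 1;
    } else if (c === '(') {
      depth += 1;
    } else if (c === ')') {
      depth -= 1;
      if (depth === 0) return src.slice(open + 1, i);
    }
  }
  return src.slice(open + 1); // unbalanced: treat the rest as the argument
}

// Report every `.html(...)` sink whose argument never mentions the sanitizer.
function findUnsanitizedHtmlSinks(src, sanitizer = 'dompurify.sanitize(') {
  const findings = [];
  const sink = /\.html\s*\(/g;
  for (let m = sink.exec(src); m; m = sink.exec(src)) {
    const open = m.index + m[0].length - 1;
    const arg = callArgument(src, open);
    if (!arg.includes(sanitizer)) {
      findings.push({ line: src.slice(0, m.index).split('\n').length, arg });
    }
  }
  return findings;
}

console.log(findUnsanitizedHtmlSinks(BEFORE), findUnsanitizedHtmlSinks(AFTER));
```

A finding means the sink needs a manual look; an empty result only says the sanitizer is mentioned in the argument, so it complements a rendering test rather than replacing one.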