aminghadersohi commented on PR #40342: URL: https://github.com/apache/superset/pull/40342#issuecomment-4567307326
Applied Richard's latest round of review feedback from #40344 and #40348 — cross-applicable patterns updated here. Specifically: tightened `json_metadata` sanitization in the annotation serializer to use `excluded_field_names=frozenset()`, so every string leaf in that arbitrary user-controlled JSON blob is wrapped in `<UNTRUSTED-CONTENT>` regardless of key name (e.g. `url`, `uuid`, `schema`). This follows the stricter pattern Richard flagged for opaque JSON payloads in his latest review on #40344. Other new concerns in that round (dttm type normalization, config/feature-flag guards for log/task tools, report schema permission gap) are specific to those PRs and don't have equivalents in the annotation layer tools. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
