sha174n commented on code in PR #40502:
URL: https://github.com/apache/superset/pull/40502#discussion_r3321250484
##########
superset-frontend/plugins/legacy-plugin-chart-rose/src/Rose.ts:
##########
@@ -146,24 +147,32 @@ function Rose(element: HTMLElement, props: RoseProps):
void {
function legendData(adatum: RoseData) {
return adatum[times[0]].map((v: RoseDataEntry, i: number) => ({
disabled: state.disabled[i],
- key: v.name,
+ // nvd3-fork's legend currently renders `key` via .text(), so raw
+ // markup would be escaped today. Sanitize at the data boundary
+ // anyway: it makes the safety property a local invariant rather
+ // than depending on the vendored legend's render choice.
+ key: sanitizeHtml(v.name),
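Review bot: On the `key: sanitizeHtml(v.name)` line, the legend key stops being the raw series name, so for any name containing markup characters it can differ from `v.name` wherever else that name is used as an identifier. The added comment itself states that the legend renders `key` via .text(), so the sink already escapes the value, and a pre-sanitized string would be shown to the user in its altered form rather than as the original label. Suggest keeping `key: v.name` and, if the safety property should be a checked invariant, covering the .text() rendering of the legend with a test that feeds it a name containing markup, instead of rewriting the data.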
Review Comment:
Addressed in 02dbe782e8: reverted the legend key to the raw v.name so it
matches the value used for arc fills (legend renders key via .text(), so the
raw value is escaped at the DOM sink).