codeant-ai-for-open-source[bot] commented on code in PR #40546:
URL: https://github.com/apache/superset/pull/40546#discussion_r3328289754


##########
superset-frontend/packages/superset-ui-core/src/components/ListViewCard/index.tsx:
##########
@@ -140,7 +141,7 @@ const ThinSkeleton = styled(Skeleton)`
 const paragraphConfig = { rows: 1, width: 150 };
 
 const AnchorLink: FC<LinkProps> = ({ to, children }) => (
-  <a href={to}>{children}</a>
+  <a href={sanitizeUrl(to)}>{children}</a>
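Review bot: `to` is sanitized unconditionally on the `+` line, yet the callers described in this thread pass `undefined` to render a non-clickable card; a sanitizer that maps missing input to a placeholder such as `about:blank` turns that inert card into a working link. Guard before sanitizing, `<a href={to ? sanitizeUrl(to) : undefined}>{children}</a>`, so React drops the attribute when there is no destination. The hunk also does not show the `sanitizeUrl` import (the header's shift from line 140 to 141 suggests it was added above); worth confirming it is the scheme-allowlisting helper intended, so that an unsafe scheme, and not only a missing value, collapses to the inert placeholder.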

Review Comment:
   **Suggestion:** `url` is optional for this card component, and multiple callers pass `undefined` to make cards non-clickable (for example in bulk-select states). Sanitizing `to` unconditionally here converts an absent link into a concrete `href` value, so cards that should not navigate can start opening a blank/sanitized target when clicked. Only apply sanitization when `to` is a real URL and keep `href` unset when no destination is provided. [logic error]
   
   <details>
   <summary><b>Severity Level:</b> Major ⚠️</summary>
   
   ```mdx
   - ❌ Bulk-select chart cards navigate instead of toggling selection.
   - ❌ Bulk-select dashboard cards can navigate to placeholder URLs.
   - ⚠️ Tag cards become clickable despite undefined destination URLs.
   - ⚠️ Loading cards may briefly navigate to sanitized placeholder URLs.
   ```
   </details>
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. The home page component at `superset-frontend/src/pages/Home/index.tsx:55,407-413` renders `ChartTable`, which in turn maps chart data to `ChartCard` instances with the `bulkSelectEnabled` prop passed through (`superset-frontend/src/features/home/ChartTable.tsx:216-27`).

   2. In `ChartCard` (`superset-frontend/src/features/charts/ChartCard.tsx:168-247`), when bulk-select mode is enabled (`bulkSelectEnabled` is true), the `ListViewCard` is rendered with `url={bulkSelectEnabled ? undefined : chart.url}` (line ~187), so the `url` prop received by `ListViewCard` is `undefined` in bulk-select state.

   3. Inside `ListViewCard` (`superset-frontend/packages/superset-ui-core/src/components/ListViewCard/index.tsx:147-176`), the `Link` component is chosen as `url && linkComponent ? linkComponent : AnchorLink` (line 166) and then used as `<Link to={url!}>` around the cover image (line 175); with `url` being `undefined`, this resolves `Link` to `AnchorLink` and calls it with `to={undefined}`.

   4. `AnchorLink` is implemented in the same file as `<a href={sanitizeUrl(to)}>{children}</a>` (lines 143-145), so when `to` is `undefined` the sanitizer produces a concrete safe URL (e.g. `'about:blank'` instead of leaving `href` unset). As a result, the chart cards rendered in bulk-select mode become real `<a>` links with a non-empty `href`, and clicking them in the UI will trigger browser navigation to the sanitized URL instead of behaving as non-clickable bulk-select cards, matching the regression described in the suggestion.
   ```
   </details>
   
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** superset-frontend/packages/superset-ui-core/src/components/ListViewCard/index.tsx
   **Line:** 144:144
   **Comment:**
        *Logic Error: `url` is optional for this card component, and multiple callers pass `undefined` to make cards non-clickable (for example in bulk-select states). Sanitizing `to` unconditionally here converts an absent link into a concrete `href` value, so cards that should not navigate can start opening a blank/sanitized target when clicked. Only apply sanitization when `to` is a real URL and keep `href` unset when no destination is provided.
   
   Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
   Once the fix is implemented, also check the other comments on the same PR, and ask the user whether they want the rest of the comments fixed as well. If yes, fetch all the comments, validate their correctness and implement a minimal fix.
   ```
   </details>
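As an added example, not part of the PR or of Superset's own code: the guard the comment asks for, written in TypeScript next to a constructed scheme-allowlist sanitizer (`sanitizeUrlExample` is a stand-in for illustration, not the project's `sanitizeUrl`; `hrefFor` and `anchorProps` are assumed names). It shows an absent destination staying absent while a real one is still checked.

```typescript
// Added example (not Superset's code): a guarded href helper for an anchor whose
// destination may be absent, plus a constructed scheme-allowlist sanitizer that
// stands in for the project's sanitizeUrl. The point is the guard: a missing
// destination must stay missing instead of becoming a placeholder such as about:blank.

const BLANK_URL = 'about:blank';
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Constructed sanitizer: keeps relative and protocol-relative URLs and allowlisted
// schemes, maps anything else to about:blank. Tab, LF and CR are removed anywhere and
// leading/trailing C0 controls and spaces are trimmed, mirroring how the URL parser
// treats them, so "java\tscript:" cannot slip past the scheme check.
function sanitizeUrlExample(url: string): string {
  const cleaned = url
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  if (cleaned === '') return BLANK_URL;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  // No scheme at all: a relative path, query, fragment or //host reference.
  if (scheme === null) return cleaned;
  return ALLOWED_SCHEMES.has(`${scheme[1].toLowerCase()}:`) ? cleaned : BLANK_URL;
}

// The guard the review asks for: only sanitize a real destination. An absent one
// yields undefined, which React renders as "no href attribute at all".
function hrefFor(to: string | null | undefined): string | undefined {
  if (to === undefined || to === null || to.trim() === '') return undefined;
  return sanitizeUrlExample(to);
}

// Props an AnchorLink-style component would spread onto <a>: {} for a
// non-clickable card, { href } for a clickable one.
function anchorProps(to?: string | null): { href?: string } {
  const href = hrefFor(to);
  return href === undefined ? {} : { href };
}
```

In the component this becomes `<a {...anchorProps(to)}>{children}</a>`; React omits the `href` attribute when the value is undefined, which is the behaviour the callers passing `url={undefined}` rely on.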



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

