rusackas opened a new pull request, #40602: URL: https://github.com/apache/superset/pull/40602
### SUMMARY

The deck.gl chart plugins execute several `form_data` fields as JavaScript at render time through the frontend `sandboxedEval` helper. To keep this behavior gated behind the `ENABLE_JAVASCRIPT_CONTROLS` feature flag (which defaults to **off**), the backend strips those keys from `form_data` in `get_form_data` when the flag is disabled.

The strip list (`REJECTED_FORM_DATA_KEYS` in `superset/views/utils.py`) only covered three of the keys:

```python
["js_tooltip", "js_onclick_href", "js_data_mutator"]
```

However, the Geojson layer also evaluates two more fields via `sandboxedEval`:

- `label_javascript_config_generator`
- `icon_javascript_config_generator`

(see `plugins/preset-chart-deckgl/src/layers/Geojson/Geojson.tsx` and the legacy `legacy-preset-chart-deckgl` equivalent).

Because these two were not in the strip list, they were retained in `form_data` and executed client-side **even when `ENABLE_JAVASCRIPT_CONTROLS` is disabled**, bypassing the intended gate for those fields.

This change:

- Adds the two missing keys to the strip list.
- Centralizes the full set of JS-executed keys in a named `JS_CONTROL_FORM_DATA_KEYS` constant, with a comment noting it must stay in sync with the `sandboxedEval(fd.<key>)` call sites in the deck.gl plugins.
- Adds unit tests asserting that every JS-executed key is rejected when the flag is off, which also guards against future call sites being added without updating the list.

No behavior change when `ENABLE_JAVASCRIPT_CONTROLS` is enabled.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A. Backend form_data handling.

### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/views/test_utils.py
```

- `test_rejected_form_data_keys_cover_all_js_control_keys`: every JS-executed key is in the strip list when the flag is off.
- `test_get_form_data_strips_js_control_keys`: `get_form_data` drops all of them and preserves non-JS keys.
### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
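The gate the PR describes, and the "keep the constant in sync with the call sites" guard it proposes, as an added Python example that is not Superset's code and not part of this pull request. `JS_CONTROL_FORM_DATA_KEYS` holds the five keys the PR names; `strip_js_controls` is an illustrative stand-in for the stripping step in `get_form_data`, and the TSX fragments, the regex over `sandboxedEval(fd...)` call sites and the key `js_hypothetical_hook` are constructed here to show how drift between the plugins and the strip list can be detected in a unit test.

```python
import re
from typing import Any, Iterable, Mapping

# The form_data keys the PR lists as being passed to sandboxedEval by the deck.gl
# plugins: the three originally in REJECTED_FORM_DATA_KEYS plus the two Geojson keys.
JS_CONTROL_FORM_DATA_KEYS: frozenset[str] = frozenset({
    "js_tooltip",
    "js_onclick_href",
    "js_data_mutator",
    "label_javascript_config_generator",
    "icon_javascript_config_generator",
})


def strip_js_controls(form_data: Mapping[str, Any], js_controls_enabled: bool) -> dict[str, Any]:
    """Illustrative stand-in for the gate in get_form_data (not Superset's code).

    With the flag off, every key in JS_CONTROL_FORM_DATA_KEYS is dropped before
    form_data reaches the client; with it on, form_data passes through unchanged.
    """
    if js_controls_enabled:
        return dict(form_data)
    return {k: v for k, v in form_data.items() if k not in JS_CONTROL_FORM_DATA_KEYS}


# Matches the two call-site spellings: sandboxedEval(fd.key) and sandboxedEval(fd['key']).
_CALL_SITE_RE = re.compile(
    r"sandboxedEval\(\s*fd(?:\.(?P<dot>\w+)|\[\s*['\"](?P<sub>\w+)['\"]\s*\])"
)


def js_keys_referenced(source: str) -> set[str]:
    """Return the form_data keys a plugin source evaluates via sandboxedEval(fd...)."""
    return {m.group("dot") or m.group("sub") for m in _CALL_SITE_RE.finditer(source)}


def keys_missing_from_strip_list(sources: Iterable[str]) -> set[str]:
    """Keys executed client-side but absent from the strip list; an empty set means in sync."""
    referenced: set[str] = set()
    for src in sources:
        referenced |= js_keys_referenced(src)
    return referenced - JS_CONTROL_FORM_DATA_KEYS


# Constructed TSX fragments standing in for the plugin call sites; not the real files.
SAMPLE_DECKGL_SOURCE = """
const tooltip = fd.js_tooltip ? sandboxedEval(fd.js_tooltip) : undefined;
const onClick = fd.js_onclick_href ? sandboxedEval(fd.js_onclick_href) : undefined;
const mutator = fd.js_data_mutator ? sandboxedEval(fd.js_data_mutator) : (d) => d;
const labelCfg = sandboxedEval(fd.label_javascript_config_generator);
const iconCfg = sandboxedEval(fd['icon_javascript_config_generator']);
"""

# A hypothetical future call site added without updating the strip list.
DRIFTED_SOURCE = "const hook = sandboxedEval(fd.js_hypothetical_hook);"


def demo() -> dict[str, Any]:
    """Run the strip and the sync check on constructed inputs and return the results."""
    fd = {
        "viz_type": "deck_geojson",
        "js_tooltip": "d => d.name",
        "icon_javascript_config_generator": "d => ({url: d.icon})",
    }
    return {
        "stripped_keys": set(fd) - set(strip_js_controls(fd, js_controls_enabled=False)),
        "passthrough_equal": strip_js_controls(fd, js_controls_enabled=True) == fd,
        "in_sync": keys_missing_from_strip_list([SAMPLE_DECKGL_SOURCE]),
        "drift": keys_missing_from_strip_list([SAMPLE_DECKGL_SOURCE, DRIFTED_SOURCE]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `keys_missing_from_strip_list` is that the security property lives in two places (the backend strip list and the frontend call sites), so a test that only asserts the backend drops a hard-coded list will keep passing when a plugin grows a new `sandboxedEval(fd.<key>)`; scanning the plugin sources and diffing against the constant turns that silent bypass into a failing test.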
