rusackas opened a new pull request, #40619: URL: https://github.com/apache/superset/pull/40619
### SUMMARY

Several tooltip generators in `legacy-preset-chart-nvd3/src/utils.ts` build HTML strings from chart data and return them to be rendered via D3 `.html()`, but — unlike their sibling generators in the same file (`generateCompareTooltipContent`, `generateTimePivotTooltip`), which already call `dompurify.sanitize()` — they returned the HTML unsanitized:

- `generateBubbleTooltipContent` (entity / group / color)
- `generateMultiLineTooltipContent` (series keys)
- `tipFactory` annotation tooltip callback (title / description columns)

This applies `dompurify.sanitize()` to the returned HTML in all three, so data-derived values render as text rather than markup. Consistent with the existing pattern in the file; no change to legitimate tooltip output.

### TESTING INSTRUCTIONS

```bash
cd superset-frontend && npx jest plugins/legacy-preset-chart-nvd3/test/utils.test.ts
```

Adds regression tests asserting that script/handler markup placed in the data-derived fields is stripped from the generated tooltip HTML (12/12 pass).

### ADDITIONAL INFORMATION

- [ ] Has associated issue: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)
