rusackas opened a new pull request, #40620: URL: https://github.com/apache/superset/pull/40620
### SUMMARY

`tipFactory` in `superset-frontend/plugins/legacy-preset-chart-nvd3/src/utils.ts` creates the d3-tip tooltip used for chart **annotation layers**. Its `.html()` callback built a tooltip string by interpolating the annotation layer's title column value (`d[layer.titleColumn]`) and description column values (`d[c]`) and returned it **without sanitization**. d3-tip inserts that string as `innerHTML`, and these values come from the annotation data source query, so they are data-controlled. The other tooltip builders in this same module (`generateCompareTooltipContent`, `generateTimePivotTooltip`) already run their output through `dompurify.sanitize`; the annotation path was the exception.

This change:

- Extracts the HTML construction into a small pure, exported function `generateAnnotationTooltipContent(layer, d)` (matching the file's existing pattern of standalone tooltip-content helpers, and making it unit-testable without depending on d3-tip internals).
- Runs that output through `dompurify.sanitize` before returning it.
- Leaves `tipFactory`'s behavior otherwise unchanged (including the existing empty-`d` guard).

Exploitability is limited — annotation layers are typically admin-configured — so this is a defense-in-depth fix aligning the annotation tooltip with the rest of the module.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — sanitized HTML; no visual change for legitimate annotation data.

### TESTING INSTRUCTIONS

```
cd superset-frontend
npm run test -- plugins/legacy-preset-chart-nvd3/test/utils.test.ts
```

Added tests under `generateAnnotationTooltipContent()`:

- renders title + description for normal data,
- falls back to the layer name when the title column is empty,
- strips an `onerror` event-handler payload from the title column,
- strips a `<script>` payload from a description column.
### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)
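The helper shape the PR describes, as an added TypeScript example that is not the Superset source: the unsanitized "before" builder beside the "after" function that passes the finished string through a sanitizer, with the sanitizer injected so the example runs offline and covers the four test cases listed above. The `AnnotationLayer` shape, the markup layout and `toySanitize` are assumptions made for this illustration; the real fix calls `dompurify.sanitize`.

```typescript
// Added illustration of the PR's pattern; not Superset's own code. The layer
// shape, the markup layout and the toy sanitizer are assumptions.
interface AnnotationLayer {
  name: string;
  titleColumn?: string;
  descriptionColumns?: string[];
}
type Row = Record<string, unknown>;
type Sanitizer = (html: string) => string;

// "Before": column values from the annotation query are interpolated straight
// into the string that d3-tip will assign to innerHTML.
function unsafeAnnotationTooltip(layer: AnnotationLayer, d: Row): string {
  const raw = layer.titleColumn ? d[layer.titleColumn] : undefined;
  const title = raw ? String(raw) : layer.name; // fall back to the layer name
  const body = (layer.descriptionColumns ?? [])
    .map((c) => `<div>${String(d[c] ?? '')}</div>`)
    .join('');
  return `<div><strong>${title}</strong>${body}</div>`;
}

// "After": same assembly, but the whole string is sanitized before it is
// returned. The sanitizer is a parameter so the helper stays a pure,
// unit-testable function; the browser bundle would pass dompurify.sanitize.
function generateAnnotationTooltipContent(
  layer: AnnotationLayer,
  d: Row,
  sanitize: Sanitizer,
): string {
  return sanitize(unsafeAnnotationTooltip(layer, d));
}

// Toy stand-in for dompurify.sanitize (offline use only): keeps the
// attribute-less <div>/<strong> tags the builder itself emits and
// entity-encodes every other character that could open markup, so a
// data-supplied tag or event-handler attribute never reaches innerHTML as
// HTML. DOMPurify instead parses the DOM and drops unsafe nodes outright.
const ALLOWED_TAG = /(<\/?(?:div|strong)>)/i;
const escapeHtml = (s: string): string =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
function toySanitize(html: string): string {
  return html
    .split(ALLOWED_TAG) // capturing group keeps the allowed tags as parts
    .map((part) => (ALLOWED_TAG.test(part) ? part : escapeHtml(part)))
    .join('');
}
```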
