rusackas opened a new pull request, #40627: URL: https://github.com/apache/superset/pull/40627
### SUMMARY

The shared HTML sanitizer in `superset-ui-core` (`utils/html.tsx`) allows inline `style` attributes on a set of whitelisted elements, but it disabled CSS value validation by setting `css: false` on the `FilterXSS` instance. With validation disabled, any CSS property — including layout and positioning properties such as `position`, `z-index`, `width`, and `height` — passed through untouched.

This change replaces `css: false` with a restrictive CSS property allowlist limited to safe presentational properties (`color`, `background-color`, `font-*`, `text-*`, spacing, borders, etc.). The `xss` library validates declared properties against this allowlist and also validates their values, so unsupported constructs (e.g. `url(...)`, `expression(...)`) are stripped as well.

This sanitizer is reachable when markup is rendered with HTML rendering enabled (e.g. table/pivot cells with `allow_render_html`), so tightening the allowlist hardens that path while keeping ordinary presentational styling intact.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

### TESTING INSTRUCTIONS

- `npx jest packages/superset-ui-core/src/utils/html.test.tsx`
- New tests cover: allowed presentational properties are preserved, layout/positioning properties are stripped, and unsafe property values are removed.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
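As an added example that is not part of the PR and not the `xss` library's code, the self-contained JavaScript below shows the two checks the PR description relies on, a CSS property allowlist plus value validation, applied to inline `style` attributes; the property list, `filterStyle` and `sanitizeStyleAttributes` are assumptions made for illustration.

```javascript
// Added example (not Superset's sanitizer and not the `xss` library): a
// minimal allowlist filter for inline `style` attributes that mirrors what
// the PR turns on by replacing `css: false` with a CSS property allowlist.

// Constructed allowlist of presentational properties, following the
// categories named in the PR (color, background-color, font-*, text-*,
// spacing, borders). The exact property list is an assumption.
const ALLOWED_CSS_PROPERTIES = new Set([
  'color', 'background-color',
  'font-family', 'font-size', 'font-style', 'font-weight',
  'text-align', 'text-decoration', 'text-transform',
  'margin', 'padding',
  'border', 'border-color', 'border-style', 'border-width',
]);

// Value validation: only plain keywords, numbers, units, hex colours and
// simple separators. Anything containing parentheses, quotes or escapes,
// such as url(...) or expression(...), is rejected whatever the property.
const SAFE_VALUE = /^[a-zA-Z0-9 #%.,\-]+$/;

// Filters one style attribute value, declaration by declaration, and
// returns the surviving declarations in normalised `name:value` form.
function filterStyle(style) {
  const kept = [];
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;                        // not a declaration
    const name = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_CSS_PROPERTIES.has(name)) continue; // position, z-index, width, ...
    if (!SAFE_VALUE.test(value)) continue;           // url(...), expression(...), ...
    kept.push(`${name}:${value}`);
  }
  return kept.join(';');
}

// Applies filterStyle to every double-quoted style="..." attribute in a
// markup string; an attribute left empty is removed altogether. Tag and
// other-attribute filtering is out of scope for this example.
function sanitizeStyleAttributes(html) {
  return html.replace(/\sstyle="([^"]*)"/gi, (_match, style) => {
    const filtered = filterStyle(style);
    return filtered ? ` style="${filtered}"` : '';
  });
}
```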
