rusackas opened a new pull request, #40639: URL: https://github.com/apache/superset/pull/40639
### SUMMARY Two model render helpers interpolated data-controlled values into HTML that is marked safe (`Markup`) or returned as raw HTML, without escaping: - **`Dashboard.dashboard_link()`** (`superset/models/dashboard.py`) embedded the user-controlled **slug** (via `self.url`) directly in an `href` attribute, escaping only the title. The REST API sanitizes slugs (`re.sub(r"[^\w\-]+", "", slug)`), but the **import path** (`ImportV1DashboardSchema`) does not, so a crafted import can persist a slug with markup — a stored-XSS sink in the FAB dashboard list view. Now escapes the URL too, matching the established `SqlaTable.link` pattern. - **`Slice.icons`** (`superset/models/slice.py`) interpolated the datasource name and edit URL into HTML attributes without escaping. Now escapes both (defense-in-depth; consistent with `Slice.slice_link`). ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/models/dashboard_test.py tests/unit_tests/models/slice_test.py ``` New tests: a slug containing `"><script>…` is escaped in `dashboard_link` (and a normal slug still renders); injected markup in the datasource name / edit URL is escaped in `Slice.icons`. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
