rusackas opened a new pull request, #40641:
URL: https://github.com/apache/superset/pull/40641

   ### SUMMARY
   
   In `superset/reports/notifications/email.py`, `_error_template()` interpolated the report/alert error message directly into the HTML email body **without sanitization**, while the normal content path runs `description` and embedded data through `nh3.clean()`. The error text originates from exception messages (`str(ex)`) that can embed data-controlled content — e.g. crafted table/column names that surface in a database error — so HTML could be injected into notification emails sent to all recipients.
   
   This runs the error text through `nh3.clean(text, tags=set(), attributes={})` (strip all tags — error text is plain text) before interpolation, aligning it with the file's existing sanitization posture.
   
   ### TESTING INSTRUCTIONS
   
   ```
   pytest tests/unit_tests/reports/notifications/email_tests.py
   ```
   
   New test `test_error_template_sanitizes_html`: an error text containing `<img onerror=…>` / `<script>` produces an email body with that markup stripped.
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   

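The defect and the fix the PR describes, as an added example that is not Superset's code: a constructed error template with the raw interpolation beside the same template fed through `nh3.clean(text, tags=set(), attributes={})`. The template string, the function names `render_error_html_before` / `render_error_html_after`, the sample database error and the stdlib fallback (used only when `nh3` is not installed) are assumptions made here for illustration.

```python
"""Added example (not from superset/reports/notifications/email.py):
unsanitized error interpolation beside the tag-stripping fix.

Everything here is constructed: the template, the helper names, the
sample error text and the fallback stripper that stands in for nh3.
"""
from html.parser import HTMLParser

try:
    import nh3  # the sanitizer the PR uses; assumed installed
except ImportError:  # constructed fallback so the example runs offline
    nh3 = None

# Constructed stand-in for the real error template in email.py.
ERROR_TEMPLATE = (
    "<p>The report failed with the following error:</p>"
    "<pre>{error}</pre>"
)

# Constructed sample: a DB error whose quoted relation name carries markup,
# the "data-controlled content" the PR describes. Payload kept inert.
SAMPLE_ERROR = 'relation "public.<img src=x onerror=x>" does not exist'


class _TextOnly(HTMLParser):
    """Fallback that keeps text nodes only and drops every tag.

    Contents of <script>/<style> are dropped too, mirroring nh3's
    default clean_content_tags so both paths give the same result.
    """

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def strip_all_tags(text: str) -> str:
    """Strip every tag and attribute, as the PR's nh3.clean call does."""
    if nh3 is not None:
        return nh3.clean(text, tags=set(), attributes={})
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def render_error_html_before(error_text: str) -> str:
    """The defect: str(ex) lands in the HTML body untouched."""
    return ERROR_TEMPLATE.format(error=error_text)


def render_error_html_after(error_text: str) -> str:
    """The fix: sanitize before interpolation, like the description path."""
    return ERROR_TEMPLATE.format(error=strip_all_tags(error_text))


if __name__ == "__main__":
    print("before:", render_error_html_before(SAMPLE_ERROR))
    print("after: ", render_error_html_after(SAMPLE_ERROR))
```

The check to carry into a unit test is the one the PR's `test_error_template_sanitizes_html` describes: the rendered body for an error containing `<img onerror=…>` no longer contains that markup, while ordinary error text such as `division by zero` passes through unchanged.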

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
