rusackas commented on code in PR #40612:
URL: https://github.com/apache/superset/pull/40612#discussion_r3347836281
##########
superset-frontend/plugins/legacy-preset-chart-nvd3/test/utils.test.ts:
##########
@@ -125,6 +125,56 @@ describe('nvd3/utils', () => {
);
});
+ describe('generateMultiLineTooltipContent()', () => {
+ const identity = (value: any) => value;
+
+ test('renders the series key in the tooltip markup', () => {
+ const tooltip = generateMultiLineTooltipContent(
+ {
+ value: 'x-value',
+ series: [{ key: 'Region A', color: '#fff', value: 1 }],
+ },
+ identity,
+ [identity],
+ );
+ expect(tooltip).toContain('Region A');
+ });
+
+ test('strips a script payload from a malicious series key', () => {
+ const tooltip = generateMultiLineTooltipContent(
+ {
+ value: 'x-value',
+ series: [
+ {
+ key: '<img src=x onerror="alert(1)">',
+ color: '#fff',
+ value: 1,
+ },
+ ],
+ },
+ identity,
+ [identity],
+ );
+ // DOMPurify removes the event handler that would execute on render.
+ expect(tooltip).not.toContain('onerror');
+ expect(tooltip).not.toContain('alert(1)');
+ });
+
+ test('removes script tags injected via the series key', () => {
+ const tooltip = generateMultiLineTooltipContent(
+ {
+ value: 'x-value',
+ series: [
+ { key: '<script>alert(1)</script>', color: '#fff', value: 1 },
+ ],
+ },
+ identity,
+ [identity],
+ );
+ expect(tooltip).not.toContain('<script>');
+ });
Review Comment:
Good catch — consolidated. Removed the duplicate `<script>`-stripping test
from the first describe block; the equivalent assertion is retained in the
`generateMultiLineTooltipContent() sanitises user input` block, and the
distinct `<img onerror>` payload test stays for separate coverage.