rusackas commented on PR #40640:
URL: https://github.com/apache/superset/pull/40640#issuecomment-4661933215

@aminghadersohi thanks for the thorough scan — addressed all of it:

- **MEDIUM (validate_css escape expansion):** added a docstring note that CSS escape sequences (e.g. `\6a avascript:`) are not expanded before matching, so the validator is a first-line filter and not a complete XSS sanitiser.
- **MEDIUM (`del serialized[...]`):** switched the guest-user `owners`/`database` removals to `serialized.pop(..., None)` so they match the field-stripping pattern right below and no longer risk a `KeyError`.
- **NIT (frozenset):** `ALLOWED_URL_SCHEMES` is now a `frozenset`.
- **NIT (`//evil.com`):** added the scheme-relative case to `test_chart_external_url_rejects_non_absolute`.
- **NIT (DashboardCopySchema):** added `test_dashboard_copy_css_rejects_dangerous_constructs` so the Copy schema CSS wiring is covered too.
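To make the escape-expansion caveat concrete, here is an added, self-contained example (not Superset's `validate_css` and not part of this PR): a pattern-based CSS filter checked against the raw text only, beside a variant that first expands CSS escapes per CSS Syntax Level 3 so the `\6a avascript:` spelling is caught. All names (`DANGEROUS_PATTERNS`, `unescape_css`, `validate_css_naive`, `validate_css_unescaped`) are hypothetical.

```python
import re

# Hypothetical deny-list of CSS constructs; not Superset's real pattern set.
DANGEROUS_PATTERNS = [
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"expression\s*\(", re.IGNORECASE),
    re.compile(r"@import\b", re.IGNORECASE),
    re.compile(r"url\s*\(\s*['\"]?\s*(javascript|data)\s*:", re.IGNORECASE),
]

# A CSS escape is a backslash followed by 1-6 hex digits (plus one optional
# whitespace that is consumed), or a backslash followed by any non-newline
# character, which then stands for itself.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\f\r]?|\\([^\n])")


def unescape_css(css: str) -> str:
    """Expand CSS escape sequences so that r'\\6a avascript:' becomes 'javascript:'."""

    def _sub(m: re.Match) -> str:
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            # NUL, surrogates and out-of-range code points map to U+FFFD per spec.
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return m.group(2)

    return _CSS_ESCAPE.sub(_sub, css)


def validate_css_naive(css: str) -> bool:
    """First-line filter: returns True (accept) when no pattern matches the raw text."""
    return not any(p.search(css) for p in DANGEROUS_PATTERNS)


def validate_css_unescaped(css: str) -> bool:
    """Escape-aware filter: checks both the raw text and its expanded form."""
    return validate_css_naive(css) and validate_css_naive(unescape_css(css))


if __name__ == "__main__":
    # Constructed input: the scheme is hidden behind a hex escape for the 'j'.
    sample = r"a { background: url(\6a avascript:alert(1)) }"
    print("naive accepts:", validate_css_naive(sample))        # True
    print("escape-aware accepts:", validate_css_unescaped(sample))  # False
```

The naive check is still useful as a cheap first pass; the escape-aware variant is what closes the gap the docstring note describes.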


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
