rusackas opened a new pull request, #41298:
URL: https://github.com/apache/superset/pull/41298

   ### SUMMARY
   
   `getOverrideHtmlSchema` passed the module-level `defaultSchema` import from 
`rehype-sanitize` as the first argument to lodash `mergeWith`, which mutates 
its first argument in place. Because the array customizer concatenates rather 
than replaces, the allowed tags/attributes/protocols arrays grew on each call — 
progressively widening the sanitization allowlist for every `SafeMarkdown` 
instance across the app, not just the one with overrides.
   
   This merges into a fresh `cloneDeep` of the schema so the shared singleton 
is never modified and repeated calls do not accumulate overrides.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   N/A — internal behavior.
   
   ### TESTING INSTRUCTIONS
   
   Tests added in 
`superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx`:
   
   - The original schema passed in is not mutated.
   - The shared `defaultSchema` import is unchanged after calls, and repeated 
calls do not accumulate the override (arrays do not grow).
   
   Run: `cd superset-frontend && npm run test -- packages/superset-ui-core/test/components/SafeMarkdown.test.tsx`
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in 
[SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

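Added example, not code from the PR or from Superset: a self-contained reproduction of the allowlist growth described in the summary, with the buggy "merge into the shared schema" pattern beside the `cloneDeep` fix. lodash is not required; `mergeWith` below is a minimal stand-in that models only the two behaviours the bug depends on (mutating its first argument in place, and deferring to the array customizer). The `defaultSchema` subset, the override object, and the `getOverrideHtmlSchemaBefore`/`getOverrideHtmlSchemaAfter` signatures are assumptions for illustration, not the project's real exports.

```javascript
'use strict';

// Schemas here are plain JSON data, so a JSON round-trip is a sufficient deep clone.
function cloneDeep(value) {
  return JSON.parse(JSON.stringify(value));
}

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Stand-in for lodash `mergeWith` (assumption: models only what the bug relies on):
// mutates `target` in place, asks `customizer` first, recurses into nested objects.
function mergeWith(target, source, customizer) {
  for (const key of Object.keys(source)) {
    const custom = customizer(target[key], source[key], key);
    if (custom !== undefined) {
      target[key] = custom;
    } else if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      mergeWith(target[key], source[key], customizer);
    } else {
      target[key] = cloneDeep(source[key]);
    }
  }
  return target;
}

// Array customizer of the kind the PR describes: concatenate, do not replace.
function concatArrays(objValue, srcValue) {
  return Array.isArray(objValue) ? objValue.concat(srcValue) : undefined;
}

// Constructed stand-in for the `defaultSchema` export of rehype-sanitize (a subset).
const defaultSchema = {
  tagNames: ['a', 'b', 'p'],
  attributes: { a: ['href'] },
  protocols: { href: ['http', 'https'] },
};

// BEFORE (buggy): the shared schema object itself is the mutation target.
function getOverrideHtmlSchemaBefore(schema, overrides) {
  return mergeWith(schema, overrides, concatArrays);
}

// AFTER (fixed): merge into a fresh deep copy; the shared object is never written to.
function getOverrideHtmlSchemaAfter(schema, overrides) {
  return mergeWith(cloneDeep(schema), overrides, concatArrays);
}

// Calls `fn` repeatedly against one shared schema, as many SafeMarkdown
// instances would, and reports what happened to the shared object.
function simulate(fn, overrides, calls) {
  const shared = cloneDeep(defaultSchema);
  let last;
  for (let i = 0; i < calls; i += 1) {
    last = fn(shared, overrides);
  }
  return {
    sharedTags: shared.tagNames,
    sharedHrefProtocols: shared.protocols.href,
    resultTags: last.tagNames,
  };
}

// Constructed override: one widening per array kind (tags, attributes, protocols).
const overrides = {
  tagNames: ['iframe'],
  attributes: { iframe: ['src'] },
  protocols: { href: ['mailto'] },
};

const before = simulate(getOverrideHtmlSchemaBefore, overrides, 3);
const after = simulate(getOverrideHtmlSchemaAfter, overrides, 3);
console.log('before fix, shared tagNames after 3 calls:', before.sharedTags);
console.log('before fix, shared href protocols:        ', before.sharedHrefProtocols);
console.log('after fix,  shared tagNames after 3 calls:', after.sharedTags);
console.log('after fix,  returned tagNames:            ', after.resultTags);
```

The point to check in review of any such fix is the one the PR's tests cover: assert on the shared import after several calls, not only on the first return value, because the first call already returns the right answer in both versions and the defect only shows as growth across calls.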
