rusackas commented on PR #22604: URL: https://github.com/apache/superset/pull/22604#issuecomment-4780954063
@eng-cc this is a nice feature, but the codeant threads on `transformProps.ts:699` and `UrlLinkPopoverContent.tsx:88` are right to flag it: user URL templates flow straight to `href` with no scheme check, so `javascript:` payloads get rendered. I'll see about updating the protocol (allow http/https/mailto, reject the rest) before we go further.
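An added example of the scheme allowlist described in the comment above (not Superset's code, and not the fix rusackas proposes to write): `sanitizeHref` is a hypothetical helper that parses the templated href with the WHATWG `URL` constructor and keeps it only when the scheme is http, https or mailto, replacing everything else with an inert fallback.

```typescript
// Added example, not Superset's code: scheme allowlist for an href that is
// built from a user-supplied URL template. Only http, https and mailto are
// rendered; javascript:, data:, vbscript: and unparsable input are replaced
// by an inert fallback so the anchor can never execute script.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const SAFE_FALLBACK = 'about:blank';

// Base used only to resolve relative templates such as "/dashboard/{id}";
// a relative href inherits the page's http/https scheme, so it is kept.
const RESOLVE_BASE = 'https://placeholder.invalid/';

// Returns the href to render, or SAFE_FALLBACK when the scheme is not allowed.
function sanitizeHref(candidate: string): string {
  // Remove ASCII control characters and whitespace before parsing: browsers
  // drop tabs/newlines inside a URL, so "java\tscript:..." still runs as a
  // javascript: URL. Stripping them first means the check sees what the
  // browser will see. The cleaned string is used for the decision only.
  const cleaned = candidate.replace(/[\u0000-\u0020\u007F]/g, '');

  let parsed: URL;
  try {
    parsed = new URL(cleaned, RESOLVE_BASE);
  } catch {
    // Not a parseable URL at all: refuse rather than guess.
    return SAFE_FALLBACK;
  }

  // URL.protocol is lower-cased, so "JavaScript:" normalises to "javascript:"
  // and "HTTPS:" to "https:"; the Set lookup is therefore case-insensitive.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? candidate : SAFE_FALLBACK;
}
```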
