etr2460 commented on a change in pull request #8398: [SIP-15] Adding initial framework
URL: https://github.com/apache/incubator-superset/pull/8398#discussion_r335723908
 
 

 ##########
 File path: superset/assets/src/messageToasts/components/Toast.jsx
 ##########
 @@ -96,7 +97,7 @@ class Toast extends React.Component {
           toastType === DANGER_TOAST && 'toast--danger',
         )}
       >
-        {text}
+        <div dangerouslySetInnerHTML={{ __html: dompurify.sanitize(text) }} />
 
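Review bot: the `+` line turns every flash message passed as `text` into an HTML sink via `dangerouslySetInnerHTML`, even though the surrounding component only needs to show a message that may contain one link. Prefer keeping `text` as a plain React child and building the anchor as an element from a structured value (or a delimited string split in a helper), which removes the HTML-rendering path entirely. If sanitized HTML must stay, call `dompurify.sanitize(text, { ALLOWED_TAGS: [...], ALLOWED_ATTR: [...] })` with only the tags and attributes a flash message legitimately uses rather than the default allow-list, and add a short comment on why raw HTML is accepted here.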
 Review comment:
   We should really avoid dangerously setting html. Why not encode the URL in another way and then pull it out of the string? I know this is just to make `flash` work since it only accepts a string. But instead I'd send a flash something like:
   ```
   Preview then save your chart using the new time range endpoints $$$SUPER_UNIQUE_TOKEN_FOR_ENCODING_LINK_FOR_HERE$$$http://superset.../
   ```
   
   Then you could just do in a helper function:
   ```jsx
   function renderFlashMessage(str) {
     // Split the message on the delimiter token; anything after it is the link URL.
     const parts = str.split('$$$SUPER_UNIQUE_TOKEN_FOR_ENCODING_LINK_FOR_HERE$$$');
     if (parts.length > 1) {
       return <div>{parts[0]} <a href={parts[1]}>here</a>.</div>;
     } else {
       return <div>{parts[0]}</div>;
     }
   }
   ```
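As an added example (not part of the review comment or the Superset code base), the same token-split approach written in plain JavaScript without JSX, returning a `{ text, href }` object that a component would turn into a text node plus an anchor; it also shows the extra check a defender would want, accepting only an absolute `http:`/`https:` URL as the link so the message text is never interpreted as HTML and a `javascript:` URL cannot become an `href`. The token value is the one proposed in the comment; the sample messages are constructed.

```javascript
// Delimiter proposed in the review comment: text before it, link URL after it.
const LINK_TOKEN = '$$$SUPER_UNIQUE_TOKEN_FOR_ENCODING_LINK_FOR_HERE$$$';
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { text, href } when the message carries a usable link, else { text }.
// `text` is returned as plain text for a React child (never as HTML), and
// `href` is only set when the trailing part parses as an absolute http(s) URL,
// so a javascript: or data: URL is silently dropped.
function parseFlashMessage(message) {
  const idx = message.indexOf(LINK_TOKEN);
  if (idx === -1) {
    return { text: message };
  }
  const text = message.slice(0, idx).trim();
  const rawHref = message.slice(idx + LINK_TOKEN.length).trim();
  let href;
  try {
    const url = new URL(rawHref); // throws on relative or malformed input
    if (ALLOWED_PROTOCOLS.has(url.protocol)) {
      href = url.href;
    }
  } catch (e) {
    // Not an absolute URL: fall through and render the text alone.
  }
  return href === undefined ? { text } : { text, href };
}

// Constructed sample inputs (hypothetical host, not a real Superset URL).
const SAMPLE_WITH_LINK =
  'Preview then save your chart using the new time range endpoints '
  + LINK_TOKEN + 'https://superset.example/explore';
const SAMPLE_PLAIN = 'Chart saved <b>successfully</b>';
const SAMPLE_BAD_SCHEME = 'Click ' + LINK_TOKEN + 'javascript:alert(1)';
```

A component would render `{text}` and, when `href` is present, `<a href={href}>here</a>`, with no HTML parsing anywhere on the path.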

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.