codeant-ai-for-open-source[bot] commented on code in PR #41768:
URL: https://github.com/apache/superset/pull/41768#discussion_r3522827539
##########
superset-frontend/src/setup/setupApp.ts:
##########
@@ -41,7 +42,7 @@ function showApiMessage(resp: ClientErrorObject) {
const severity = resp.severity || 'info';
$(template)
.addClass(`alert-${severity}`)
- .append(resp.message || '')
+ .append(resp.message ? sanitizeHtmlIfNeeded(resp.message) : '')
Review Comment:
**Suggestion:** `resp.message` is assumed to be a string, but
`getClientErrorObject` can produce object-shaped `message` values (for
validation errors). Passing a non-string into `sanitizeHtmlIfNeeded` will throw
at runtime when it calls string methods, so this alert path can crash instead
of showing the error. Guard with a string type check (or use a safe fallback
such as `resp.error`) before sanitizing. [type error]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
❌ Checkbox error alerts crash on Marshmallow validation responses.
⚠️ Global setup script may stop handling future events.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. The SPA entrypoint `superset-frontend/src/views/App.tsx:12` calls
`setupApp()` from
`src/setup/setupApp.ts`, which registers the checkbox change handler and
error alert
logic.
2. In `superset-frontend/src/setup/setupApp.ts:49-55`, `toggleCheckbox()`
issues a
`SupersetClient.get` and on failure calls
`getClientErrorObject(response).then(parsedResp
=> { ... })`.
3. When the backend returns a Marshmallow-style validation error JSON with an
object-shaped `message` field (documented in
`superset-frontend/packages/superset-ui-core/src/query/getClientErrorObject.ts:129-135`),
`parseErrorJson()` leaves `error.message` as an object while deriving
`error.error`, and
returns this as `ClientErrorObject`.
4. In the `catch` handler at `setupApp.ts:55-59`, `parsedResp?.message` is
truthy so
`showApiMessage(parsedResp)` is called; inside `showApiMessage` at
`setupApp.ts:37-45`,
`resp.message` (an object) is passed to `sanitizeHtmlIfNeeded`, which in
turn calls
`isProbablyHTML(text)` at
`packages/superset-ui-core/src/utils/html.tsx:69-71`. That
function executes `text.trim()`, causing `TypeError: text.trim is not a
function` at
runtime, crashing the alert path and potentially breaking subsequent
frontend behavior.
```
</details>
[](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=45d8f4ad9057449cbfc5bcce0a9b7094&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
[](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=45d8f4ad9057449cbfc5bcce0a9b7094&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset-frontend/src/setup/setupApp.ts
**Line:** 45:45
**Comment:**
*Type Error: `resp.message` is assumed to be a string, but
`getClientErrorObject` can produce object-shaped `message` values (for
validation errors). Passing a non-string into `sanitizeHtmlIfNeeded` will throw
at runtime when it calls string methods, so this alert path can crash instead
of showing the error. Guard with a string type check (or use a safe fallback
such as `resp.error`) before sanitizing.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F41768&comment_hash=0e536f6dbc9dc6af5cef6fb75854e562b48424fd981298fab61c9e7cab83b8eb&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F41768&comment_hash=0e536f6dbc9dc6af5cef6fb75854e562b48424fd981298fab61c9e7cab83b8eb&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]