Henry-Hong opened a new pull request, #4795: URL: https://github.com/apache/zeppelin/pull/4795
### What is this PR for?

#### Description

- Related: https://github.com/apache/zeppelin/pull/3449
- Thanks to the above PR, using Helium got much safer. But there are still remaining vulnerability issues with Helium packages.
- If somebody makes a malicious Helium package, it can lead to serious consequences.

#### Solution

- `zeppelin-web` depends on `[email protected]`, which provides the escaping method `_.escape`.
- I applied `_.escape(vulnerable-text)` to the vulnerable text.

### AS-IS

_You can see the HTML is not escaped and the `<img>` tag has been rendered._

### TO-BE

<img width="1728" alt="image" src="https://github.com/user-attachments/assets/8d217b66-5692-4186-a5c8-5bcc87460dc5">

_HTML is escaped and `<`, `>` have been converted into HTML entities, which is safer._

### What type of PR is it?

Hot Fix

### Todos

* [x] - Escape HTML message before rendering

### What is the Jira issue?

- N/A

### How should this be tested?

- N/A

### Screenshots (if appropriate)

### Questions:

* Do the license files need to be updated? NO
* Are there breaking changes for older versions? NO
* Does this need documentation? NO

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

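The escaping the PR relies on, shown as an added example that is not part of the pull request or of Zeppelin's code. Since lodash may not be installed where this runs, `escapeHtml` is a dependency-free reimplementation covering the same five characters that lodash 4's `_.escape` converts (`&`, `<`, `>`, `"`, `'`); the package object, the two `render*` functions and `containsForeignTag` are constructed for the illustration and do not correspond to names in `zeppelin-web`. The "AS-IS" path interpolates untrusted package text straight into markup, the "TO-BE" path escapes it first, and the last helper is a small test guard that flags any tag in the output that the template itself did not emit.

```javascript
// Character set handled by lodash 4's _.escape; `&` is included so that an
// already-encoded entity in the input cannot be smuggled through unchanged.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Dependency-free equivalent of `_.escape` (reimplemented here, not lodash).
// One regex pass means every special character is replaced exactly once.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: a Helium-style package whose description field carries
// markup. Only the description is attacker-controlled in this scenario.
const SAMPLE_PACKAGE = {
  name: 'example-viz',
  description: 'Nice charts <img src="x">',
};

// "AS-IS": the untrusted text is dropped into the template verbatim, so any
// tag inside it becomes part of the page.
function renderUnescaped(pkg) {
  return `<div class="helium-desc">${pkg.description}</div>`;
}

// "TO-BE": the same template, but the text passes through escapeHtml first,
// so `<img ...>` reaches the browser as literal characters, not as an element.
function renderEscaped(pkg) {
  return `<div class="helium-desc">${escapeHtml(pkg.description)}</div>`;
}

// Test guard: return true if the rendered markup contains any tag name other
// than the ones our own template is allowed to emit.
function containsForeignTag(html, allowed = ['div']) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tagNames.some((name) => !allowed.includes(name));
}

console.log('AS-IS :', renderUnescaped(SAMPLE_PACKAGE));
console.log('TO-BE :', renderEscaped(SAMPLE_PACKAGE));
```

The guard is the kind of assertion worth keeping in a front-end unit test: render a fixture whose description contains markup and fail the build if anything other than the template's own elements appears in the output, which catches a future refactor that drops the escape call.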