fix(dashboard): Prevent XSS attack vector

[agl-developer]

SUMMARY

Improve security by filtering src attribute value.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

1. Create or edit an existing dashboard.
2. Add a markdown element
3. Add the following text inside the markdown editor <embed src="javascript:alert('hacked')">.
4. Click away and the added code will not show up because it did not pass the filter.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

Merging #21822 (3b66f59) into master (6f2e76b) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #21822   +/-   ##
=======================================
  Coverage   66.89%   66.89%           
=======================================
  Files        1805     1805           
  Lines       69071    69071           
  Branches     7369     7369           
=======================================
  Hits        46208    46208           
  Misses      20956    20956           
  Partials     1907     1907           

Flag	Coverage Δ
javascript	53.29% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...s/superset-ui-core/src/components/SafeMarkdown.tsx	66.66% <ø> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[stephenLYZ]

LGTM! Thanks for the fix. Also, it looks like the latest version is currently safe by default, which has no dangerouslySetInnerHTML or XSS attacks. It's a good idea to try to upgrade to the latest version in the future.

[michael-s-molina]

LGTM