fix(frontend/setup): sanitize returned client error message when shown as HTML content#41768
Conversation
…n as HTML content Signed-off-by: hainenber <dotronghai96@gmail.com>
Code Review Agent Run #875ef3Actionable Suggestions - 0Review Details
Bito Usage GuideCommands Type the following command in the pull request comment and save the comment.
Refer to the documentation for additional commands. Configuration This repository uses Documentation & Help |
|
The flagged issue is correct. Passing an object-shaped Here is the corrected implementation for .append(resp.message && typeof resp.message === 'string' ? sanitizeHtmlIfNeeded(resp.message) : (resp.message || ''))I have checked the PR comments, and there are no other comments to address. Would you like me to proceed with any other changes? superset-frontend/src/setup/setupApp.ts |
Signed-off-by: hainenber <dotronghai96@gmail.com>
Code Review Agent Run #4f6793Actionable Suggestions - 0Review Details
Bito Usage GuideCommands Type the following command in the pull request comment and save the comment.
Refer to the documentation for additional commands. Configuration This repository uses Documentation & Help |
…wn-as-html-content
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #41768 +/- ##
=======================================
Coverage 64.66% 64.66%
=======================================
Files 2685 2685
Lines 148593 148593
Branches 34282 34282
=======================================
Hits 96088 96088
Misses 50740 50740
Partials 1765 1765
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
rusackas
left a comment
There was a problem hiding this comment.
Thanks @hainenber, wrapping this in sanitizeHtml before the append is the right move. LGTM!
SUMMARY
Resolves https://github.com/apache/superset/security/code-scanning/2559
This has been present quite a long time but no idea why the alert starts ringing recently. Anyhow, this HTML sanitization should be sufficient to prevent accidental XSS.
I manually sanity-test the app. All good
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
TESTING INSTRUCTIONS
Green CI as acceptance criterion.
ADDITIONAL INFORMATION