ashb commented on code in PR #54166:
URL: https://github.com/apache/airflow/pull/54166#discussion_r2262642502
##########
providers/standard/src/airflow/providers/standard/example_dags/example_hitl_operator.py:
##########
@@ -125,10 +125,11 @@ def notify(self, context: Context) -> None:
task_id="valid_input_and_options",
subject="Are the following input and options valid?",
body="""
- Input: {{
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
- Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"]
}}
- Multiple Options: {{
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
- Timeout Option: {{
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+**Collected Information**
+- Input: {{
ti.xcom_pull(task_ids='wait_for_input')["params_input"]["information"] }}
+- Option: {{ ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Multiple Options: {{
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
+- Timeout Option: {{
ti.xcom_pull(task_ids='wait_for_option')["chosen_options"] }}
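Review bot: every `{{ ti.xcom_pull(...) }}` in the added lines drops a human-supplied upstream value (`params_input["information"]`, `chosen_options`) straight into the Markdown `body` with no escaping, so each placeholder is an HTML/Markdown injection point into whatever renders the HITL body; either pass those values through an escaping filter before they reach the body or leave them out of the example altogether. Separately, the `- Option`, `- Multiple Options` and `- Timeout Option` bullets all read `["chosen_options"]` from the same `task_ids='wait_for_option'`, so the three lines will always show the same value; if they are meant to report different upstream tasks, the `task_ids` should differ.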
Review Comment:
This is still a risk - https://michelf.ca/blog/2010/markdown-and-xss/ and
https://github.com/jaydeepnasit/Markdown-XSS for just two examples of the
possible ways this might be exploited.
Just because _these_ examples are handled, how confident are you that all
the other possible ones are handled too?
We've had problems with CVEs and security vulnerabilities in example Dags
before; I'm really not sure this is worth the risk.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
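The risk the review comment points at, shown as an added example that is not code from the PR or from Airflow: an upstream task's XCom values land verbatim in the Markdown `body`, so a value that is itself HTML or a `javascript:` Markdown link becomes active content wherever that body is rendered. The example stands in for the DAG's template with plain `{{ name }}` placeholders instead of the `ti.xcom_pull(...)` expressions, and the two payloads are constructed, not taken from any real run. `render_raw` behaves like a template engine with autoescaping off (the hunk's situation); `neutralise_value` is one hypothetical fix that treats every interpolated value as literal text rather than trying to enumerate bad vectors.

```python
"""Added example: untrusted XCom values interpolated into a Markdown body."""
import html
import re

# Constructed XCom payloads: what an upstream HITL task could hand on if a
# human typed (or pasted) these into the input field. Not data from the PR.
UNTRUSTED_XCOM = {
    "information": '<img src=x onerror="alert(document.cookie)">',
    "chosen_options": "[approve](javascript:alert(1))",
}

# Simplified stand-in for the body template in the hunk: plain {{ name }}
# placeholders instead of ti.xcom_pull(...) expressions.
BODY_TEMPLATE = (
    "**Collected Information**\n"
    "- Input: {{ information }}\n"
    "- Option: {{ chosen_options }}\n"
)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_raw(template: str, values: dict) -> str:
    """What the hunk relies on: values substituted verbatim, as a Jinja
    template with autoescaping disabled would do."""
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


# ASCII punctuation that carries meaning inside Markdown. '&', '#' and ';' are
# deliberately absent so the entities produced by html.escape() stay intact.
_MD_SPECIAL = set("\\`*_{}[]()!|~")


def neutralise_value(value) -> str:
    """Render an untrusted value as literal text inside a Markdown document.

    Step 1 HTML-escapes it, so raw tags and attribute quotes are inert even
    if the Markdown renderer passes HTML through. Step 2 backslash-escapes
    the remaining Markdown punctuation, so link, emphasis and code syntax is
    not interpreted either. No list of known-bad vectors is consulted: the
    value is simply never allowed to be markup.
    """
    escaped = html.escape(str(value), quote=True)
    return "".join("\\" + c if c in _MD_SPECIAL else c for c in escaped)


def render_safe(template: str, values: dict) -> str:
    """Same substitution, but every value goes through neutralise_value()."""
    return _PLACEHOLDER.sub(
        lambda m: neutralise_value(values[m.group(1)]), template
    )


# Spot check for the two vector families used above: a raw tag, or a
# Markdown link whose target is a javascript: URL.
_ACTIVE = re.compile(r"<\s*[a-zA-Z/]|\]\(\s*javascript:", re.IGNORECASE)


def has_active_content(rendered: str) -> bool:
    """Illustrative detector only. A check like this is exactly the kind of
    blocklist the review comment warns is never complete; it is here to make
    the before/after visible, not as a defence."""
    return _ACTIVE.search(rendered) is not None


if __name__ == "__main__":
    print("--- raw (as in the hunk) ---")
    print(render_raw(BODY_TEMPLATE, UNTRUSTED_XCOM))
    print("--- escaped ---")
    print(render_safe(BODY_TEMPLATE, UNTRUSTED_XCOM))
```

Run as-is, the raw rendering still contains the `<img ... onerror=...>` tag and the `[approve](javascript:alert(1))` link, while the escaped rendering shows both as inert text (`&lt;img ...&gt;`, `\[approve\]\(javascript:alert\(1\)\)`). Escaping on the way in does not replace sanitising on the rendering side, and it does not change the reviewer's underlying point: the simplest way for an example DAG to carry no such risk is not to echo user-supplied input into rendered Markdown at all.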