korbit-ai[bot] commented on code in PR #33791:
URL: https://github.com/apache/superset/pull/33791#discussion_r2275567135
##########
superset-frontend/plugins/plugin-chart-table/src/TableChart.tsx:
##########
@@ -251,6 +253,13 @@ function SelectPageSize({
const getNoResultsMessage = (filter: string) =>
filter ? t('No matching records found') : t('No records found');
+const sanitizeHtmlValue = (value: DataRecordValue): DataRecordValue => {
+ if (typeof value === 'string' && isProbablyHTML(value)) {
+ return removeHTMLTags(value);
+ }
Review Comment:
### Insufficient HTML Sanitization
<details>
<summary>Tell me more</summary>
###### What is the issue?
The sanitization of HTML values relies on `isProbablyHTML` for detection and
`removeHTMLTags` for sanitization, which may be insufficient for preventing XSS
attacks.
###### Why this matters
Without proper HTML sanitization, malicious users could potentially inject
harmful scripts that execute in users' browsers when viewing table data.
###### Suggested change ∙ *Feature Preview*
Replace with a proven HTML sanitization library like DOMPurify:
```typescript
import DOMPurify from 'dompurify';

const sanitizeHtmlValue = (value: DataRecordValue): DataRecordValue => {
  if (typeof value === 'string') {
    return DOMPurify.sanitize(value);
  }
  return value;
};
```
</details>
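An escape-based alternative to the gated tag stripping discussed above, together with an acceptance check a reviewer could run over any candidate `sanitizeHtmlValue`, added here as an example; it is not code from the PR or from Superset. It assumes `DataRecordValue` is the union declared below (the real type lives in `@superset-ui/core`), and the sample cell values are constructed.

```typescript
// Added example, not Superset's code. DataRecordValue is assumed to be this union.
export type DataRecordValue = string | number | boolean | null | undefined;
export type Sanitizer = (value: DataRecordValue) => DataRecordValue;

const ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
const UNESCAPES: Record<string, string> = {
  '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
};

// Escape every string unconditionally: with no "does this look like HTML" gate,
// the detection heuristic never becomes the security boundary. Non-strings pass through.
export const escapeHtmlValue: Sanitizer = value =>
  typeof value === 'string' ? value.replace(/[&<>"']/g, ch => ESCAPES[ch] ?? ch) : value;

const unescapeHtml = (s: string): string =>
  s.replace(/&(amp|lt|gt|quot|#39);/g, ent => UNESCAPES[ent] ?? ent);

// A '<' followed by a letter or '/' is still parsed as a tag start by a browser.
const TAG_START = /<\/?[a-z]/i;

export interface SanitizerReport {
  unsafe: string[];   // string inputs whose output still contains a tag start
  altered: string[];  // inputs that should have survived unchanged but did not
}

// Run a sanitizer over sample values and report two failure classes: output
// that is still markup, and plain text or non-string values it damaged.
export function checkSanitizer(sanitize: Sanitizer, samples: DataRecordValue[]): SanitizerReport {
  const report: SanitizerReport = { unsafe: [], altered: [] };
  for (const sample of samples) {
    const out = sanitize(sample);
    if (typeof sample !== 'string') {
      if (out !== sample) report.altered.push(String(sample));
    } else if (typeof out !== 'string' || TAG_START.test(out)) {
      report.unsafe.push(sample);
    } else if (!/[<>]/.test(sample) && unescapeHtml(out) !== sample) {
      report.altered.push(sample); // plain text must round-trip unchanged
    }
  }
  return report;
}

// Constructed sample cell values: plain text, an ampersand, markup, non-strings.
export const SAMPLE_CELLS: DataRecordValue[] = [
  'plain text', 'AT&T', '<b>bold</b>', '<script>alert(1)</script>', 42, true, null,
];
```

Running `checkSanitizer` with an identity function in place of `escapeHtmlValue` reports both markup samples as unsafe, which is the regression a unit test for this helper should catch.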
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]