dosubot[bot] commented on issue #35182: URL: https://github.com/apache/superset/issues/35182#issuecomment-3305170167
Hi @alx25! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

This change is due to stricter frontend HTML sanitization introduced in Superset 5.0 and later. Handlebars chart output is now routed through the SafeMarkdown component, which escapes and sanitizes HTML by default using rehype-sanitize and rehype-raw. This prevents custom markup like `<ul>` and `<li>` from rendering as DOM elements, even if your template produces valid HTML. The sanitizer is enforced by global configuration and recent updates (see [plugin-chart-handlebars changelog](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/plugins/plugin-chart-handlebars/CHANGELOG.md)), so plugin-level overrides or disabling are no longer supported.

Currently, there is no supported way to bypass this sanitizer or render raw HTML in Handlebars custom charts in Superset 5.0/6.0. This was done to improve security and prevent XSS vulnerabilities, but it does remove the ability to inject arbitrary markup in custom charts.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
