dosubot[bot] commented on issue #36779: URL: https://github.com/apache/superset/issues/36779#issuecomment-3678716021
In Superset 6.0, HTML in tooltips (including those generated by the JavaScript tooltip generator) is escaped and sanitized for security reasons—this is to prevent XSS and other vulnerabilities. As a result, HTML tags like `<br/>` are shown as plain text instead of being rendered as line breaks or markup. This change was introduced to align with best practices and is enforced in both Handlebars custom charts and deck.gl tooltips ([source](https://github.com/apache/superset/issues/35182), [test code](https://github.com/apache/superset/blob/master/superset-frontend/packages/superset-ui-core/test/utils/tooltip.test.ts)).

The sanitizer removes or escapes unsafe HTML (like `<script>` tags and event handlers) and only allows a very limited set of safe tags. There is currently no supported way to allow arbitrary HTML in deck.gl tooltips, even with JS tooltip generators, unless you modify the code or the sanitizer configuration. This is a deliberate security measure in recent Superset versions.
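The escape-by-default behaviour the comment describes, shown as an added illustrative sanitizer written for this page (not Superset's own sanitizer; the tag allowlist and the function names are assumptions):

```javascript
// Illustrative escape-by-default tooltip sanitizer (added example, not Superset code).
// Everything is treated as text unless the tag name is on a small allowlist, and even
// allowed tags are emitted without attributes, so event handlers cannot survive.
const SAFE_TAGS = new Set(['b', 'i', 'em', 'strong']); // hypothetical allowlist: no br, no script

// Escape the characters that would let text be parsed as markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Walk the input once; emit bare allowed tags, escape everything else literally.
function sanitizeTooltip(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    if (input[i] !== '<') {
      out += escapeHtml(input[i]);
      i += 1;
      continue;
    }
    const close = input.indexOf('>', i);
    if (close === -1) {
      // A stray '<' with no closing '>' is just text, e.g. "a < b".
      out += escapeHtml(input.slice(i));
      break;
    }
    // Tag name with optional leading slash; attributes (if any) are never copied.
    const match = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)/.exec(input.slice(i + 1, close));
    if (match && SAFE_TAGS.has(match[2].toLowerCase())) {
      out += `<${match[1]}${match[2].toLowerCase()}>`;
    } else {
      // Unknown tags (including <br/> and <script>) come out as literal text.
      out += escapeHtml(input.slice(i, close + 1));
    }
    i = close + 1;
  }
  return out;
}
```

Because `br` is not on the allowlist, `<br/>` survives only as the literal text the reporter saw; the escaping itself is not what would need to change.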
