GitHub user Moosheimer added a comment to the discussion: Superset V6.0 - Table chart no longer shows bold text with HTML <b> tag in columns
@dosu Replacing <b> with <span style="font-weight:bold"> doesn't always work. I have an example where it doesn't work - even though it works as a Postgres query, it doesn't work with Superset.

But that's not even the problem. The real problem is that we use tables/charts extensively and would have to parse every single query and replace all <b> and <li>. And that for every query?! And then it doesn't work everywhere (see above).

Are <b> and <li> really an XSS insecurity issue?

I suggest planning an extension for the next release where you can either completely disable all SANITIZATION or at least whitelist the ones that are needed. Our application runs on the intranet and therefore does not need to be explicitly secured. I don't think we're the only ones encountering this problem (at least so far).

Security is extremely important. But aren't we going too far with this strict regulation that can't be disabled? Can't we leave it up to the user to decide whether to disable this strict setting at all? Or at least give them the option to whitelist all desired tags across the board?

GitHub link: https://github.com/apache/superset/discussions/36799#discussioncomment-15327320
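The question in the comment ("are <b> and <li> really an XSS issue?") is best answered by looking at what a tag allowlist actually has to do. The tags themselves are harmless; the risk comes from attributes (`onmouseover`, `href="javascript:..."`) and from tags like `<script>` that ride along when sanitization is switched off wholesale. The following is an added illustration written for this page, not Superset's sanitizer and not code from the commenter: a small allowlist sanitizer built on Python's standard-library `html.parser`. The tag and attribute sets are a constructed example of what a per-deployment allowlist might look like; `style` is deliberately not allowed because CSS needs its own filtering.

```python
"""Allowlist HTML sanitizer (added illustration, not Superset's code).

Keeps a constructed allowlist of formatting tags (<b>, <li>, ...), strips
every attribute that is not explicitly allowed, rejects unsafe URL schemes
on href, drops <script>/<style> together with their contents, and escapes
all remaining text. Unknown tags are removed but their text is kept.
"""
from html import escape
from html.parser import HTMLParser

# Constructed example allowlist: the tags the commenter wants, plus a few
# common formatting tags. Adjust per deployment.
ALLOWED_TAGS = {"b", "strong", "i", "em", "u", "ul", "ol", "li", "br", "p", "span", "a"}
# Attributes allowed per tag. No on* handlers and no style anywhere.
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")
# Tags whose content must be discarded, not merely unwrapped.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, for balancing
        self.dropping = 0      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text children
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onmouseover, style, src
            if name == "href" and not (value or "").lower().startswith(SAFE_HREF_SCHEMES):
                continue  # e.g. javascript: or data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # Close anything left open inside this tag, then the tag itself,
            # so the output is always balanced.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_stack:  # close tags the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return an allowlist-sanitized version of the given HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample cell values, as they might come back from a query.
    for cell in ["<b>Total</b>", '<b onmouseover="alert(1)">Total</b>',
                 "<ul><li>a</li><li>b</li></ul>", "<script>alert(1)</script>ok"]:
        print(repr(cell), "->", repr(sanitize(cell)))
```

The point for the discussion: an allowlist that admits `<b>` and `<li>` costs nothing in safety as long as attributes are filtered with the tags, whereas "disable all sanitization" lets the second and fourth sample cells through unchanged, intranet or not.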
