GitHub user dosubot[bot] added a comment to the discussion: Superset V6.0 - Table chart no longer shows bold text with HTML <b> tag in columns
For Superset, describing how you would mitigate risks if sanitization were relaxed is important—especially for security-related features—because the project follows a security-first approach aligned with Apache Foundation guidelines. Even if a feature is opt-in, maintainers want to understand the risks and how users would be protected if the feature is enabled, since any change could impact the broader community and future maintainers. Including your risk mitigation plan in a feature suggestion increases the chance it will be considered seriously.

To safely modify the frontend whitelist and allow tags like `<b>` or `<li>`, edit `superset-frontend/packages/superset-ui-core/src/utils/html.tsx`. In the `whiteList` object, add your desired tags and allowed attributes, for example:

```js
b: [],
li: ['class', 'style'],
```

After editing, rebuild the frontend:

```bash
cd superset-frontend
npm run plugins:build
npm run build-dev
```

Clear your browser cache and reload Superset to see the changes. Note: this change affects all users and increases XSS risk, so only do this in trusted environments and test thoroughly. [Reference](https://github.com/apache/superset/issues/34191)

For a feature suggestion, explain your use case (e.g., trusted intranet, pre-tagged data), why current options are insufficient, and how you would mitigate risks (e.g., restrict to admin users, add warnings, document the risks). Here’s a template you can adapt:

```
**Title:** Make HTML sanitization whitelist user-configurable (opt-in)

**Problem:**
Superset’s strict frontend HTML sanitization prevents rendering of safe tags like `<b>` and `<li>`, even in trusted environments. This blocks important formatting for pre-tagged data.

**Proposed Solution:**
Add a user-configurable option (e.g., in superset_config.py or UI) to extend or override the frontend sanitizer whitelist, with clear warnings and opt-in gating.

**Risk Mitigation:**
- Restrict to admin users or trusted deployments
- Add prominent warnings in the UI/config
- Document XSS risks and best practices

**Use Case:**
We run Superset on a secured intranet with trusted data sources and need to render existing HTML formatting in tables/charts.

**Alternatives tried:**
Backend config, data preprocessing, and Markdown components—all insufficient for our needs.
```

Let me know if you want more details on any step or best practices for testing these changes.
GitHub link: https://github.com/apache/superset/discussions/36799#discussioncomment-15327580
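As an added, self-contained illustration (not Superset's or js-xss's own code) of how a `{ tag: [allowedAttrs] }` allowlist in the shape of the `whiteList` object in html.tsx decides what survives, including why a plain `<b>` ends up as literal text when the tag is absent from the list and what the `li: ['class', 'style']` extension admits; the base allowlist and every sample input are constructed for this example.

```javascript
// Added illustration (not Superset's or js-xss's code): an allowlist sanitizer driven by a
// `{ tag: [allowedAttrs] }` object. BASE_WHITELIST and all inputs below are constructed.
const BASE_WHITELIST = { a: ["href", "title"], p: [], span: ["class"] };
const EXTENSION = { b: [], li: ["class", "style"] }; // the extension from the comment above

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep only allowlisted attributes. Event handlers (on*) and javascript: URLs
// are dropped even if an allowlist entry would admit them.
function filterAttrs(attrString, allowed) {
  const re = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const kept = [];
  let m;
  while ((m = re.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.includes(name) || name.startsWith("on")) continue;
    if (/^\s*javascript:/i.test(value)) continue;
    kept.push(`${name}="${escapeText(value)}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

// Tags not in the allowlist are escaped so they render as literal text (the
// `<b>` symptom in the discussion title); allowed tags are re-emitted with
// only their filtered attributes, and all text between tags is escaped.
function sanitize(html, whiteList) {
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(whiteList, tag)) {
      out += escapeText(m[0]);
      continue;
    }
    const attrs = filterAttrs(m[3].replace(/\/\s*$/, ""), whiteList[tag]);
    out += m[1] === "/" ? `</${tag}>` : `<${tag}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Allowlist with the comment's extension merged in.
function extendedWhiteList() { return { ...BASE_WHITELIST, ...EXTENSION }; }
```

Running `sanitize('<b>Total</b>', BASE_WHITELIST)` against the base list shows the escaped `&lt;b&gt;Total&lt;/b&gt;` the discussion describes, while the extended list keeps `<b>` but still strips `onclick` and `<script>`.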
