aminghadersohi opened a new pull request, #37186:
URL: https://github.com/apache/superset/pull/37186
## Summary
Fixes a bug where ampersands (`&`) in MCP-generated chart titles display as
`&amp;` in the Superset UI.
**Root Cause:** The `html.escape()` function was being applied to chart
names, column names, column labels, filter column names, and filter values in
the MCP chart schemas validation layer. This HTML encoding was unnecessary
because:
1. The data is stored in a database and returned via JSON API
2. React handles its own escaping when rendering text content
3. The existing XSS protections (blocking script tags, javascript: URLs,
event handlers, SQL injection patterns) are sufficient
**Changes:**
- Removed `import html` from schemas.py
- Removed `html.escape()` calls from 5 sanitization validators:
  - `ColumnRef.sanitize_name()` - column names
  - `ColumnRef.sanitize_label()` - column labels
  - `FilterConfig.sanitize_column()` - filter column names
  - `FilterConfig.sanitize_value()` - filter values
  - `UpdateChartRequest.sanitize_chart_name()` - chart names
## BEFORE/AFTER
**Before:** Creating a chart with title "A & B" via MCP `generate_chart`
tool shows "A &amp; B" in the UI
**After:** Creating a chart with title "A & B" displays correctly as "A & B"
## TESTING INSTRUCTIONS
1. Use MCP `generate_chart` tool to create a chart with a title containing
`&`
2. Verify the title displays correctly in Superset UI without HTML encoding
## ADDITIONAL INFORMATION
- [ ] Has associated issue: N/A - simple bug fix
- [ ] Required feature flags: None
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Changes API: No
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
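The double-encoding the PR describes, and the reason removing `html.escape()` from the storage-side validators is safe, can be shown with a short round-trip. The following is an added illustration, not Superset's code: `sanitize_chart_name_before`/`sanitize_chart_name_after`, the `_BLOCKED` patterns and `render_text_node` are hypothetical stand-ins for the MCP validation layer, the JSON API and React's text rendering. The blocked-pattern list only mirrors the categories the PR names (script tags, `javascript:` URLs, event handlers); the real Superset patterns are not reproduced.

```python
import html
import json
import re

# Constructed illustration of the two-layer design the PR relies on:
# a validation layer that rejects dangerous markup but stores text verbatim,
# with HTML escaping left to the renderer (React) at output time.

# Hypothetical allow/deny check, modelled on the categories the PR lists.
_BLOCKED = [
    re.compile(r"<\s*script\b", re.IGNORECASE),    # script tags
    re.compile(r"javascript\s*:", re.IGNORECASE),  # javascript: URLs
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),     # inline event handlers
]


def _reject_dangerous(value: str) -> str:
    """Raise on markup the validation layer refuses; otherwise pass through."""
    for pattern in _BLOCKED:
        if pattern.search(value):
            raise ValueError(f"disallowed content in {value!r}")
    return value


def sanitize_chart_name_before(value: str) -> str:
    """Pre-fix behaviour: validate, then HTML-escape before storage."""
    return html.escape(_reject_dangerous(value.strip()))


def sanitize_chart_name_after(value: str) -> str:
    """Post-fix behaviour: validate, store the text exactly as given."""
    return _reject_dangerous(value.strip())


def api_payload(name: str) -> str:
    """What the JSON API hands to the frontend for a stored chart name."""
    return json.dumps({"slice_name": name})


def render_text_node(text: str) -> str:
    """Stand-in for React rendering a string child: it escapes the
    HTML-significant characters exactly once, regardless of what is stored."""
    return html.escape(text, quote=False)


def ui_markup_for(sanitizer, raw_title: str) -> str:
    """Round-trip a title: sanitize -> store/serialize -> render.
    Returns the markup the browser receives."""
    stored = json.loads(api_payload(sanitizer(raw_title)))["slice_name"]
    return render_text_node(stored)


def visible_text(markup: str) -> str:
    """What the user actually sees: the browser decodes entities once."""
    return html.unescape(markup)


if __name__ == "__main__":
    for label, fn in (("before", sanitize_chart_name_before),
                      ("after", sanitize_chart_name_after)):
        print(label, "->", visible_text(ui_markup_for(fn, "A & B")))
```

With the pre-fix sanitizer the stored value is already `A &amp; B`, the renderer escapes it again to `A &amp;amp; B`, and the user sees the literal `A &amp; B`; with the post-fix sanitizer the stored value is `A & B` and only the renderer's single escape applies. The markup-rejection check behaves identically in both variants, which is the point the PR makes: the XSS defence never depended on the storage-side escape.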