aminghadersohi commented on code in PR #38402:
URL: https://github.com/apache/superset/pull/38402#discussion_r2980534847
##########
superset/mcp_service/chart/schemas.py:
##########
@@ -590,6 +590,108 @@ class MixedTimeseriesChartConfig(BaseModel):
filters: List[FilterConfig] | None = None
+class HandlebarsChartConfig(BaseModel):
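Review bot: the visible hunk shows only the `HandlebarsChartConfig(BaseModel)` header, so neither the `max_length` bounds on `handlebars_template` and `style_template` nor the division of responsibility with `HandlebarsRenderer` described in the review comment can be checked from these lines; add a class docstring stating that the schema bounds size only and that escaping of rendered values is the renderer's job, so a later contributor neither assumes the schema sanitizes templates nor adds duplicate content validation here.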
Review Comment:
Handlebars templates are rendered server-side by Superset's existing
HandlebarsRenderer which already applies its own sanitization. The MCP service
only constructs the chart configuration — it does not render templates
directly. The `max_length=50000` constraint on `handlebars_template` and
`max_length=10000` on `style_template` provide size bounds. Additional XSS
validation at the schema level would duplicate the rendering layer's
responsibility and could reject valid Handlebars syntax. The security boundary
is at the rendering layer, not the config schema.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
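As an added example, not code from this PR or from Superset, the two-layer split the review comment describes: a hypothetical config class that enforces only the size bounds and passes the template text through verbatim, and a minimal stand-in renderer where escaping of interpolated values actually happens. The class name `HandlebarsChartConfigExample`, the `render_example` function, the `config_accepts` helper and the `{{x}}` / `{{{x}}}` handling are assumptions that approximate, not reproduce, Superset's HandlebarsRenderer; the 50000 and 10000 limits are the bounds named in the comment.

```python
import html
import re
from dataclasses import dataclass

# Size bounds named in the review comment (assumed to be the schema's only constraint).
MAX_TEMPLATE_LEN = 50_000
MAX_STYLE_LEN = 10_000


@dataclass(frozen=True)
class HandlebarsChartConfigExample:
    """Hypothetical config: enforces length limits only, never rewrites content."""

    handlebars_template: str
    style_template: str = ""

    def __post_init__(self) -> None:
        # The schema's whole contribution to safety is bounding the size of what
        # reaches the renderer; the text itself is stored exactly as supplied.
        if len(self.handlebars_template) > MAX_TEMPLATE_LEN:
            raise ValueError("handlebars_template exceeds max_length")
        if len(self.style_template) > MAX_STYLE_LEN:
            raise ValueError("style_template exceeds max_length")


def config_accepts(template: str, style: str = "") -> bool:
    """True if the hypothetical schema would accept these inputs, else False."""
    try:
        HandlebarsChartConfigExample(template, style)
    except ValueError:
        return False
    return True


# One pass, two alternatives: triple-stache (raw) first so it is not mistaken
# for a double-stache with a stray brace. A single pass also means a value that
# itself contains "{{...}}" is never re-scanned as template syntax.
_EXPR = re.compile(r"\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}")


def render_example(template: str, context: dict) -> str:
    """Minimal stand-in for the render layer, where escaping really lives.

    {{name}}   -> value HTML-escaped (the default, as in Handlebars)
    {{{name}}} -> value inserted raw (explicit opt-out)
    Unknown names render as an empty string.
    """

    def substitute(match: re.Match) -> str:
        raw_name, escaped_name = match.group(1), match.group(2)
        if raw_name is not None:
            return str(context.get(raw_name, ""))
        # html.escape approximates Handlebars' escaping of & < > " '
        return html.escape(str(context.get(escaped_name, "")), quote=True)

    return _EXPR.sub(substitute, template)


def build_and_render(template: str, style: str, context: dict) -> str:
    """Schema check (size only) followed by rendering (escaping)."""
    cfg = HandlebarsChartConfigExample(template, style)
    return render_example(cfg.handlebars_template, context)


if __name__ == "__main__":
    # Constructed sample: markup in the data is escaped, markup in the template is kept.
    print(build_and_render("<b>{{ name }}</b>", "", {"name": 'Acme <"Co">'}))
```

The point the example makes is that rejecting templates containing `<` or `{{{` at the schema would not add safety (the renderer already decides what is escaped) but would break legitimate Handlebars syntax, whereas the length limit is cheap and has no false positives.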