aminghadersohi commented on PR #40343: URL: https://github.com/apache/superset/pull/40343#issuecomment-4566251008
Applied cross-PR feedback from Richard's thorough reviews on #40344 and #40348 — same patterns addressed here where applicable: 1. **LLM context sanitization** (#40344 pattern): Added `_sanitize_css_template_info_for_llm_context()` and `_sanitize_theme_info_for_llm_context()` wrapping all user-controlled string fields in `<UNTRUSTED-CONTENT>` delimiters before they reach the LLM context, matching the pattern used by dashboard and chart tools. Fields sanitized: `template_name`, `css`, `created_by_name`, `changed_by_name` (CSS template); `theme_name`, `json_data` values (theme). 2. **`columns_available` discoverability** (#40348 pattern): Richard flagged cases where `columns_available` advertised columns the serializer couldn't serve. For CSS templates the gap was reversed — `CssTemplateInfo` serves `created_by_name`/`changed_by_name` but they were excluded from `columns_available` via `USER_DIRECTORY_FIELDS`. Fixed by adding `CSS_TEMPLATE_EXTRA_COLUMNS` and relaxing `exclude_columns` in `get_css_template_columns()` for those two fields. Tests updated to assert `<UNTRUSTED-CONTENT>`-wrapped values for sanitized string fields. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
