dosubot[bot] commented on issue #31015: URL: https://github.com/apache/superset/issues/31015#issuecomment-2490609587
I found a similar issue related to HTML rendering in Superset. The issue of improper input validation and sanitization, which can affect how HTML tags are handled, was discussed in [this closed issue](https://github.com/apache/superset/issues/28711). The suggested solution involved implementing a Content Security Policy (CSP) using the Talisman extension to mitigate XSS attacks by specifying valid sources for executable scripts.

In your case, since you are trying to render the `<br>` tag in query results, you have already attempted to extend the HTML sanitization schema to include the `br` tag. However, it seems that the sanitization process might still be stripping it out. Here are a few things you can try:

1. **Verify HTML Sanitization Settings**: Ensure that your `HTML_SANITIZATION_SCHEMA_EXTENSIONS` is correctly configured to allow the `br` tag. It seems you have already done this, but double-checking might help.
2. **Frontend Configuration**: Check if the frontend configuration allows HTML rendering. The `ResultSet` component in Superset's frontend has a property `allowHTML` that controls HTML rendering in query results. This is set based on a local storage key `LocalStorageKeys.SqllabIsRenderHtmlEnabled`, which defaults to `true` <sup>[[1]](https://github.com/apache/superset/blob/master/superset-frontend/src/SqlLab/components/ResultSet/index.tsx)</sup>.
3. **Test HTML Rendering**: You can test if the HTML rendering is working by checking the `ResultSet` component's behavior. If the `allowHTML` flag is set to true, it should render HTML content.
4. **Review HTML Sanitization Tests**: Superset includes tests for HTML sanitization, such as `sanitizeHtml` and `sanitizeHtmlIfNeeded`, which ensure that HTML content is handled safely <sup>[[2]](https://github.com/apache/superset/blob/master/superset-frontend/packages/superset-ui-core/src/utils/html.test.tsx)</sup>. Reviewing these tests might provide insights into how HTML tags are processed.

If these steps do not resolve the issue, it might be worth investigating further into the frontend code to ensure that the `allowHTML` setting is correctly applied and that no other configurations are overriding your settings.

*To continue talking to [Dosu](https://dosu.dev), mention @dosu.*

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
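An added illustration, not Superset's own sanitizer and not code from the thread above: a small allow-list HTML sanitizer built on the Python standard library, used to show what extending a sanitization schema with the `br` tag permits and what a broader extension (for example a wildcard `style` attribute) lets through. The `DEFAULT_SCHEMA` dict, `merge_schema`, the sanitizer class and the sample inputs are all constructed for this example; the only assumption taken from the thread is that the extension dict is additive, with `tagNames` and `attributes` keys as in the `HTML_SANITIZATION_SCHEMA_EXTENSIONS` setting it discusses. The real project sanitizes in the frontend, so this is a model for reasoning about the allow-list, not a drop-in replacement.

```python
"""Allow-list HTML sanitizer (constructed example, not Superset's code)."""
from html import escape
from html.parser import HTMLParser

# Elements whose content is dropped entirely rather than unwrapped.
DROP_CONTENT_TAGS = {"script", "style"}
# Void elements never get a closing tag.
VOID_TAGS = {"br", "hr", "img"}

# Constructed default schema: allowed element names and, per tag, allowed attributes.
DEFAULT_SCHEMA = {
    "tagNames": ["a", "b", "i", "em", "strong", "p"],
    "attributes": {"a": ["href"]},
}


def merge_schema(base, extensions):
    """Additively merge an extension dict ({"tagNames": [...], "attributes": {...}})
    into a base schema and return the merged copy (assumed extension semantics)."""
    merged = {
        "tagNames": list(base.get("tagNames", [])),
        "attributes": {k: list(v) for k, v in base.get("attributes", {}).items()},
    }
    for tag in extensions.get("tagNames", []):
        if tag not in merged["tagNames"]:
            merged["tagNames"].append(tag)
    for tag, attrs in extensions.get("attributes", {}).items():
        bucket = merged["attributes"].setdefault(tag, [])
        for name in attrs:
            if name not in bucket:
                bucket.append(name)
    return merged


class AllowListSanitizer(HTMLParser):
    """Rebuilds the document keeping only schema-listed tags and attributes."""

    def __init__(self, schema):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = set(schema["tagNames"])
        self.allowed_attrs = {k: set(v) for k, v in schema["attributes"].items()}
        self.out = []
        self.dropping = False  # inside <script>/<style>: discard everything

    def _attr_allowed(self, tag, name, value):
        if name.startswith("on"):
            return False  # inline event handlers are never allowed
        allowed = self.allowed_attrs.get(tag, set()) | self.allowed_attrs.get("*", set())
        if name not in allowed:
            return False
        if name in ("href", "src") and value and ":" in value:
            # Only http(s)/mailto URL schemes may pass; blocks javascript: URLs.
            scheme = value.strip().lower().split(":", 1)[0]
            if scheme not in ("http", "https", "mailto"):
                return False
        return True

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.dropping = True
            return
        if tag not in self.allowed_tags:
            return  # unwrap: drop the tag, keep its text content
        kept = [(n, v) for n, v in attrs if self._attr_allowed(tag, n, v)]
        attr_str = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_CONTENT_TAGS:
                self.dropping = False
            return
        if tag in self.allowed_tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_html(html, schema):
    """Return `html` with only the tags/attributes permitted by `schema`."""
    parser = AllowListSanitizer(schema)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    extended = merge_schema(DEFAULT_SCHEMA, {"tagNames": ["br"]})
    # Constructed sample cell values, as a query result might contain them.
    print(sanitize_html("line1<br>line2", DEFAULT_SCHEMA))   # br stripped
    print(sanitize_html("line1<br>line2", extended))         # br kept
    print(sanitize_html('<img src=x onerror="alert(1)">x', extended))
    print(sanitize_html('<a href="javascript:alert(1)" onclick="x()">link</a>', extended))
```

Adding `br` alone is the cheap case: it is a void element with no attributes, so allowing it enlarges the allow-list without creating an injection point. A wildcard attribute extension such as `{"attributes": {"*": ["style"]}}` is a different decision, because it lets arbitrary inline CSS through on every allowed element; when the `<br>` still vanishes after the extension is in place, the frontend `allowHTML` path mentioned above is the next thing to check, since a schema change cannot help if HTML rendering is disabled before sanitization runs.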
