dosubot[bot] commented on issue #33865: URL: https://github.com/apache/superset/issues/33865#issuecomment-2996537545
Hi @julianpark90! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

The regression is caused by the stricter frontend XSS filter introduced in PR #33765, which now sanitizes tooltip HTML and strips inline styles and whitespace—especially for table elements like `<td>` and `<tr>`. This filter is configured in `superset-frontend/packages/superset-ui-core/src/utils/html.tsx` and is global and hardcoded; there’s no user-facing or runtime way to adjust it.

To restore tooltip formatting, you would need to modify the whitelist in that file to explicitly allow the `style` attribute on the relevant tags (for example, add `'style'` to `<td>`, `<tr>`, and `<table>` in the whitelist), and consider setting `css: true` if you want to permit inline CSS. Be aware that relaxing these restrictions can increase XSS risk, so only allow the minimum necessary styles and test thoroughly for security.

Backend settings like `HTML_SANITIZATION_SCHEMA_EXTENSIONS` in `config.py` do not affect frontend tooltips. There’s currently no official documentation or support thread addressing this regression or providing a workaround, so any fix will require a code change in the frontend sanitizer logic.

[Reference: html.tsx XSS filter implementation](https://github.com/apache/superset/blob/8dd39502f6621045b328cbad5f18fd9b9211e2e1/superset-frontend/packages/superset-ui-core/src/utils/html.tsx)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
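
The comment's advice to allow only the minimum necessary styles, as an added example (not Superset's code and not the `xss` library's API): a stand-alone allowlist filter for `style` values on the three tags the comment names. The property list, the value grammar and the function names are assumptions made for illustration.

```javascript
// Added example: a fail-closed policy for inline styles on tooltip table tags.
// Not taken from html.tsx; names and allowlists here are hypothetical.
const STYLE_TAGS = new Set(['table', 'tr', 'td']); // tags named in the comment
const ALLOWED_PROPS = new Set([
  'text-align', 'font-weight', 'padding', 'color', 'white-space',
]);
// rgb()/rgba() with numeric arguments is the only function call accepted.
const RGB_CALL = /\brgba?\(\s*[0-9.,% ]+\)/gi;
// Keywords, numbers, units and hex colours; no quotes, colons, slashes,
// backslashes or parentheses, so url(), expression() and escapes are rejected.
const PLAIN_VALUE = /^[a-z0-9 #.,%-]+$/i;

function isSafeValue(value) {
  // Collapse each accepted rgb() call to a bare token, then require that
  // nothing outside the plain grammar remains.
  return PLAIN_VALUE.test(value.replace(RGB_CALL, 'rgb'));
}

function filterStyle(style) {
  const kept = [];
  for (const decl of String(style).split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue; // not a "property: value" declaration
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop) || !isSafeValue(value)) continue;
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Returns the style text to keep, or '' when the tag may not carry a style.
function sanitizeStyleAttr(tag, style) {
  if (!STYLE_TAGS.has(String(tag).toLowerCase())) return '';
  return filterStyle(style);
}

// Constructed sample input: one layout declaration, one that loads a URL.
console.log(sanitizeStyleAttr('td',
  'text-align: right; background: url(https://example.invalid/x.png)'));
```

Anything the filter does not recognise is dropped rather than repaired, so a declaration that the naive `;` split cuts in half is discarded along with its fragments.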
