
Cleaning html tags from text #4842

Merged
merged 1 commit into from
Apr 23, 2018

Conversation

michellethomas
Contributor

There are a few cases where we are using d3.html() which intentionally doesn't escape html. In these cases if a user has data with html tags we are not escaping it so some js can be executed. For example if a group by column in a table has an html tag with an onerror, the onerror will get executed in the browser when the table renders.

Initially I tried to do this in some central place so that we didn't have to go into individual files in /visualizations but when looking into it more, it seems to happen when we are using d3.html(). Let me know if there's a better way to do this. I may have missed a few cases, mainly trying to quickly get a fix out for the most used visualizations.

@mistercrunch @graceguo-supercat
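The pattern the PR describes, as an added example that is not Superset's own code: a cell value is escaped before it reaches an HTML-interpreting sink such as d3's `selection.html()`. The helper names (`escapeHtml`, `renderCell`, `isNeutralised`) and the sample cell value are assumptions made for this illustration; the PR itself does not show its implementation here.

```javascript
// Added example (not from the Superset code base): neutralise markup in
// user-supplied data before it is inserted with an HTML-interpreting call.

// The five characters that can open a tag, close an attribute value, or start
// an entity. Escaping them is enough to keep a string inert inside element
// content and inside quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Cell values may be numbers or null; stringify so one helper serves every
  // column uniformly. A single-pass replace avoids double-escaping '&'.
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for a d3 selection: .html() stores markup verbatim, exactly the
// sink the PR is about. Only the recorded string is inspected here.
class MarkupSink {
  constructor() { this.innerHTML = ''; }
  html(markup) { this.innerHTML = markup; return this; }
}

// Vulnerable shape: raw data passed straight to .html().
function renderCellUnsafe(sink, value) {
  return sink.html(value).innerHTML;
}

// Hardened shape: escape first, so the value is displayed literally. Using
// selection.text(value) instead of .html() reaches the same result via the DOM.
function renderCell(sink, value) {
  return sink.html(escapeHtml(value)).innerHTML;
}

// Check a practitioner can run over rendered output: no tag opener survives.
function isNeutralised(markup) {
  return !/<[a-zA-Z/!?]/.test(markup);
}

// Constructed sample: a group-by label that happens to contain markup.
const SAMPLE_CELL = '<b>West</b> & "Region"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderCellUnsafe(new MarkupSink(), SAMPLE_CELL));
  console.log('escaped:', renderCell(new MarkupSink(), SAMPLE_CELL));
}
```

Escaping rather than stripping keeps the original data visible to the user (a label containing a literal `<` still displays it) while removing any way for it to be parsed as an element or attribute; stripping with a regex is both lossy and harder to get right.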

@codecov-io

codecov-io commented Apr 18, 2018

Codecov Report

Merging #4842 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #4842   +/-   ##
=======================================
  Coverage   76.96%   76.96%           
=======================================
  Files          44       44           
  Lines        8534     8534           
=======================================
  Hits         6568     6568           
  Misses       1966     1966


Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e88b0b6...136580a. Read the comment docs.

@mistercrunch
Member

LGTM

@mistercrunch mistercrunch merged commit 370d8a2 into apache:master Apr 23, 2018
@michellethomas michellethomas deleted the scrub_html_data branch April 24, 2018 18:41
michellethomas added a commit to michellethomas/panoramix that referenced this pull request May 24, 2018
timifasubaa pushed a commit to timifasubaa/incubator-superset that referenced this pull request May 31, 2018
wenchma pushed a commit to wenchma/incubator-superset that referenced this pull request Nov 16, 2018
@mistercrunch mistercrunch added the labels 🏷️ bot and 🚢 0.25.0 on Feb 27, 2024