From a842a9b23f31af5dff6ac95fa70777d5a351785b Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin
Date: Wed, 7 Feb 2018 09:47:16 -0800
Subject: [PATCH] Remove dangerouslySetInnerHTML in StackTraceMessage component

Druid sometimes returns error message that are contained in "<>", as in ``. Since Superset's approach is often to bubble up messages coming from external library, it's impossible to predict whether it will contain special characters. There are some cases where our error handling does return some html (presto?), but we should manage that upstream. Plus the current setup has security concerns, so let's move away from that.
---
.../assets/javascripts/components/StackTraceMessage.jsx | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/superset/assets/javascripts/components/StackTraceMessage.jsx b/superset/assets/javascripts/components/StackTraceMessage.jsx
index a950c39c1730e..ee190b7c5c5f0 100644
--- a/superset/assets/javascripts/components/StackTraceMessage.jsx
+++ b/superset/assets/javascripts/components/StackTraceMessage.jsx
@@ -26,20 +26,13 @@ class StackTraceMessage extends React.PureComponent {
 }
 render() {
- const msg = (
-
-

-

); - return (
this.setState({ showStackTrace: !this.state.showStackTrace })} >
- {msg}
+ {this.props.message}
 {this.hasTrace() &&