martyngigg commented on code in PR #30134:
URL: https://github.com/apache/superset/pull/30134#discussion_r1930224223


##########
superset-frontend/src/utils/getBootstrapData.ts:
##########
@@ -25,3 +26,17 @@ export default function getBootstrapData(): BootstrapData {
   const dataBootstrap = appContainer?.getAttribute('data-bootstrap');
   return dataBootstrap ? JSON.parse(dataBootstrap) : DEFAULT_BOOTSTRAP_DATA;
 }
+
+// eslint-disable-next-line import/no-mutable-exports
+const APPLICATION_ROOT_NO_TRAILING_SLASH =
+  getBootstrapData().common.application_root.replace(/\/$/, '');
+
+/**
+ * @param dom_sanitize If true, run the application root through dompurify 
before returning
+ * @returns The configured application root
+ */
+export function applicationRoot(dom_sanitize = false): string {
+  return dom_sanitize
+    ? DOMPurify.sanitize(APPLICATION_ROOT_NO_TRAILING_SLASH)
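Review bot: `DOMPurify.sanitize` at the end of this hunk is an HTML sanitizer, so passing `APPLICATION_ROOT_NO_TRAILING_SLASH` through it does not validate the value as a URL path prefix: a string with no markup in it, such as `//host/path` or `javascript:...`, comes back unchanged, while a legitimate root is only ever a plain `/`-rooted path. Because `dom_sanitize` also defaults to `false`, every caller that does not opt in receives the raw `application_root` from the `data-bootstrap` attribute. Consider validating the value once where `APPLICATION_ROOT_NO_TRAILING_SLASH` is built (require a leading `/`, reject a scheme or a leading `//`, reject `.`/`..` segments) and dropping the flag so `applicationRoot()` has one behaviour. Two smaller points: `.replace(/\/$/, '')` removes only one trailing slash, so `/superset//` becomes `/superset/`; and the `eslint-disable-next-line import/no-mutable-exports` directive sits above a non-exported `const`, where it suppresses nothing. Note as well that `getBootstrapData()` now runs at module load, so importing this file reads the DOM as a side effect.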

Review Comment:
   Looking at the changed files in #31996 it seems like there are existing check annotations mentioning the same security warning in several other places, e.g. [GenericLink](https://github.com/apache/superset/pull/31996/files#diff-652975a3a5f9c68f1ba3fd9ee7a49068a35f124dd52ef33d34c8c0d7498c01b8).
   
   Would it be worth simplifying the code here to remove the sanitization and having those issues addressed elsewhere?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


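Added example, not Superset's own code and not part of this review thread: the value under discussion is a URL path prefix, so an HTML sanitizer is the wrong check for it. The TypeScript below shows what a path-prefix validator for `application_root` could look like instead of the `DOMPurify.sanitize` call in the hunk. `normalizeApplicationRoot`, `isValidApplicationRoot`, `buildAppUrl` and the constructed inputs are hypothetical names and values chosen for illustration.

```typescript
// Added example, not Superset's own code. Function and constant names are hypothetical.
// The bootstrap `application_root` is a URL path prefix, so it is validated
// as a path here rather than run through an HTML sanitizer.

/** Control characters, HTML/attribute delimiters and backslash: never valid in a path prefix. */
const FORBIDDEN_CHARS = /[\u0000-\u001f\u007f<>"'`\\]/;

/** Anything that starts with a URL scheme (https:, javascript:, ...) is not a path. */
const SCHEME_PREFIX = /^[a-z][a-z0-9+.-]*:/i;

/** Percent-decode one segment so %2e%2e and %2F cannot hide a dot segment or a slash. */
function decodeSegment(segment: string): string {
  try {
    return decodeURIComponent(segment);
  } catch {
    throw new Error(`application_root segment is not valid percent-encoding: ${segment}`);
  }
}

/**
 * Normalise a configured application root to "" (app served at /) or
 * "/seg/seg" with no trailing slash. Throws if the value is not a plain,
 * absolute, dot-segment-free path on this origin.
 */
function normalizeApplicationRoot(raw: unknown): string {
  if (typeof raw !== 'string') {
    throw new Error('application_root must be a string');
  }
  const value = raw.trim();
  if (value === '' || value === '/') {
    return '';
  }
  if (FORBIDDEN_CHARS.test(value)) {
    throw new Error('application_root contains forbidden characters');
  }
  if (SCHEME_PREFIX.test(value)) {
    throw new Error('application_root must not carry a URL scheme');
  }
  // "//host/..." is a protocol-relative URL, not a path on this origin.
  if (!value.startsWith('/') || value.startsWith('//')) {
    throw new Error('application_root must be an absolute path on this origin');
  }
  const segments = value.split('/').slice(1); // drop the empty segment before the leading "/"
  // Strip every trailing slash, not just one.
  while (segments.length > 0 && segments[segments.length - 1] === '') {
    segments.pop();
  }
  const checked: string[] = [];
  for (const segment of segments) {
    const decoded = decodeSegment(segment);
    if (decoded === '' || decoded === '.' || decoded === '..') {
      throw new Error(`application_root contains an empty or dot segment: ${segment}`);
    }
    if (decoded.includes('/') || /[?#]/.test(decoded) || FORBIDDEN_CHARS.test(decoded)) {
      throw new Error(`application_root segment contains a delimiter: ${segment}`);
    }
    checked.push(segment);
  }
  return checked.length === 0 ? '' : `/${checked.join('/')}`;
}

/** Boolean form for callers that prefer to check rather than catch. */
function isValidApplicationRoot(raw: unknown): boolean {
  try {
    normalizeApplicationRoot(raw);
    return true;
  } catch {
    return false;
  }
}

/** Join a validated root with an app-relative path, never producing "//". */
function buildAppUrl(root: string, path: string): string {
  const prefix = normalizeApplicationRoot(root);
  const suffix = path.startsWith('/') ? path : `/${path}`;
  return `${prefix}${suffix}`;
}
```

Validating once at the point where the constant is built, and throwing on anything that is not a plain absolute path, gives every caller the same guarantee without an opt-in flag; the boolean wrapper is there for call sites that would rather fall back to a default root than fail at load time.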
---------------------------------------------------------------------
For additional commands, e-mail: [email protected]