From maximebeauche...@apache.org
Subject [incubator-superset] branch master updated: Safely passing data to d3.html (#4842)
Date Mon, 23 Apr 2018 04:00:39 GMT
This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 370d8a2  Safely passing data to d3.html (#4842)
370d8a2 is described below

commit 370d8a2bbe9c57a869bd4fc9726402fddb3cdb54
Author: michellethomas <michelle.q.thomas@gmail.com>
AuthorDate: Sun Apr 22 21:00:37 2018 -0700

    Safely passing data to d3.html (#4842)
---
 superset/assets/src/visualizations/big_number.js | 3 ++-
 superset/assets/src/visualizations/nvd3_vis.js   | 3 ++-
 superset/assets/src/visualizations/table.js      | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/superset/assets/src/visualizations/big_number.js b/superset/assets/src/visualizations/big_number.js
index a45c1aa..54d87fa 100644
--- a/superset/assets/src/visualizations/big_number.js
+++ b/superset/assets/src/visualizations/big_number.js
@@ -1,5 +1,6 @@
 import d3 from 'd3';
 import d3tip from 'd3-tip';
+import dompurify from 'dompurify';
 import { d3FormatPreset, d3TimeFormatPreset } from '../modules/utils';
 
 import './big_number.css';
@@ -153,7 +154,7 @@ function bigNumberVis(slice, payload) {
 
     const renderTooltip = (d) => {
       const date = formatDate(d[0]);
-      const value = f(d[1]);
+      const value = dompurify.sanitize(f(d[1]));
       return `
         <div>
           <span style="margin-right: 10px;">${date}: </span>
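Review bot: The `date` value is still interpolated raw into the tooltip markup on the `<span style="margin-right: 10px;">${date}: </span>` line, while only `value` one line above it is passed through dompurify.sanitize; both are formatter outputs over the same data point, so if one needs sanitizing the other does too — `const date = dompurify.sanitize(formatDate(d[0]));`. How much exposure this is depends on what formatDate and f can return, which is not visible in the hunk. The renderTooltip arrow function and its template literal continue past the end of the hunk.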
diff --git a/superset/assets/src/visualizations/nvd3_vis.js b/superset/assets/src/visualizations/nvd3_vis.js
index 4a3faba..6a115f0 100644
--- a/superset/assets/src/visualizations/nvd3_vis.js
+++ b/superset/assets/src/visualizations/nvd3_vis.js
@@ -7,6 +7,7 @@ import 'nvd3/build/nv.d3.min.css';
 import mathjs from 'mathjs';
 import moment from 'moment';
 import d3tip from 'd3-tip';
+import dompurify from 'dompurify';
 
 import { getColorFromScheme } from '../modules/colors';
 import AnnotationTypes, {
@@ -448,7 +449,7 @@ export default function nvd3Vis(slice, payload) {
                     `style="border: 2px solid ${series.highlight ? 'black' : 'transparent'};
background-color: ${series.color};"` +
                   '></div>' +
                 '</td>' +
-                `<td>${series.key}</td>` +
+                `<td>${dompurify.sanitize(series.key)}</td>` +
                 `<td>${yAxisFormatter(series.value)}</td>` +
               '</tr>'
             );
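Review bot: `series.color` is interpolated unescaped into the `style="border: ...; background-color: ${series.color};"` attribute a few lines above the sanitized `series.key`, and `yAxisFormatter(series.value)` on the line after it is interpolated raw as well; dompurify.sanitize cleans an HTML fragment, so it would not be the right tool for the attribute value anyway. If series.color can be derived from row data rather than only from the color scheme, validate it against a strict color pattern or escape quotes before interpolating; if it is always produced by getColorFromScheme (imported above), a comment making that explicit would turn the omission into a documented decision, e.g. `// series.color comes from the color scheme, not from row data, so it is not sanitized here`. nvd3Vis's body continues outside the hunk on both sides.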
diff --git a/superset/assets/src/visualizations/table.js b/superset/assets/src/visualizations/table.js
index c340f69..6b8deec 100644
--- a/superset/assets/src/visualizations/table.js
+++ b/superset/assets/src/visualizations/table.js
@@ -1,6 +1,7 @@
 import d3 from 'd3';
 import dt from 'datatables.net-bs';
 import 'datatables.net-bs/css/dataTables.bootstrap.css';
+import dompurify from 'dompurify';
 
 import { fixDataTableBodyHeight, d3TimeFormatPreset } from '../modules/utils';
 import './table.css';
@@ -87,7 +88,7 @@ function tableVis(slice, payload) {
         html = tsFormatter(val);
       }
       if (typeof (val) === 'string') {
-        html = `<span class="like-pre">${val}</span>`;
+        html = `<span class="like-pre">${dompurify.sanitize(val)}</span>`;
       }
       if (isMetric) {
         html = slice.d3format(c, val);
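Review bot: The sanitized assignment for string values is overwritten a few lines later by `html = slice.d3format(c, val);` when isMetric is true, and the `html = tsFormatter(val);` branch at the top of the hunk is likewise assigned unsanitized, so only the plain-string path is protected; if those formatter outputs can carry data-derived text they deserve the same treatment. Separately, dompurify.sanitize keeps benign markup, so a cell value containing tags now renders as HTML rather than being shown literally; if the intent of the `like-pre` span is to show the value as text, HTML-escaping it would match that intent more closely than sanitizing. The enclosing tableVis function continues outside the hunk.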

