DO NOT MERGE: test 4.1 release #29693
Draft
+365,152
−458,619
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…/superset-frontend (#28816) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…t to RTL syntax (#29380) Signed-off-by: hainenber <[email protected]> Co-authored-by: Michael S. Molina <[email protected]>
Signed-off-by: hainenber <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
#29433) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… 3.6.1 in /superset-frontend (#29435) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocket (#29423) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ntend (#29439) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cs (#29428) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…17.6 in /superset-frontend/plugins/plugin-chart-handlebars (#29425) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Evan Rusackas <[email protected]>
…/plugins/legacy-preset-chart-deckgl (#29426) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
/testenv up |
|
@sadpandajoe Ephemeral environment spinning up at http://54.184.232.53:8080. Credentials are |
(cherry picked from commit c22dfa1)
(cherry picked from commit c3702be)
…ift (#29725) Signed-off-by: hainenber <[email protected]> (cherry picked from commit 8891f04)
(cherry picked from commit 2bce20f)
(cherry picked from commit 0d62bb2)
(cherry picked from commit 27c08d0)
(cherry picked from commit 819597f)
(cherry picked from commit 6bc8567)
(cherry picked from commit d877d46)
(cherry picked from commit 052b38b)
(cherry picked from commit 0e165c1)
(cherry picked from commit ac3a10d)
) (cherry picked from commit 5820d31)
(cherry picked from commit 4d5f70c)
(cherry picked from commit 73768f6)
(cherry picked from commit de8282c)
Co-authored-by: Evan Rusackas <[email protected]> (cherry picked from commit df47994)
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| <img src={brand.icon} alt={brand.alt} /> | ||
| </GenericLink> | ||
| ) : ( | ||
| <a className="navbar-brand" href={brand.path}> | ||
| <a className="navbar-brand" href={brand.path} tabIndex={-1}> |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we need to ensure that the brand.path value is properly sanitized before being used in the href attribute. This can be achieved by using a library like DOMPurify to sanitize the URL. This will prevent any malicious content from being executed as part of the URL.
- Install the
DOMPurifylibrary. - Import
DOMPurifyin theMenu.tsxfile. - Sanitize the
brand.pathvalue before using it in thehrefattribute.
Suggested changeset
2
superset-frontend/src/features/home/Menu.tsx
| @@ -19,2 +19,3 @@ | ||
| import { useState, useEffect } from 'react'; | ||
| import DOMPurify from 'dompurify'; | ||
| import { styled, css, useTheme, SupersetTheme } from '@superset-ui/core'; | ||
| @@ -318,3 +319,3 @@ | ||
| ) : ( | ||
| <a className="navbar-brand" href={brand.path} tabIndex={-1}> | ||
| <a className="navbar-brand" href={DOMPurify.sanitize(brand.path)} tabIndex={-1}> | ||
| <img src={brand.icon} alt={brand.alt} /> |
superset-frontend/package.json
Outside changed files
| @@ -207,3 +207,4 @@ | ||
| "use-query-params": "^1.1.9", | ||
| "yargs": "^17.7.2" | ||
| "yargs": "^17.7.2", | ||
| "dompurify": "^3.2.1" | ||
| }, |
This fix introduces these dependencies
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.1 | None |
Copilot is powered by AI and may make mistakes. Always verify output.
(cherry picked from commit f4c36a6)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION