Merge pull request apache#43 from michellethomas/cherrypick_clean_htm…

…l_data Safely passing data to d3.html
michellethomas · May 9, 2018 · 75d57a3 · 75d57a3
2 parents 3b233fb + d05842f
commit 75d57a3
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/superset/assets/visualizations/big_number.js b/superset/assets/visualizations/big_number.js
@@ -1,5 +1,6 @@
 import d3 from 'd3';
 import d3tip from 'd3-tip';
+import dompurify from 'dompurify';
 import { d3FormatPreset, d3TimeFormatPreset } from '../javascripts/modules/utils';
 
 import './big_number.css';
@@ -153,7 +154,7 @@ function bigNumberVis(slice, payload) {
 
     const renderTooltip = (d) => {
       const date = formatDate(d[0]);
-      const value = f(d[1]);
+      const value = dompurify.sanitize(f(d[1]));
       return `
         <div>
           <span style="margin-right: 10px;">${date}: </span>

diff --git a/superset/assets/visualizations/nvd3_vis.js b/superset/assets/visualizations/nvd3_vis.js
@@ -6,6 +6,7 @@ import nv from 'nvd3';
 import mathjs from 'mathjs';
 import moment from 'moment';
 import d3tip from 'd3-tip';
+import dompurify from 'dompurify';
 
 import { getColorFromScheme } from '../javascripts/modules/colors';
 import AnnotationTypes, {
@@ -420,7 +421,7 @@ function nvd3Vis(slice, payload) {
                     `style="border: 2px solid ${series.highlight ? 'black' : 'transparent'}; background-color: ${series.color};"` +
                   '></div>' +
                 '</td>' +
-                `<td>${series.key}</td>` +
+                `<td>${dompurify.sanitize(series.key)}</td>` +
                 `<td>${yAxisFormatter(series.value)}</td>` +
               '</tr>'
             );

diff --git a/superset/assets/visualizations/table.js b/superset/assets/visualizations/table.js
@@ -1,6 +1,7 @@
 import d3 from 'd3';
 import dt from 'datatables.net-bs';
 import 'datatables.net-bs/css/dataTables.bootstrap.css';
+import dompurify from 'dompurify';
 
 import { fixDataTableBodyHeight, d3TimeFormatPreset } from '../javascripts/modules/utils';
 import './table.css';
@@ -81,7 +82,7 @@ function tableVis(slice, payload) {
         html = tsFormatter(val);
       }
       if (typeof (val) === 'string') {
-        html = `<span class="like-pre">${val}</span>`;
+        html = `<span class="like-pre">${dompurify.sanitize(val)}</span>`;
       }
       if (isMetric) {
         html = slice.d3format(c, val);