fix(dashboard): Prevent XSS attack vector (#21822)

Co-authored-by: Herbert Gainor <herbert.gainor@preset.io>
2022-10-19 06:54:20 -06:00 · 2022-10-19 06:54:20 -06:00 · ec20c0104e
parent 7c4102c20e
commit ec20c0104e
1 changed files with 1 additions and 1 deletions
--- a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
@ -30,7 +30,7 @@ interface SafeMarkdownProps {

 function isSafeMarkup(node: MarkdownAbstractSyntaxTree) {
  return node.type === 'html' && node.value
-    ? /href="(javascript|vbscript|file):.*"/gim.test(node.value) === false
+    ? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value)
    : true;
 }