Replies: 2 comments 1 reply
- This is still the case. The feature allows a user to input arbitrary JavaScript, which has numerous security implications. There's a bit of JS sandboxing going on, but IIRC the documentation for the sandboxing packages/methodology also says it can't quite be trusted.
- I'm interested in enabling the feature `ENABLE_JAVASCRIPT_CONTROLS` to use custom tooltips like this. But there's a comment above that flag's line in `config.py`, "This exposes an XSS security vulnerability." Is that still the case? I see that the original warning was written in Feb 2018 and Superset's version of the xss package was recently updated to address security concerns. I'd like to know if anything has changed since the 2018 warning - it's an area I know little about.
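The reply in this thread says the JS sandboxing "can't quite be trusted", and the question asks whether arbitrary JavaScript for tooltips is still an XSS risk. The following is an added example, not Superset's code and not a description of how Superset's sandbox is built: it uses a hypothetical `naiveSandbox` that merely shadows dangerous globals (the common shortcut) to show why shadowing does not contain user code, and then a hypothetical `renderTooltip` that gets the custom-tooltip use case from a placeholder template with HTML escaping instead of evaluating any user code. The sample row is constructed.

```javascript
// Added illustration, not Superset's code: a "sandbox" that only shadows
// globals does not contain arbitrary user JavaScript, and a template-based
// tooltip avoids evaluating user code in the first place.

// 1. A naive sandbox (hypothetical design, for illustration only). The user's
//    expression becomes the body of a function whose parameters shadow the
//    dangerous globals, so inside the user code `window`, `globalThis`,
//    `process`, `require` and even `Function` all read as undefined.
const SHADOWED_GLOBALS = ['globalThis', 'window', 'self', 'process', 'require', 'Function'];

function naiveSandbox(userCode, scope = {}) {
  const scopeNames = Object.keys(scope); // assumed to be valid JS identifiers
  const fn = new Function(
    ...scopeNames,
    ...SHADOWED_GLOBALS,
    `"use strict"; return (${userCode});`,
  );
  return fn(...scopeNames.map((n) => scope[n]), ...SHADOWED_GLOBALS.map(() => undefined));
}

// Benign use: the kind of one-line expression a custom tooltip would need.
function benignUse() {
  return naiveSandbox('d.count * 2', { d: { count: 21 } }); // 42
}

// Direct access to the real globals really is blocked by the shadowing ...
function directAccessBlocked() {
  return naiveSandbox('[typeof globalThis, typeof process, typeof Function]');
}

// ... but any object literal reaches the real Function constructor through its
// prototype chain, and a function built that way runs in the true global scope.
// No dangerous identifier appears in the payload, so a name blocklist cannot
// catch it. This is the standard escape against scope-shadowing sandboxes.
const SANDBOX_ESCAPE = "({}).constructor.constructor('return globalThis')()";

function sandboxEscapes() {
  const leaked = naiveSandbox(SANDBOX_ESCAPE);
  return leaked === globalThis; // true: "sandboxed" code now holds the real global object
}

// 2. What a tooltip feature can offer instead of arbitrary JS (hypothetical
//    alternative): a placeholder template. Only named row fields are
//    substituted and every value is HTML-escaped, so neither the template
//    author nor a hostile data value can inject markup or script.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTooltip(template, row) {
  return template.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_, field) =>
    (Object.prototype.hasOwnProperty.call(row, field) ? escapeHtml(row[field]) : ''));
}

// Constructed sample row carrying a hostile value in the data.
const SAMPLE_ROW = { region: '<img src=x onerror=alert(1)>', count: 3 };
const TOOLTIP = renderTooltip('<b>{{region}}</b>: {{count}} rows', SAMPLE_ROW);

console.log('benign expression:', benignUse());
console.log('direct global access:', directAccessBlocked());
console.log('sandbox escaped:', sandboxEscapes());
console.log('templated tooltip:', TOOLTIP);
```

The point of the first half is that once user-supplied JavaScript is evaluated at all, the language's own reflection (`constructor.constructor`, and in non-strict code `this`) gives it a path back to the real global object, which in a browser means the full DOM and the user's session; that is why a shadowing or blocklisting sandbox is not a security boundary and why a flag like this is documented as an XSS exposure. The second half shows that a tooltip feature usually needs field substitution, not code, and a template with escaping gives that without widening the trust boundary.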