Fix so that ALLOW_SCRIPTS applies to text widgets #2438
Conversation
…PTS_IN_USER_INPUT` is set to True, trust the text as html
|
Thanks! But your change disabled Markdown rendering, so that's not optimal either. |
|
Noted, I'll put together a bigger fix that handles both scenarios |
|
👍 thanks! The issue was created by switching to another (more maintained/secure) markdown rendering library (named |
|
There are a couple issues on preserving HTML in the markdown issue queue: evilstreak/markdown-js#295 Both of those issues suggest the project is not maintained, and the previous maintainer seems to confirm that in evilstreak/markdown-js#266 |
|
Thanks for the info @sreynen. I don't mind replacing the lib, given the new one is of similar size. |
|
Hi, (This is a template message, but I mean every word of it. Also you're welcome to reply) Thank you for making this contribution. While we couldn't bring it to completion and merge, it's still very much appreciated. 🙇 In the past year the Redash code base gone under massive updates: on the backend we moved to Python 3 & RQ instead of Celery and on the frontend we replaced Angular with React. It's very likely this makes this PR irrelevant without significant changes. :-( I'm closing this PR now. But if you're still interested in making it happen, let me know and I will reopen. Thanks. |
When the env setting
REDASH_ALLOW_SCRIPTS_IN_USER_INPUTorALLOW_SCRIPTS_IN_USER_INPUTis set to True the text widgets take escaped HTML and "trust" it versus "trusting" the original text value.This negates the actual purpose of the env setting of allowing the user to put <script> tags or other valid html tags in the text block