From 09772eeda0af4fefbbf8fcca2e77dcf800d43830 Mon Sep 17 00:00:00 2001
From: Quentin Leroy
Date: Wed, 15 Oct 2025 19:03:51 +0000
Subject: [PATCH] fix(config.py): reset HTML_SANITIZATION to True by default (#35603)
---
 superset/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/superset/config.py b/superset/config.py
index 17075974055..a36d1699f8b 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -972,7 +972,7 @@ CORS_OPTIONS: dict[Any, Any] = {
 # Disabling this option is not recommended for security reasons. If you wish to allow
 # valid safe elements that are not included in the default sanitization schema, use the
 # HTML_SANITIZATION_SCHEMA_EXTENSIONS configuration.
-HTML_SANITIZATION = False
+HTML_SANITIZATION = True
 
 # Use this configuration to extend the HTML sanitization schema.
 # By default we use the GitHub schema defined in
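Review bot: Nothing at `HTML_SANITIZATION = True` guards against the default being flipped back, and the word "reset" in the title suggests the earlier `False` was not a deliberate choice. A comment directly above the assignment, such as `# Security default: keep True; extend HTML_SANITIZATION_SCHEMA_EXTENSIONS instead of disabling.`, together with a small test asserting the shipped default, would make a later regression obvious in review. Deployments that ran while the default was `False` may hold content that relied on unsanitized rendering and will now be filtered, so an upgrade note pointing operators to the extensions setting would help; this is inferred, not visible in the hunk. The comment block that documents the setting begins outside the hunk.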