* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
Python's yaml.load can lead to code execution via crafted yaml files such as:
```
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```
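As an added example (this is not Superset's code), the following shows why the switch matters: the same `!!python/object/apply:` tag that `yaml.load` with a permissive loader turns into a function call is rejected outright by `yaml.safe_load`. It assumes PyYAML (5.1 or later, for `UnsafeLoader`) is installed; the two documents are constructed here, and the harmless `os.getcwd` probe stands in for the `subprocess.check_output` payload so the demonstration runs without side effects.

```python
"""Added example (not Superset's code): yaml.load vs yaml.safe_load on a
python/object/apply tag. Assumes PyYAML >= 5.1 is installed."""
import os

import yaml
from yaml.constructor import ConstructorError

# Constructed payload of the same shape as the one in the changelog entry.
MALICIOUS_DOC = "code_exec: !!python/object/apply:subprocess.check_output ['ls']\n"

# Same tag, harmless target: shows that the unsafe loader really calls
# whatever Python callable the document names, at parse time.
PROBE_DOC = "probe: !!python/object/apply:os.getcwd []\n"


def load_unsafely(text):
    """The pre-fix behaviour: a loader that honours python/* tags."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_safely(text):
    """The post-fix behaviour: safe_load only knows the core YAML tags.

    Returns ("ok", data) for a clean document or ("rejected", reason) when
    the document carries a tag the safe constructor refuses to resolve.
    """
    try:
        return "ok", yaml.safe_load(text)
    except ConstructorError as exc:
        return "rejected", str(exc.problem)


def demo():
    # With the unsafe loader the tag resolves to a function call during parsing.
    assert load_unsafely(PROBE_DOC)["probe"] == os.getcwd()
    # With safe_load the payload never reaches a constructor.
    status, reason = load_safely(MALICIOUS_DOC)
    assert status == "rejected"
    return status, reason


if __name__ == "__main__":
    print(demo())
```

Note that on PyYAML versions before 5.1 a bare `yaml.load(text)` with no `Loader` argument behaves like `load_unsafely` above, which is exactly the situation the fix addresses.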
* Fixed XSS via bleach
It was possible to get an XSS via the markdown library via simply setting a description containing arbitrary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (e.g. `[example](javascript:alert(0))`)
Using bleach to sanitize it solves both of these.
* Added XFO header by default to prevent clickjacking attacks
Note that with this application clickjacking can be relatively severe via the SQLLab functionality
which allows executing arbitrary SQL.
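As an added example (not Superset's own implementation, which sets the header inside Flask), here is a standard-library-only WSGI middleware that adds `X-Frame-Options: SAMEORIGIN` to every response unless a view already set one, together with a small check for whether a response is still frameable. The `sql_lab_app` stand-in and its body are constructed for this example.

```python
"""Added example (not Superset's code): X-Frame-Options via WSGI middleware,
plus a check that a captured response is not frameable by another origin."""
from wsgiref.util import setup_testing_defaults


def frame_options_middleware(app, value="SAMEORIGIN"):
    """Wrap a WSGI app so every response carries X-Frame-Options.

    A header the view already set is left alone, so a page can still choose
    DENY on its own without the middleware overriding it.
    """
    def wrapped(environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_xfo)
    return wrapped


def sql_lab_app(environ, start_response):
    """Constructed stand-in for a page that runs SQL on a click, with no XFO header."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<form action='/superset/sql_json/' method='post'>...</form>"]


def run(app, path="/superset/sqllab"):
    """Invoke a WSGI app once and return (status, headers, body) for inspection."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def is_frameable(headers):
    """True when a browser would allow another origin to iframe this response.

    Only X-Frame-Options is consulted here; a Content-Security-Policy
    frame-ancestors directive would also have to be checked in a full audit.
    """
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    print("unprotected frameable:", is_frameable(run(sql_lab_app)[1]))
    print("protected frameable:  ", is_frameable(run(frame_options_middleware(sql_lab_app))[1]))
```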
* Added justification for dangerouslySetInnerHTML
* Fixed linting errors
* Fixed linting errors
Funky datatypes in some databases like BLOBs will have the DBAPI return
python types that can't be serialized to JSON out of the box.
Currently, when this happens SQL Lab fails in a bad way with a gigantic
HTML error message.
This allows specifying a pessimistic JSON serializer handler that will
simply show "Unserializable [type]"
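As an added example of the handler this entry describes (this is illustrative code, not Superset's own), the function below is passed as `default=` to `json.dumps`, converts the types that have an obvious JSON form, and labels everything else as `Unserializable [type]` rather than letting the request fail. The sample rows are constructed here to mimic what a DBAPI might return for a SELECT.

```python
"""Added example (not Superset's code): a pessimistic json.dumps default
handler for result rows containing types JSON cannot encode natively."""
import datetime
import decimal
import json


def pessimistic_json_serializer(obj):
    """Fallback for json.dumps, called only for objects it cannot encode itself.

    Known types get a sensible JSON form; anything else (BLOBs arriving as
    bytes or memoryview, driver-specific wrappers, ...) becomes a marker
    string so that one odd column no longer breaks the whole response.
    """
    if isinstance(obj, (datetime.datetime, datetime.date)):
        return obj.isoformat()
    if isinstance(obj, decimal.Decimal):
        return float(obj)
    return "Unserializable [{}]".format(type(obj).__name__)


def rows_to_json(rows):
    """Serialise a list of result rows without raising on unusual column types."""
    return json.dumps(rows, default=pessimistic_json_serializer)


# Constructed rows of the kind a DBAPI cursor might hand back.
SAMPLE_ROWS = [
    {"id": 1, "amount": decimal.Decimal("12.50"), "created": datetime.date(2017, 1, 10)},
    {"id": 2, "amount": decimal.Decimal("0.10"), "blob": b"\x89PNG\r\n\x1a\n"},
    {"id": 3, "blob": memoryview(b"\x00\x01")},
]


if __name__ == "__main__":
    print(rows_to_json(SAMPLE_ROWS))
```

Without the `default=` argument, `json.dumps(SAMPLE_ROWS)` raises `TypeError` on the first `Decimal`, which is the failure mode the entry describes.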
* Feature: added datepicker and time granularity options to dashboard filter
* Added option for Druid datasource time filters
* added more checkbox control over dashboard time filters
parse_human_datetime parses date-only strings, e.g. "today", returning the correct date but time set at 9am. This is an internal implementation in parsedatetime. This patch resets to midnight. If time is specified and parsed, it is correctly returned.
* sql_lab.py: compress via utils
* utils.py: added zlib_compress and zlib_compress_to_string
* core.py: converted to use zlib_decompress_to_string; renamed uncompress to decompress in utils.py
* utils_tests.py: added test for compress/decompress
* fixed broken utils test; removed redundant code and empty lines from utils.py
* utils.py: corrected docstrings, removed unnecessary 'else'
* removed yet another superfluous else
on startup, FAB spits out a bunch of logging messages that aren't useful
in most cases. This shuts them down by default. They can be turned back
on with `config.SILENCE_FAB = True`
Also shushing a flask-cache warning around setting up a null (default) cache
* Simplifying the viz interface (#2005)
* Working on dashes
* Making this a collaborative branch
* Fixing some bugs
* Fixing bugs
* More improvements
* Add datasource back in bootstrap data
* Decent state
* Linting
* Moving forward
* Some more linting
* Fix the timer
* Triggering events through state
* Linting
* Put filters in an array instead of flt strings (#2090)
* Put filters in an array instead of flt strings
* Remove query_filter(), put opChoices into Filter
* Update version_info.json
* Fix migrations
* More renderTrigger=true
* Fixing bugs
* Working on standalone
* getting standalone to work
* Fixed forcedHeight for standalone view
* Linting
* Get save slice working in v2 (#2106)
* Filter bugfix
* Fixing empty series limit bug
* Fixed dashboard view
* Fixing short urls
* Only allow owners to overwrite slice (#2142)
* Raise exception when date range is wrong
* Only allow owner to overwrite a slice
* Fix tests for deprecate v1 (#2140)
* Fixed tests for control panels container and filters
* Fixed python tests for explorev2
* Fix linting errors
* Add in stop button during slice querying/rendering (#2121)
* Add in stop button during slice querying/rendering
* Abort ajax request on stop
* Adding missing legacy module
* Removing select2.sortable.js because of license
* Allow query to display while slice is loading (#2100)
* Allow query to display while slice is loading
* Put latestQueryFormData in store
* Reorganized query function, got rid of tuple return values
* Merging migrations
* Wrapping up shortner migration
* Fixing tests
* Add folder creation to syncBackend
* Fixing edit URL in explore view
* Fix look of Stop button
* Adding syntax highlighting to query modal
* Fix cast_form_data and false checkbox on dash
* Bugfix
* Going deeper
* Fix filtering
* Deleting invalid filters when changing datasource
* Minor adjustments
* Fixing calendar heatmap examples
* Moving edit datasource button to header's right side
* Fixing mapbox example
* Show stack trace when clicking alert
* Adding npm sync-backend command to build instruction
* Bumping up JS dependencies
* rm dep on select2
* Fix py3 urlparse
* rm superset-select2.js
* Improving migration scripts
* Bugfixes on staging
* Fixing Markup viz
* Rename rv => o in the decorator.
* Address comments.
* Permissions cleanup: remove none and duplicates. (#1967)
* Updates
* Rename var and dropdown text
* Cleanup
* Resolve comments.
* Add user to the perm check.
* Cleanup fulfilled requests after approve
* Modified tests
* Moved to separate test, add user to access functions
* Moved to separate test and added test cases
* Fixed issue with dryrun
* More changes based on comments
* Add per schema permissions.
* Address comments.
* Add schema_access perms to the alpha and admin
* Create permissions on addition databases and datasources.
* Remove hybrid_property. Linter complains.
* Change in files
* Renaming files and folders
* cleaning up a single piece of lint
* Removing boat picture from docs
* add superset word mark
* Update rename note in docs
* Fixing images
* Pinning datatables
* Fixing issues with mapbox-gl
* Forgot to rename one file
* Linting
* v0.13.0
* adding pyyaml to dev-reqs