Resolves PR #39925 conflict against 68 master commits since the last
rebase. Single conflict in `superset/models/dashboard.py::dashboard_link`:
- HEAD (Slice 1, this branch): `url_for("Superset.dashboard", ...)` so
Flask prepends SCRIPT_NAME and the row link works under subdirectory
deployments.
- master (#40404 area): `escape(self.url)` to defuse user-controlled
slug HTML injection in the rendered FAB list-view anchor.
Resolution combines both: keep `url_for` for the subdir-correct routing,
wrap the result in `escape()` for HTML-attribute defence-in-depth.
`url_for` already percent-encodes the slug path param (mitigating the
XSS vector master targeted); the explicit `escape()` documents intent
and survives any future change that adds query params/fragments.
master also added `tests/unit_tests/models/dashboard_test.py` with two
tests that instantiated `Dashboard` outside an application context.
Adapted to use the `app_context` autouse fixture + a
`current_app.test_request_context("/")` block so they exercise the
`url_for`-based implementation. Semantic assertions preserved: the
script-tag injection test still asserts no `<script>` or attribute
breakout; the plain-slug test still asserts `/superset/dashboard/sales/`
appears in the rendered href.
All other touched files auto-merged cleanly (UPDATING.md, config.py,
connectors/sqla/models.py, models/slice.py, views/utils.py,
integration_tests/dashboards/api_tests.py,
unit_tests/commands/report/execute_test.py). Notably slice.py's
auto-merge correctly retained Slice 1's `slice_link` url_for refactor
alongside master's new `icons` data-controlled HTML escape.
SKIP=pylint applied for worktree-venv subshell baseline (pre-commit's
pylint hook can't load the superset module without an activated venv;
documented baseline across Slices 4-8). pylint verified independently
against the changed files.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After Superset.route_base="" (c531185d0a) and the FAB-link migration
(28b845ead4), `url_for` for the core blueprint emits `/dashboard/...`,
`/explore/...`, `/explore_json/...`, `/welcome/...` etc. (no `/superset/`
segment). Likewise the Tag component renders `/all_entities/?id=<id>`,
and rewritePermalinkOrigin substitutes window.location.origin into
backend permalinks at the frontend boundary.
Update test expectations to match:
* Python unit: tests/unit_tests/commands/report/execute_test.py drops
`superset/` from the 12 `dashboard/p/...` expected paths and the
`superset/dashboard/` membership check (kept assertion meaningful
via the existing `dashboard/p/` negative check).
* Python integration: drop `/superset/` from URLs hit by tests and
from URLs asserted against API payloads in core_tests, dashboard_tests,
dashboards/api_tests, event_logger_tests, log_api_tests, security_tests,
strategy_tests, utils_tests, reports/commands_tests,
reports/commands/execute_dashboard_report_tests. Fixed the regex in
test_new_dashboard to match the new Location header shape.
* Jest: ChartList tag-link assertion drops `/superset/`, and
URLShortLinkButton tests assert the rewritten URL
(`${window.location.origin}/123`) the component renders after
rewritePermalinkOrigin, instead of the raw backend `http://fakeurl.com/123`.
These were called out in PROJECT.md as the queued "integration test sweep
for old `/superset/<endpoint>/` shapes" — this commit closes that item.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>