mirror of
https://github.com/apache/superset.git
synced 2026-04-16 22:55:52 +00:00
4ff17ffc8d
* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files Python's yaml.laod can lead to code execution via crafted yaml files such as: ``` code_exec: !!python/object/apply:subprocess.check_output ['ls'] ``` * Fixed XSS via bleach It was possible to get an XSS via the markdown library via simply setting a description containing arbitary HTML tags. It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`) Using bleach to sanitize it solves both of these. * Added XFO header by default to prevent clickjacking attacks Note that with this application clickjacking can be relatively severe via the SQLLab functionality which allows executing arbitary SQL. * Added justification for dangerouslySetInnerHTML * Fixed linting errors * Fixed linting errors
2.8 KiB
2.8 KiB