mirror of
https://github.com/apache/superset.git
synced 2026-07-12 01:35:36 +00:00
Resolves PR #39925 conflict against 68 master commits since the last rebase. Single conflict in `superset/models/dashboard.py::dashboard_link`: - HEAD (Slice 1, this branch): `url_for("Superset.dashboard", ...)` so Flask prepends SCRIPT_NAME and the row link works under subdirectory deployments. - master (#40404 area): `escape(self.url)` to defuse user-controlled slug HTML injection in the rendered FAB list-view anchor. Resolution combines both: keep `url_for` for the subdir-correct routing, wrap the result in `escape()` for HTML-attribute defence-in-depth. `url_for` already percent-encodes the slug path param (mitigating the XSS vector master targeted); the explicit `escape()` documents intent and survives any future change that adds query params/fragments. master also added `tests/unit_tests/models/dashboard_test.py` with two tests that instantiated `Dashboard` outside an application context. Adapted to use the `app_context` autouse fixture + a `current_app.test_request_context("/")` block so they exercise the `url_for`-based implementation. Semantic assertions preserved: the script-tag injection test still asserts no `<script>` or attribute breakout; the plain-slug test still asserts `/superset/dashboard/sales/` appears in the rendered href. All other touched files auto-merged cleanly (UPDATING.md, config.py, connectors/sqla/models.py, models/slice.py, views/utils.py, integration_tests/dashboards/api_tests.py, unit_tests/commands/report/execute_test.py). Notably slice.py's auto-merge correctly retained Slice 1's `slice_link` url_for refactor alongside master's new `icons` data-controlled HTML escape. SKIP=pylint applied for worktree-venv subshell baseline (pre-commit's pylint hook can't load the superset module without an activated venv; documented baseline across Slices 4-8). pylint verified independently against the changed files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>