Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/01/07 20:11:28 UTC

[GitHub] [superset] ktmud edited a comment on pull request #12315: feat: provide config to insert html tags in every view

ktmud edited a comment on pull request #12315:
URL: https://github.com/apache/superset/pull/12315#issuecomment-756318188


> I disagree with the concerns raised about security, a compromise of app.config is a full pwn in any way we slice it.

Maybe I wasn't clear. It is true that a compromised `app.config` is very serious, but that only means attackers will have access to db credentials and access to datasources **Superset** can connect to---it doesn't mean attackers can access **other internal systems** via **any user's credentials** that are possibly behind a VPN. When you add the ability to write **arbitrary** content to the HTML page, it opens a whole new floodgate. I'll admit such an attack is rare, but it doesn't seem worth the risk if we do have another feasible path for the business needs in question.

> I don't think replacing a file before building the frontend will work for our use case given that we're relying on the render_template_string to populate a few values in the script (eg, current_user.id).

You can easily add such info to the bootstrap data. In fact, in a fully backend-frontend separated architecture, you would want to add that info to the bootstrap data.

Finally, even if we want to implement this in a Jinja template, we can also add a blank overridable template file and use Jinja's `include ignore missing`:

```jinja
{% include "footer_extra.html" ignore missing %}
```

This way you also get syntax highlighting for free.
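The "bootstrap data" approach mentioned above, as an added illustration that is not part of the PR or of Superset's own code: per-request values such as the current user's id are serialized to JSON, HTML-escaped, and placed in a data attribute that the frontend parses, instead of being interpolated into a `<script>` body through `render_template_string`. The function names, the `data-bootstrap` attribute and the sample values are assumptions made for this example.

```python
import html
import json
from typing import Any, Dict, Optional


def build_bootstrap_data(user_id: int, extra: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Collect the per-request values the frontend needs (constructed example).

    In a real app these would come from the authenticated user and request
    context; here the caller passes them in directly.
    """
    data: Dict[str, Any] = {"user": {"id": user_id}}
    if extra:
        data.update(extra)
    return data


def bootstrap_data_attribute(data: Dict[str, Any]) -> str:
    """Serialize to JSON, then HTML-escape for use inside a double-quoted attribute.

    html.escape(quote=True) turns <, >, & and " into entities, so nothing in
    the payload can terminate the attribute or open a tag.
    """
    return html.escape(json.dumps(data), quote=True)


def decode_bootstrap_attribute(attr: str) -> Dict[str, Any]:
    """Reverse of bootstrap_data_attribute; mirrors what a browser does when it
    exposes the attribute via el.dataset and the app calls JSON.parse on it."""
    return json.loads(html.unescape(attr))


def render_app_shell(data: Dict[str, Any]) -> str:
    """Hardened pattern: data lives in an escaped attribute, code lives in a
    static bundle. The template only ever contains a fixed markup skeleton."""
    attr = bootstrap_data_attribute(data)
    return f'<div id="app" data-bootstrap="{attr}"></div>'


def naive_inline_script(data: Dict[str, Any]) -> str:
    """Unsafe pattern kept for contrast: JSON dumped straight into a script body.

    json.dumps does not escape '<' or '/', so a value containing '</script>'
    closes the script element early and the remainder is parsed as HTML.
    (If inline JSON is unavoidable, at minimum replace '<' with '\\u003c'.)
    """
    return f"<script>window.bootstrap = {json.dumps(data)};</script>"


if __name__ == "__main__":
    # Constructed hostile value standing in for any attacker-influenced string.
    hostile = '"></div><script>alert(1)</script>'
    sample = build_bootstrap_data(42, {"note": hostile})
    print(render_app_shell(sample))
    print(naive_inline_script(sample))
```

The safe path keeps every template a fixed skeleton: the only thing that changes per request is a JSON blob that is escaped for its exact context. That is the property the `include ignore missing` suggestion preserves and that an arbitrary-HTML config hook gives up.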

