Bug description
After upgrading from 5.0.0rc3 to 5.0.0, I noticed that all custom styles—including inline styles and whitespace between numbers—are missing from tooltips. This appears to be a side effect of the new XSS filter implementation (PR #33765).
Steps to reproduce:
Upgrade Superset from 5.0.0rc3 to 5.0.0
Hover over any chart to display the tooltip
Observe that all inline styles (such as padding and alignment) and whitespace between values are missing
Expected behavior:
Tooltip should retain all intended styles and spacing as in previous versions
Actual behavior:
Tooltip loses all custom styles and whitespace, making the content hard to read
Possible cause:
The new XSS filter may be stripping style attributes and collapsing/removing whitespace or delimiters between tooltip values.
Question:
What is the recommended way to restore tooltip formatting and spacing under the new XSS filter rules?
Screenshots/recordings
No response
Superset version
5.0.0
Python version
3.11
Node version
20
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @julianpark90! I'm Dosu and I’m helping the superset team.
The regression is caused by the stricter frontend XSS filter introduced in PR #33765, which now sanitizes tooltip HTML and strips inline styles and whitespace—especially for table elements like `<td>` and `<tr>`. This filter is configured in `superset-frontend/packages/superset-ui-core/src/utils/html.tsx` and is global and hardcoded; there’s no user-facing or runtime way to adjust it.
To restore tooltip formatting, you would need to modify the whitelist in that file to explicitly allow the `style` attribute on the relevant tags (for example, add `'style'` to `<td>`, `<tr>`, and `<table>` in the whitelist), and consider setting `css: true` if you want to permit inline CSS. Be aware that relaxing these restrictions can increase XSS risk, so only allow the minimum necessary styles and test thoroughly for security.
Backend settings like `HTML_SANITIZATION_SCHEMA_EXTENSIONS` in `config.py` do not affect frontend tooltips. There’s currently no official documentation or support thread addressing this regression or providing a workaround, so any fix will require a code change in the frontend sanitizer logic.
Reference: html.tsx XSS filter implementation
To reply, just mention @dosu.
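The whitelist change the bot describes, as an added example in plain JavaScript that is not Superset's `html.tsx` code: a strict and a relaxed attribute whitelist applied to a constructed tooltip, with `style` allowed only on table tags and every CSS declaration screened before it is kept. The config objects, `filterCss`, `sanitizeTooltip` and the sample markup are all assumptions made for this illustration.

```javascript
// Added example, not Superset's html.tsx: a minimal whitelist sanitizer for
// tooltip HTML. It reproduces the symptom (style attributes vanish under a
// strict attribute whitelist) and shows a narrow relaxation: `style` allowed
// only on table tags, with each CSS declaration checked against an allowlist.
const SAFE_CSS_PROPS = new Set(['padding', 'text-align', 'color', 'font-weight']);

// Strict config (the behaviour the issue describes): no attributes at all.
const STRICT = { table: [], tr: [], td: [], div: [], span: [], b: [] };
// Relaxed config: `style` permitted on table elements only.
const RELAXED = { table: ['style'], tr: ['style'], td: ['style'], div: [], span: [], b: [] };

// Keep only declarations whose property is allowlisted and whose value has no
// parentheses, backslashes or "url" (rejects url(...), expression(...), escapes).
function filterCss(style) {
  return style.split(';').map((d) => d.trim()).filter(Boolean).filter((d) => {
    const [prop, ...rest] = d.split(':');
    const value = rest.join(':').trim();
    return SAFE_CSS_PROPS.has(prop.trim().toLowerCase()) && !/[()\\]|\burl\b/i.test(value);
  }).join('; ');
}

// Walk the markup tag by tag. Text between tags (including the whitespace that
// separates tooltip values) is never touched; only tags and attributes are.
function sanitizeTooltip(html, whitelist) {
  return html.replace(/<\/?([a-zA-Z0-9]+)([^>]*)>/g, (full, name, rawAttrs) => {
    const tag = name.toLowerCase();
    const allowedAttrs = whitelist[tag];
    if (!allowedAttrs) return '';                 // unknown tag: drop the tag, keep its text
    if (full.startsWith('</')) return `</${tag}>`;
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
    for (let m = attrRe.exec(rawAttrs); m !== null; m = attrRe.exec(rawAttrs)) {
      const attr = m[1].toLowerCase();
      if (!allowedAttrs.includes(attr)) continue;  // e.g. onclick, href: silently dropped
      const value = attr === 'style' ? filterCss(m[2]) : m[2];
      if (value) kept.push(`${attr}="${value}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample tooltip: one benignly styled cell, one cell mixing a safe
// colour with a url() background, plus an event handler that must never survive.
const SAMPLE_TOOLTIP =
  '<table><tr><td style="padding: 4px; text-align: right" onclick="handler()">Sales</td> ' +
  '<td style="color: red; background: url(x)">1 234</td></tr></table>';

console.log(sanitizeTooltip(SAMPLE_TOOLTIP, STRICT));   // styles gone, spacing kept
console.log(sanitizeTooltip(SAMPLE_TOOLTIP, RELAXED));  // safe declarations kept
```

The strict run shows the reported symptom on the sample (cells lose their padding and alignment); the relaxed run keeps those declarations while the `url()` background and the `onclick` handler are still removed.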