Bug description

After upgrading from Superset 4.1.2 to 5.0 and now 6.0, my Handlebars-based custom charts stopped rendering HTML. The template output is being HTML-escaped by the frontend sanitizer (e.g., <ul>, <li>, quotes) so the chart shows raw text instead of rendered elements. In 4.1.2 this template rendered correctly.

Steps to Reproduce

1. Create a simple dataset.
2. Add a Handlebars chart and set the template and CSS:

```handlebars
<ul class="data-list">
  {{#each data}}
    <li>{{stringify this}}</li>
  {{/each}}
</ul>
```

CSS:

```css
.data-list { background-color: yellow; }
```

Expected Behavior

The template should render valid HTML (a yellow list with <li> items) as it did in Superset 4.1.2.

Actual Behavior

In 5.0 and 6.0, the output appears escaped (e.g., <ul class="data-list"> ...) and is displayed as plain text. CSS is not applied because the markup never becomes DOM elements.

Screenshots/recordings

• Superset 4.1.2 (works): Handlebars output renders as a styled list (yellow background) with each row serialized into <li> items.

Image

• Superset 6.0 (broken): The same output is escaped and shown as a long text line with <ul>, <li>, and " entities; CSS has no effect.

Image

Superset version

5.0.0

Python version

3.11

Node version

16

Browser

Chrome

Additional context

Install: pip in a Python venv

Checklist

• [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
• [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
• [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hi @alx25! I'm Dosu and I'm helping the superset team.

This change is due to stricter frontend HTML sanitization introduced in Superset 5.0 and later. Handlebars chart output is now routed through the SafeMarkdown component, which escapes and sanitizes HTML by default using rehype-sanitize and rehype-raw. This prevents custom markup like <ul> and <li> from rendering as DOM elements, even if your template produces valid HTML. The sanitizer is enforced by global configuration and recent updates (see plugin-chart-handlebars changelog), so plugin-level overrides or disabling are no longer supported.

Currently, there is no supported way to bypass this sanitizer or render raw HTML in Handlebars custom charts in Superset 5.0/6.0. This was done to improve security and prevent XSS vulnerabilities, but it does remove the ability to inject arbitrary markup in custom charts.

To reply, just mention @dosu.
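As an added example that is not Superset's code and not how SafeMarkdown or rehype-sanitize are implemented, the following JavaScript contrasts the two behaviours this thread describes for the reporter's template output: escaping the whole string (the browser then shows `<ul ...>` as literal text, which is what the 6.0 screenshot shows) versus filtering it through an allow-list that keeps structural tags such as `<ul>`/`<li>` and the `class` attribute while dropping scripts and event-handler attributes. The sample chart output, the allow-list contents, the tiny tokenizer and the hostile sample are all constructed for the illustration.

```javascript
// Constructed illustration of "escape" vs "allow-list sanitize" for chart HTML.
// Not Superset's code; the allow-lists and tokenizer are assumptions for the demo.

// Tags and attributes the allow-list keeps (constructed; a real policy is larger).
const ALLOWED_TAGS = new Set(["ul", "ol", "li", "p", "div", "span", "b", "i", "em", "strong"]);
const ALLOWED_ATTRS = new Set(["class"]);
// Elements whose text content must be discarded along with the tag.
const DROP_CONTENT = new Set(["script", "style"]);

// Escape everything: markup becomes inert text, so the browser displays "<ul ...>" literally.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Text nodes inside sanitized output: only "<" and ">" need neutralising; existing
// entities such as &lt; are left alone (a real sanitizer decodes and re-encodes them).
function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only allow-listed attributes and re-serialise them with quoted, escaped values.
function sanitizeAttrs(raw) {
  const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "";
  let m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue; // drops onclick, onerror, style, href, ...
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    kept += ` ${name}="${escapeHtml(value)}"`;
  }
  return kept;
}

// Allow-list sanitize: known tags survive with filtered attributes, unknown tags are
// removed (their text is kept), script/style bodies are discarded entirely.
// The tokenizer is deliberately simple: it does not handle ">" inside quoted values.
function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let pos = 0;
  let dropping = null; // name of the script/style element whose body is being skipped
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [token, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(pos, m.index);
    pos = m.index + token.length;
    if (dropping) {
      if (slash && name === dropping) dropping = null;
      continue; // both the body text and any tags inside it are thrown away
    }
    out += escapeText(text);
    if (!ALLOWED_TAGS.has(name)) {
      if (!slash && DROP_CONTENT.has(name)) dropping = name;
      continue; // unknown tag removed; its surrounding text is still kept
    }
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(rawAttrs)}>`;
  }
  out += dropping ? "" : escapeText(html.slice(pos));
  return out;
}

// Constructed stand-in for what the reporter's template produces after Handlebars runs.
const CHART_HTML = '<ul class="data-list"><li>id=1 name=alpha</li><li>id=2 name=beta</li></ul>';

// Constructed hostile variant: the same list with a script and event handlers smuggled in.
const HOSTILE_HTML =
  '<ul class="data-list" onmouseover="steal()"><li><script>evil()</script>row</li>' +
  '<img src=x onerror="evil()"></ul>';

console.log("escaped  :", escapeHtml(CHART_HTML));   // what the 6.0 chart shows as text
console.log("sanitized:", sanitizeHtml(CHART_HTML));  // list survives, CSS would apply
console.log("hostile  :", sanitizeHtml(HOSTILE_HTML)); // handlers, script and img removed
```

The point for the reporter's case is the middle line: an allow-list sanitizer and a full escape are different policies, and only the second turns `<ul class="data-list">` into visible text; which one a given Superset release applies to Handlebars output is what the changelog the bot references decides.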
