Bug description

Since #34276, HTML_SANITIZATION=False in superset/config.py. Is it intended?

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [ ] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [ ] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [ ] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

The default value for HTML_SANITIZATION in superset/config.py is still True—not False—and disabling it is not recommended for security reasons, as it helps prevent XSS attacks. PR #34276 did not change this setting or mention it at all; it is unrelated to HTML sanitization defaults. If you are seeing HTML_SANITIZATION=False, it may be due to a local override or custom configuration in your environment. You can review the config and comments directly here and see maintainers confirm the recommended default here.

To reply, just mention @dosu.


Comment From: qleroy

Isn't it False right here? https://github.com/apache/superset/blob/9d50f1b8a244471659449672ac252d642bf27fe0/superset/config.py#L975

@dosu

Comment From: dosubot[bot]

No, at line 975 in the referenced commit, HTML_SANITIZATION is set to True, not False. The comments in the code strongly recommend keeping it enabled for security reasons, as it helps prevent XSS attacks. There’s no evidence of a recent change to make it False by default—if you’re seeing False, it’s likely due to a local override or custom config in your environment. You can see the relevant code and comments here.

To reply, just mention @dosu.


Comment From: qleroy

hmm 🤔

Comment From: sfirke

Good catch, that seems like a mistake to me. Looking at the PR where HTML_SANITIZATION was introduced, it seems like we still want to keep the default as True.

Comment From: qleroy

34276 caused the regression.

I may open a PR to revert it, but it would break the custom tooltip feature at the same time. What should we do about it? @geido @msyavuz @richardfogaca
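Whether a deployment actually runs with sanitization depends on the shipped default in superset/config.py and on any superset_config.py override layered on top of it, which is the distinction the bot raised in this thread. As an added example that is not part of this issue or of the Superset code base, the script below reads both files with `ast` and reports the effective HTML_SANITIZATION value and where it came from; the two config bodies are constructed samples, not the real files.

```python
import ast
from typing import Optional, Tuple

# Constructed stand-ins for superset/config.py and a deployment's superset_config.py.
DEFAULT_CONFIG = """
# shipped default (constructed sample, not the real superset/config.py)
HTML_SANITIZATION = True
HTML_SANITIZATION_SCHEMA_EXTENSIONS = {}
"""

OVERRIDE_CONFIG = """
# deployment override (constructed sample superset_config.py)
SECRET_KEY = "placeholder"
HTML_SANITIZATION = False
"""


def read_module_flag(source: str, name: str) -> Optional[bool]:
    """Return the last top-level literal True/False assigned to `name`,
    or None if the module never assigns it that way (including computed values)."""
    value = None
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name):
            targets = [node.target.id]
        else:
            continue
        if name in targets and isinstance(node.value, ast.Constant):
            if isinstance(node.value.value, bool):
                value = node.value.value
    return value


def audit(default_src: str, override_src: Optional[str] = None) -> Tuple[bool, str]:
    """Superset applies superset_config.py after config.py, so the override wins.
    Returns (effective value, 'override' or 'default'); False is the XSS-relevant case."""
    default = read_module_flag(default_src, "HTML_SANITIZATION")
    override = read_module_flag(override_src, "HTML_SANITIZATION") if override_src else None
    effective = override if override is not None else default
    if effective is None:
        raise ValueError("HTML_SANITIZATION is not assigned a literal bool in either file")
    return effective, ("override" if override is not None else "default")


if __name__ == "__main__":
    print(audit(DEFAULT_CONFIG))                   # shipped default alone
    print(audit(DEFAULT_CONFIG, OVERRIDE_CONFIG))  # deployment override disables it
```

Run it against your real superset/config.py and superset_config.py contents to tell a shipped-default regression apart from a local override.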