apache / superset

Apache Superset is a Data Visualization and Data Exploration Platform
https://superset.apache.org/
Apache License 2.0

HTML `<br>` tag not rendering in query results #31015

Open hf-13 opened 1 day ago

hf-13 commented 1 day ago

Bug description

Description

When running a SQL query that includes an HTML `<br>` tag, Superset is not rendering the tag as expected. Instead, it is being stripped from the output.

Steps to Reproduce

  1. Run the following SQL query:
     `SELECT 'salary<=>salary<br>test' AS result;`
  2. Expected result: the output should display the exact text as it appears in the query.
  3. Actual result: the output is displayed as "salarysalary" on a single line, with the `<br>` tag and subsequent text removed.

Configuration Attempted

The following configuration has been applied in a Kubernetes deployment using Helm:

FEATURE_FLAGS = {
    # do not escape HTML in Markdown
    'ESCAPE_MARKDOWN_HTML': False,
}
# keep sanitization enabled, but extend the allowlist with the <br> tag
HTML_SANITIZATION = True
HTML_SANITIZATION_SCHEMA_EXTENSIONS = {
    "attributes": {
        "*": ["style", "className", "class"],
    },
    "tagNames": ["br"],
}

All of this was confirmed with `superset shell`:

from superset.app import app
print(app.config)

Additional Information

Environment

Question

Is there a way to configure Superset to properly render HTML tags, specifically the `<br>` tag, in query results while maintaining security?

Screenshots/recordings

No response

Superset version

4.1.0

Python version

3.10

Node version

16

Browser

Chrome

Additional context

No response

dosubot[bot] commented 1 day ago

I found a similar issue related to HTML rendering in Superset. The issue of improper input validation and sanitization, which can affect how HTML tags are handled, was discussed in this closed issue. The suggested solution involved implementing a Content Security Policy (CSP) using the Talisman extension to mitigate XSS attacks by specifying valid sources for executable scripts.

In your case, since you are trying to render the `<br>` tag in query results, you have already attempted to extend the HTML sanitization schema to include the `br` tag. However, it seems that the sanitization process might still be stripping it out.

Here are a few things you can try:

  1. Verify HTML Sanitization Settings: Ensure that your HTML_SANITIZATION_SCHEMA_EXTENSIONS is correctly configured to allow the br tag. It seems you have already done this, but double-checking might help.

  2. Frontend Configuration: Check if the frontend configuration allows HTML rendering. The ResultSet component in Superset's frontend has a property allowHTML that controls HTML rendering in query results. This is set based on a local storage key LocalStorageKeys.SqllabIsRenderHtmlEnabled, which defaults to true [1].

  3. Test HTML Rendering: You can test if the HTML rendering is working by checking the ResultSet component's behavior. If the allowHTML flag is set to true, it should render HTML content.

  4. Review HTML Sanitization Tests: Superset includes tests for HTML sanitization, such as sanitizeHtml and sanitizeHtmlIfNeeded, which ensure that HTML content is handled safely [2]. Reviewing these tests might provide insights into how HTML tags are processed.

If these steps do not resolve the issue, it might be worth investigating further into the frontend code to ensure that the allowHTML setting is correctly applied and that no other configurations are overriding your settings.

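As an added illustration that is not Superset's own code: a minimal allowlist sanitizer shaped like the `HTML_SANITIZATION_SCHEMA_EXTENSIONS` object from the report and the `sanitizeHtml` behaviour the bot refers to, showing that admitting `br` does not also admit script tags or event-handler attributes, and that the `<=>` in the reported query is text rather than a tag. The base tag list, the merge rules and the tokenizer are assumptions; Superset's real sanitizer differs.

```javascript
// Added example, not Superset's code: an allowlist sanitizer shaped like the issue's
// HTML_SANITIZATION_SCHEMA_EXTENSIONS. The base tag list and merge rules are assumptions.
const BASE_SCHEMA = { tagNames: ["b", "i", "em", "strong", "p", "span"], attributes: { "*": [] } };

// Merge an extensions object (same shape as the issue's config) into the base schema.
function extendSchema(base, ext) {
  const attributes = { ...base.attributes };
  for (const [tag, attrs] of Object.entries(ext.attributes || {})) {
    attributes[tag] = [...(attributes[tag] || []), ...attrs].map((a) => a.toLowerCase());
  }
  return { tagNames: new Set([...base.tagNames, ...(ext.tagNames || [])]), attributes };
}

// Per the HTML spec '<' opens a tag only when followed by a letter, '/', '!' or '?',
// so the "<=>" in the reported query is plain text, not a tag to be stripped.
function isTagStart(html, i) {
  return html[i] === "<" && /[A-Za-z/!?]/.test(html[i + 1] || "");
}

function sanitizeHtml(html, schema) {
  let out = "", i = 0;
  while (i < html.length) {
    const end = isTagStart(html, i) ? html.indexOf(">", i) : -1;
    if (end === -1) { out += html[i] === "<" ? "&lt;" : html[i]; i += 1; continue; }  // text
    const inner = html.slice(i + 1, end);
    i = end + 1;
    const m = /^(\/?)([A-Za-z][A-Za-z0-9]*)/.exec(inner);
    if (!m) continue;                                  // comments, doctype, etc. are dropped
    const closing = m[1] === "/", name = m[2].toLowerCase();
    if (!schema.tagNames.has(name)) {                  // disallowed element: drop the tag...
      if (!closing && (name === "script" || name === "style")) {   // ...and its content
        const close = html.toLowerCase().indexOf(`</${name}`, i);
        i = close === -1 ? html.length : html.indexOf(">", close) + 1;
      }
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    const allowed = new Set([...(schema.attributes["*"] || []), ...(schema.attributes[name] || [])]);
    const attrRe = /([A-Za-z_:][-A-Za-z0-9_:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    const kept = [];
    for (let a; (a = attrRe.exec(inner.slice(m[0].length))) !== null; ) {
      const attr = a[1].toLowerCase();                 // e.g. onclick is not allowlisted
      if (allowed.has(attr)) kept.push(a[2] ? `${attr}=${a[2]}` : attr);
    }
    out += `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  }
  return out;
}
// The extension from the issue, merged into the base schema.
const SCHEMA = extendSchema(BASE_SCHEMA, { attributes: { "*": ["style", "className", "class"] }, tagNames: ["br"] });
```

With this schema the reported value keeps its `<br>` (and its `<=>`, escaped for safe serialization), while a `<script>` element and an `onclick` attribute are removed.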