From ec20c0104e6913cd9b2ab8bacae22eb25ae4cce1 Mon Sep 17 00:00:00 2001
From: Anthony Gainor
Date: Wed, 19 Oct 2022 06:54:20 -0600
Subject: [PATCH] fix(dashboard): Prevent XSS attack vector (#21822)

Co-authored-by: Herbert Gainor
---
 .../packages/superset-ui-core/src/components/SafeMarkdown.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
index 41ba91b55..94d415c49 100644
--- a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown.tsx
@@ -30,7 +30,7 @@ interface SafeMarkdownProps {
 function isSafeMarkup(node: MarkdownAbstractSyntaxTree) {
   return node.type === 'html' && node.value
-    ? /href="(javascript|vbscript|file):.*"/gim.test(node.value) === false
+    ? !/(href|src)="(javascript|vbscript|file):.*"/gim.test(node.value)
     : true;
 }
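Review bot: The new test is still a denylist — it only recognizes a double-quoted `href="`/`src="` immediately followed by one of three schemes, so a raw `html` node whose URL-bearing attribute is quoted, spaced or encoded differently, or that carries other script-capable attributes, is reported safe by a function named `isSafeMarkup`. For a renderer of user-authored markdown the robust control is an allowlist: drop raw `html` nodes entirely or pass them through an HTML sanitizer, and keep this regex only as defense in depth. Because the regex is currently the whole control, its scope should be stated above the function, e.g. `// Heuristic denylist: only catches double-quoted href/src with a javascript:/vbscript:/file: scheme; not a sanitizer.` A unit test covering the `src="javascript:…"` case this commit adds would pin the new behavior. The hunk header counts 7 lines per side but the trailing context after `}` is not visible here, so the rest of the file's handling of `html` nodes could not be checked.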