Apache Superset Frontend Code Exposes XSS Risk via dangerouslySetInnerHTML in Core Utility
A potential cross-site scripting (XSS) weakness has been flagged in the Apache Superset project's frontend codebase. The static analysis (SAST) scanner Semgrep detected React's `dangerouslySetInnerHTML` API being fed a non-constant value in the core utility layer. The pattern maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and becomes exploitable whenever the injected HTML can originate from user-provided or otherwise untrusted input.
The finding sits in a shared module rather than a single component. The scanner pinpointed `superset-frontend/packages/superset-ui-core/src/utils/html.tsx`, a utility file consumed across the application, so any weakness there is inherited by every caller. `dangerouslySetInnerHTML` deliberately opts out of the automatic escaping React applies to strings rendered as children; when the value passed through it is not a hard-coded constant, whatever markup it carries reaches the DOM unescaped. Semgrep rated the finding medium severity and medium confidence. That reflects a pattern match, not a proven exploit: the next step is to trace each caller of the utility and establish whether the HTML it supplies can be influenced by an attacker before treating the finding as confirmed.
For the Apache Superset community and its enterprise users, this finding signals a need for code review and hardening of data handling practices. Because the helper lives in a core utility, multiple components or visualizations could be exposed through it, so the review should cover the call sites as well as the helper itself. The recommended mitigation is to render untrusted strings as ordinary React children, which are escaped automatically, and to reserve raw HTML insertion for cases where it is genuinely unavoidable; those cases should pass the markup through a sanitization library such as DOMPurify, configured with an explicit allowlist of tags and attributes, immediately before it reaches `dangerouslySetInnerHTML`. Left unaddressed, an exploitable path here would let injected script run in a dashboard viewer's browser session, compromising dashboard integrity and user data.
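As an added example, not code from the original report or from the Superset codebase, the TypeScript below models the `{ __html }` object that `dangerouslySetInnerHTML` takes so that the three data paths (verbatim, escaped-as-text, sanitized) can be exercised without React or a DOM installed. The function names, the constructed sample input and the `allowlistSanitize` stand-in are all assumptions; in a browser the sanitizer argument would be `DOMPurify.sanitize`, and the stand-in exists only so the example runs offline. It is not a substitute for DOMPurify.

```typescript
// Added example (not Apache Superset code). Models the { __html } object
// that React's dangerouslySetInnerHTML prop takes so the data flow can be
// run without React or a DOM. All names below are assumptions.

type RawHtmlProp = { __html: string };

// The shape Semgrep flags: a non-constant string forwarded verbatim into
// dangerouslySetInnerHTML. Deliberately left vulnerable to show the finding.
function unsafeHtmlProp(html: string): RawHtmlProp {
  return { __html: html };
}

// Entity-escape so the browser treats the input as text. React already does
// this for ordinary children; dangerouslySetInnerHTML opts out of it.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Safe default for a shared utility: untrusted strings are rendered as text.
function textAsHtmlProp(s: string): RawHtmlProp {
  return { __html: escapeHtml(s) };
}

// Raw-HTML path that cannot be called without naming a sanitizer. In the
// browser the argument would be DOMPurify.sanitize, the mitigation the
// report recommends; the offline stand-in is defined below.
type Sanitizer = (dirty: string) => string;
function sanitizedHtmlProp(html: string, sanitize: Sanitizer): RawHtmlProp {
  return { __html: sanitize(html) };
}

// Stand-in sanitizer for this offline example ONLY (assumption, not DOMPurify):
// keeps a tiny allowlist of attribute-free formatting tags and escapes
// everything else. Every attribute is dropped, so onerror= / href=javascript:
// cannot survive, and every '<' outside a recognised tag is escaped.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "br"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

function allowlistSanitize(dirty: string): string {
  let out = "";
  let last = 0;
  const re = new RegExp(TAG_RE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(dirty)) !== null) {
    out += escapeHtml(dirty.slice(last, m.index)); // text between tags
    const whole = m[0];
    const slash = m[1];
    const tag = m[2].toLowerCase();
    // Allowed tags are re-emitted in canonical form with no attributes;
    // anything else is rendered as literal text.
    out += ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : escapeHtml(whole);
    last = m.index + whole.length;
  }
  return out + escapeHtml(dirty.slice(last));
}

// Constructed sample input (not real Superset data): a label that carries
// legitimate formatting alongside two XSS payloads.
const UNTRUSTED =
  'Sales <b onclick="alert(1)">Q3</b><img src=x onerror="alert(document.cookie)">';

// Runs the same untrusted string through all three paths for comparison.
function demo(): { unsafe: string; asText: string; sanitized: string } {
  return {
    unsafe: unsafeHtmlProp(UNTRUSTED).__html, // payload reaches the DOM intact
    asText: textAsHtmlProp(UNTRUSTED).__html, // no '<' survives
    sanitized: sanitizedHtmlProp(UNTRUSTED, allowlistSanitize).__html,
  };
}

console.log(demo());
```

The `unsafe` path is exactly what the scanner reports: a non-constant string handed straight to the prop. `asText` is the right default for a shared helper that merely needs to display a string. Only `sanitized` should ever feed `dangerouslySetInnerHTML`, and the sanitizer should be the real DOMPurify with an explicit allowlist. For triage, the Semgrep registry rule whose wording matches this finding appears to be `javascript.react.security.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml`; it fires on any non-literal value, so a call site that already passes `DOMPurify.sanitize(...)` will still be reported and must be verified by hand or excluded with a project-specific rule.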