Superset V6.0 - Table chart now longer shows bold text with HTML <b> tag in columns

[Moosheimer]

Up to Superset v6.0, text such as Test was displayed in bold in table columns (if ‘Render columns in HTML format’ was checked). Since v6.0, this is no longer the case.
Is this a bug or a feature?

[dosubot[bot]]

This change is due to stricter HTML sanitization introduced in Superset 5.0 and continued in 6.0 to improve security and prevent XSS vulnerabilities. As a result, HTML tags like are now escaped and displayed as plain text rather than rendered as HTML, even if "Render columns in HTML format" is enabled. This is an intentional security feature, not a bug. If you need to allow specific HTML tags (like ), you can configure the HTML_SANITIZATION_SCHEMA_EXTENSIONS setting in your Superset config to permit them, but be aware of the security implications before doing so. More details are discussed in this issue.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Moosheimer]

@dosu
I changed superset_config.py as follows:
HTML_SANITIZATION = False
HTML_SANITIZATION_SCHEMA_EXTENSIONS = {
"attributes": {
"*": ["style", "className", "class", "src", "width", "height", "frameborder", "marginwidth", "marginheight", "scrolling", "target", "background-color"],
},
"tagNames": ["style", "iframe", "h1", "h2", "h3", "h4", "h5", "h6", "b", "span"],
}

But still isn't rendered.

[dosubot[bot]]

In Superset 6.0, even if you set HTML_SANITIZATION = False and extend HTML_SANITIZATION_SCHEMA_EXTENSIONS, table/chart cells are still sanitized in the frontend using libraries like DOMPurify and rehype-sanitize. This stricter frontend sanitization cannot be bypassed by backend config changes, so tags like <b> are escaped and not rendered as HTML for security reasons. There is currently no supported way to render raw HTML (like <b>) in table/chart cells due to these enforced security measures (source, source, source).

If you need to render HTML, dashboard Markdown components may respect your config overrides, but table/chart cells do not. This is an intentional change to prevent XSS vulnerabilities.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Moosheimer]

@dosu
Wow. That's tough. I read text from the database and display it in a table. The texts already have HTML tags such as <b>.
This is extremely important because the text from the database is already tagged and should be displayed that way.
Is there no way to turn that off?

[dosubot[bot]]

There isn’t a supported way to turn off HTML sanitization in Superset 6.0 table/chart cells. Even with “Render columns in HTML format” enabled, only tags on the sanitizer’s whitelist (like <span>, <img>, <a>, etc.) will be rendered—<b> is not included, so it gets stripped or escaped for security reasons reference.

If you need bold formatting, you can update your database text to use <span style="font-weight:bold"> instead of <b>, since <span> with inline styles is allowed and will render as bold in the table reference.

Disabling or bypassing this sanitization would require modifying the frontend source code and rebuilding, which is not recommended due to significant security risks reference. If you want help with safe formatting options, let me know!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Moosheimer]

@dosu
Replacing <b> with <span style="font-weight:bold"> doesn't always work. I have an example where it doesn't work - even though it works as a Postgres query, it doesn't work with Superset.

But that's not even the problem. The real problem is that we use tables/chart extensively and would have to parse every single query and replace all <b> and <li>. And that for every query?! And then it doesn't work everywhere (see above).

Are <b> and <li> really an XSS insecurity issue?

I suggest planning an extension for the next release where you can either completely disable all SANITIZATION or at least whitelist the ones that are needed.
Our application runs on the intranet and therefore does not need to be explicitly secured.

I don't think we're the only ones encountering this problem (at least so far).
Security is extremely important. But aren't we going too far with this strict regulation that can't be disabled?

Can't we leave it up to the user to decide whether to disable this strict setting at all?
Or at least give them the option to whitelist all desired tags across the board?

[dosubot[bot]]

Strict HTML sanitization in Superset is enforced to prevent XSS vulnerabilities, even for tags like <b> and <li>, because any HTML tag—if not properly sanitized—can be abused for script injection or layout manipulation, especially in environments where user input is not fully controlled. This is why Superset’s frontend only allows a limited set of tags (like <span>, <img>, <a>, table elements) and excludes others, regardless of backend config or intranet deployment source.

Currently, there’s no supported way to disable or fully customize frontend sanitization for table/chart cells; backend settings like HTML_SANITIZATION_SCHEMA_EXTENSIONS do not override this enforcement source. The whitelist is hardcoded in the frontend and can only be changed by modifying the source code and rebuilding, which is not recommended due to security risks and project policy source.

This secure-by-default approach is required by Apache Foundation guidelines and recent updates have made sanitization even stricter source. There are no current plans or features to make this user-configurable, but your use case (trusted intranet, need for custom tags) is valid and has come up in community discussions. If you want to propose a feature, it helps to describe your environment, why you need specific tags, and how you’d mitigate risks if sanitization were relaxed.

For now, the only workaround is to use tags and attributes allowed by the sanitizer (e.g., <span style="font-weight:bold">), but even these may not work in all contexts due to frontend restrictions. Markdown components in dashboards may offer more flexibility, but table/chart cells remain strictly sanitized.

Let me know if you want details on how to safely modify the frontend whitelist or draft a feature proposal for more flexible sanitization.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Moosheimer]

@dosu
Is it important to describe how I would mitigate risks if sanitization were relaxed?
If this is an opt-in, then it is the user's responsibility to do so. I don't think you should block something for the user on the assumption that they are not capable of deciding what the implications are. That's not the security-first approach. Security-first means that a system is secure. It doesn't mean that a user (a team, a company) can't opt in to bypass this if necessary.

Yes, I would like details on how I can safely modify the frontend whitelist.
At the same time, I would like to be able to create a feature suggestion for more flexible sanitization.

[dosubot[bot]]

For Superset, describing how you would mitigate risks if sanitization were relaxed is important—especially for security-related features—because the project follows a security-first approach aligned with Apache Foundation guidelines. Even if a feature is opt-in, maintainers want to understand the risks and how users would be protected if the feature is enabled, since any change could impact the broader community and future maintainers. Including your risk mitigation plan in a feature suggestion increases the chance it will be considered seriously.

To safely modify the frontend whitelist and allow tags like <b> or <li>, edit superset-frontend/packages/superset-ui-core/src/utils/html.tsx. In the whiteList object, add your desired tags and allowed attributes, for example:

b: [],
li: ['class', 'style'],

After editing, rebuild the frontend:

cd superset-frontend
npm run plugins:build
npm run build-dev

Clear your browser cache and reload Superset to see the changes. Note: this change affects all users and increases XSS risk, so only do this in trusted environments and test thoroughly. Reference

For a feature suggestion, explain your use case (e.g., trusted intranet, pre-tagged data), why current options are insufficient, and how you would mitigate risks (e.g., restrict to admin users, add warnings, document the risks). Here’s a template you can adapt:

**Title:** Make HTML sanitization whitelist user-configurable (opt-in)

**Problem:**  
Superset’s strict frontend HTML sanitization prevents rendering of safe tags like `<b>` and `<li>`, even in trusted environments. This blocks important formatting for pre-tagged data.

**Proposed Solution:**  
Add a user-configurable option (e.g., in superset_config.py or UI) to extend or override the frontend sanitizer whitelist, with clear warnings and opt-in gating.

**Risk Mitigation:**  
- Restrict to admin users or trusted deployments
- Add prominent warnings in the UI/config
- Document XSS risks and best practices

**Use Case:**  
We run Superset on a secured intranet with trusted data sources and need to render existing HTML formatting in tables/charts.

**Alternatives tried:**  
Backend config, data preprocessing, and Markdown components—all insufficient for our needs.

Let me know if you want more details on any step or best practices for testing these changes.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Moosheimer]

@dosu
Your feature suggestions are already very good. But how can I create a “feature suggestion”?

Your instructions on how to change the code are good. However, I am not a Python or TypeScript developer.
I am using an installed Superset (Miniconda and pip3 install).
Is there another way I can change this?

[dosubot[bot]]

To suggest a new feature or enhancement for Superset, you have two main options:

1. For general feature ideas, use GitHub Discussions: go to the Superset Discussions page, search to see if your idea already exists, and if not, create a new post under the "Ideas" category. This is the recommended place for most feature suggestions and for gathering community feedback before anything formal is proposed.
   Reference

2. For major changes or formal proposals, submit a Superset Improvement Proposal (SIP). To do this, draft your proposal using the SIP template (sections include Motivation, Proposed Change, Risk Mitigation, etc.), then email a link to your proposal to [email protected]. You can subscribe to the dev mailing list by sending a blank email to [email protected].
   Reference

About changing the frontend HTML sanitizer: there is no supported way to modify the whitelist or disable sanitization in a pip/Miniconda install without editing the frontend source code and rebuilding. There are no plugins or config options for this—frontend sanitization is hardcoded for security reasons.
Reference

If you can't make code changes yourself, you can still propose the feature as above, and mention your use case (trusted intranet, pre-tagged data, etc.) and why current options don't work for you. This helps the community understand the need and may attract collaborators.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[1cadumagalhaes]

@dosu

I am trying to display an image in a table, you said:

only tags on the sanitizer’s whitelist (like , , , etc.) will be rendered

I can render a link ( tag) but the image does not work at all. It displays as raw text.