How can I disable HTML rendering?

[6f6d6172]

Rendering HTML from results can sometimes be nice, but more often than not, it's not what I want. When your database contains untrusted input from a web application that may contain HTML, the last thing I want is for Redash to render it automatically -- even if the HTML is sanitized. The sanitization process allows arbitrary images and stylesheets to be loaded, which means selecting content from the database might end up rendering abusive or otherwise offensive content on the screen, or even be used to deliver malicious content. The feature is neat but frankly it's inappropriate to have enabled by default.

Attached is a screenshot of a row that contains CSS that sets every element's background to an animated gif of a cat jumping out of a box. It's clear I put that in there myself, but when running a web application that accepts content from the general public, it's not an entirely unrealistic situation.

There doesn't appear to be much documentation around HTML rendering, nor does there appear to be a setting to disable this within a single query or as a whole for the org. Is there something I'm missing? I searched issues and discussions and couldn't find anything on the topic either.

[comur]

Hello

Does someone have a workaround for that ?

[gaecoli]

Just disable this button.

[gaecoli]

First click Edit Visualization under Table, then click on the column you want to turn off HTML rendering, and finally turn off the button above.

[gaecoli]

Should we consider turning off HTML rendering by default? @justinclift

[comur]

I think it has to be disabled by default because if we have a style applied via HTML contained inside a column we cannot see edit button or all template is broken...

I was able to fix my cas by editing HTML of the template via inspect and then edit and disable HTML but it's painful

[gaecoli]

You can turn it off manually first. We will discuss this solution later.

[wncm]

I wish there were an option to disable it by default globally. Several times already it misled our analysts by "fixing" things like > and ".

[eradman]

@ezraodio1 proposed a change to change the default for "Allow HTML content" in #7064

[justinclift]

If we change the default, it's not going to break people who upgrade their existing installations is it?

[eradman]

It will not change existing installations, because allowHTML is saved in the visualization

redash=# SELECT jsonb_pretty(options->'columns'->0) FROM visualizations WHERE id=1;
            jsonb_pretty
-------------------------------------
 {                                  +
     "name": "name",                +
     "type": "string",              +
     "fixed": false,                +
     "order": 100000,               +
     "title": "name",               +
     "visible": true,               +
     "allowHTML": true,             +
     "displayAs": "string",         +
     "imageWidth": "",              +
     "allowSearch": false,          +
     "imageHeight": "",             +
     "alignContent": "left",        +
     "booleanValues": [             +
         "false",                   +
         "true"                     +
     ],                             +
     "highlightLinks": false,       +
     "linkUrlTemplate": "{{ @ }}",  +
     "imageUrlTemplate": "{{ @ }}", +
     "linkOpenInNewTab": true,      +
     "linkTextTemplate": "{{ @ }}", +
     "linkTitleTemplate": "{{ @ }}",+
     "imageTitleTemplate": "{{ @ }}"+
 }
(1 row)

Changing the default may affect users of the API (POST /api/visualizations), but the solution is easy: set this option in the payload instead of relying on the default.

[justinclift]

Cool. Doesn't sound like changing the default won't cause any significant problems then. 😄