KNIME Analytics Platform 5.2.1 is live

Hello Everyone,

As with every major release, we’ve performed an additional round of QA and now recommend KNIME Analytics Platform 5.2.1 for use in production environments.

All relevant resources for KNIME Analytics Platform, including download files, are available on our product download pages. Take a look at the release notes to learn more about the security-related changes to various visualization nodes that could impact existing workflows.

KNIME 5.2 is a major new release featuring a significantly improved user interface based on your feedback, a modern scripting editor for Python and ECharts, new reporting and visualization capabilities, additional extensions, and more. Learn more about the highlights of the release here.

The KNIME Team.

Can I test the new “HTML sanitization of JavaScript View nodes and Widget nodes” locally in KNIME AP before updating the KNIME server?

Hey @spider,
Yes, this is possible, just add this to your knime.ini:
-Djs.core.sanitize.clientHTML=true
After setting this and restarting your Analytics Platform you will see that everything inside a component view is now sanitized. (Note that this will not affect single views of nodes, but just component views.)

Greetings,
Daniel
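
The knime.ini edit described above, scripted so it can be applied repeatably to several installations, as an added example (not from the post and not KNIME's own tooling). It assumes the standard knime.ini layout, in which JVM `-D` options follow the `-vmargs` line; the file name `knime_sanitize_flag.sh` and the sample ini contents in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the KNIME post: set the HTML-sanitization system
# property in a knime.ini idempotently. Assumes the standard knime.ini layout,
# in which JVM -D options come after the -vmargs line.
set -eu

PROP_NAME='js.core.sanitize.clientHTML'

# set_knime_property FILE NAME VALUE
# Replaces an existing -DNAME=... line, or appends one (after -vmargs).
set_knime_property() {
  file=$1; name=$2; value=$3
  if ! grep -q '^-vmargs$' "$file"; then
    echo "error: $file has no -vmargs line; -D options must follow it" >&2
    return 1
  fi
  # escape the dots so grep/sed match them literally
  esc=$(printf '%s' "$name" | sed 's/\./\\./g')
  tmp=$(mktemp)
  if grep -q "^-D${esc}=" "$file"; then
    # rewrite the existing line in place, keeping everything else untouched
    sed "s|^-D${esc}=.*|-D${name}=${value}|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    # make sure the new option starts on its own line even if the file
    # has no trailing newline
    [ -n "$(tail -c 1 "$file")" ] && printf '\n' >> "$tmp"
    printf '%s\n' "-D${name}=${value}" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_knime_property FILE NAME
# Prints the current value, or "unset" when no such line exists.
get_knime_property() {
  file=$1; name=$2
  esc=$(printf '%s' "$name" | sed 's/\./\\./g')
  val=$(sed -n "s|^-D${esc}=||p" "$file" | tail -n 1)
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Usage: sh knime_sanitize_flag.sh /path/to/knime.ini [true|false]
# Restart the Analytics Platform afterwards for the change to take effect.
if [ "$#" -ge 1 ]; then
  set_knime_property "$1" "$PROP_NAME" "${2:-true}"
  echo "$PROP_NAME=$(get_knime_property "$1" "$PROP_NAME") in $1"
fi
```

Running it a second time with `false` flips the value instead of adding a duplicate line, and a file without `-vmargs` is rejected rather than silently getting an option the JVM would never see.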

Thanks.

Did you afterwards remove the following part from the changelog of 5.2.1, which I copied last week?

HTML sanitization of JavaScript View nodes and Widget nodes

With the release of 5.2.1 KNIME executors will have HTML sanitization of old JavaScript View nodes and Widget nodes turned on by default. This should ensure that no malicious HTML can be output. It is still possible to achieve the old behaviour by turning the sanitization off globally both for KNIME Hub execution contexts (see instructions here) and for KNIME Server (see instructions here). For KNIME Server, sanitization rules can also be further customized; see the KNIME WebPortal Administration Guide.

Interesting nodes to know about:

- **Text Output Widget (legacy):** If this is set to output HTML content, it will be sanitized. You can use the new Text View or Image View, which have their own sanitization rules internally but allow certain styling tags, or exempt the Text Output Widget from sanitization.
- **Image Output Widget (legacy):** This will not work with sanitization turned on. Sanitization will strip all SVG tags, leaving in most cases only axis labels and names to be displayed as plain text. The workaround here is also to use the new Image View or add the node to the exemptions.
- **Generic JavaScript View:** This node is now always exempted from global sanitization and has an additional flag (`-Djs.core.sanitize.sanitizeGenericJSView`) which is set to true by default for new executors. With this flag enabled, all input data to the node (input table and flow variables) will be sanitized.
  This leads to the following behaviour: if a workflow builder set up the node so that just values are displayed from tables and flow variables, it might only lose some formatting or simply work as before. However, if a script was set up in a way that, for example, HTML was constructed using the contents of flow variables or JavaScript libraries were injected using flow variables, this will now most likely fail. If this is still needed, the system property has to be set to false explicitly. Additionally, there is a new checkbox in the node to enable/disable this input sanitization. However, this will be overwritten if the system property is set to true.

All other (view) nodes might behave differently if a workflow builder tried to customize styling by use of HTML (e.g. in table cells or in tooltips used inside of charts). The effects here should be that either only the styling does not work or some content won’t be visible at all, depending on the context.
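
A toy model of what the input sanitization described for the Generic JavaScript View does to the values a script receives, added here as an illustration; it is not KNIME's sanitizer and not code from the thread. The allowlist (`KEEP_TAGS`), the elements dropped with their content, and the sample flow-variable values are constructed assumptions, and a regex tag stripper like this is not a substitute for a real HTML sanitizer. It shows the three outcomes the notes describe: a plain value passes unchanged, a styled value keeps its text but loses formatting, and a `<script>` injected through a flow variable or an SVG chart passed as HTML is reduced to nothing or to its text labels. The `sanitizeInputs` switch stands in for the node checkbox / `sanitizeGenericJSView` property.

```javascript
// Added example: toy allowlist tag stripper modelling the effect of input
// sanitization on a Generic JavaScript View. NOT KNIME's sanitizer and NOT
// safe for production use; the allowlist and rules below are assumptions.
const KEEP_TAGS = new Set(["b", "i", "em", "strong", "br"]); // assumed allowlist
const DROP_WITH_CONTENT = ["script", "style"]; // removed together with their bodies

function sanitizeHtml(html) {
  // 1. Remove script/style elements including everything inside them, so an
  //    injected <script src=...> does not survive even as text.
  const dropRe = new RegExp(
    `<(${DROP_WITH_CONTENT.join("|")})\\b[^>]*>[\\s\\S]*?</\\1\\s*>`, "gi");
  let out = html.replace(dropRe, "");
  // 2. Remove every other tag not on the allowlist (svg, span, div, ...).
  //    Allowlisted tags survive but lose all attributes (onclick, style, ...).
  //    Attribute values containing ">" are not handled; this is a toy.
  out = out.replace(/<\/?([a-zA-Z][\w:-]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!KEEP_TAGS.has(lower)) return "";
    return tag.startsWith("</") ? `</${lower}>` : `<${lower}>`;
  });
  return out;
}

// Models the node's input-sanitization switch: with the system property
// -Djs.core.sanitize.sanitizeGenericJSView=true (the described default) every
// flow variable is sanitized before the script sees it; with false they pass through.
function sanitizeFlowVariables(vars, sanitizeInputs = true) {
  const result = {};
  for (const [key, value] of Object.entries(vars)) {
    result[key] = sanitizeInputs ? sanitizeHtml(String(value)) : String(value);
  }
  return result;
}

// Constructed sample values standing in for flow variables / table cells.
const SAMPLE_FLOW_VARIABLES = {
  plainValue: "42",                                                   // just a value
  styledValue: '<span style="color:red"><b onclick="alert(1)">42</b></span>', // styling via HTML
  libInjection: '<script src="https://example.invalid/lib.js"></script>',     // library injected via flow variable
  svgChart: '<svg width="120" height="80"><text x="0" y="12">Revenue</text>' +
            '<rect x="0" y="20" width="50" height="40"/></svg>',       // chart passed as SVG markup
};

function demo() {
  const after = sanitizeFlowVariables(SAMPLE_FLOW_VARIABLES);
  for (const key of Object.keys(SAMPLE_FLOW_VARIABLES)) {
    console.log(`${key}\n  in:  ${SAMPLE_FLOW_VARIABLES[key]}\n  out: ${JSON.stringify(after[key])}`);
  }
  return after;
}

demo();
```

A script that does `document.body.innerHTML = flowVar` therefore keeps working for `plainValue`, renders `styledValue` without its colour, and gets an empty string for `libInjection` and only the word `Revenue` for `svgChart`, which is the "most likely fail" case the notes warn about unless the property is explicitly set to false.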

Hey @spider,

There was something wrong with the build for 5.2.1, which means that the default in the executor is not set for 5.2.1 but will be set from 5.2.2 onwards. You can of course still use the parameter in the Analytics Platform and the executor. It is just not set as default as of now.

Greetings and sorry for the confusion,
Daniel