From 69916654ccd7e3be39b4dcc2271958b8fedb4ff0 Mon Sep 17 00:00:00 2001
From: guerler <aysam.guerler@gmail.com>
Date: Thu, 1 Aug 2024 13:53:51 +0300
Subject: [PATCH] Limit allowed script tags, allow adding stylesheet for now

---
 .../common/templates/script_entry_point.mako  | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/config/plugins/visualizations/common/templates/script_entry_point.mako b/config/plugins/visualizations/common/templates/script_entry_point.mako
index 82d33bc868c0..8895ff868a10 100644
--- a/config/plugins/visualizations/common/templates/script_entry_point.mako
+++ b/config/plugins/visualizations/common/templates/script_entry_point.mako
@@ -1,19 +1,29 @@
 # -*- coding: utf-8 -*-
 <%inherit file="visualization_base.mako"/>
 
-## No stylesheets
-<%def name="stylesheets()"></%def>
+## Add stylesheet
+<%def name="stylesheets()">
+    <% css = script_attributes.get("css") %>
+    %if css is not None:
+        <link rel="stylesheet" href="${css}">
+    %endif
+</%def>
 
 ## Create a container, attach data and import script file
-<%def name="late_javascripts()">
-    <% container = script_attributes.get("container") or "app" %>
+<%def name="get_body()">
+    ## Collect incoming data
     <% data_incoming = {
         "visualization_id": visualization_id,
         "visualization_name": visualization_name,
         "visualization_plugin": visualization_plugin,
         "visualization_config": config }
     %>
+
+    ## Create a container with default identifier `app`
+    <% container = script_attributes.get("container") or "app" %>
     <div id="${container}" data-incoming='${h.dumps(data_incoming)}'></div>
-    <% tag_attrs = ' '.join([ '{0}="{1}"'.format( key, attr ) for key, attr in script_attributes.items() ]) %>
-    <script type="text/javascript" ${tag_attrs}></script>
+
+    ## Add script tag
+    <% src = script_attributes.get("src") %>
+    <script type="text/javascript" src=${src}></script>
 </%def>