feat: adding feature flags to escape/hide html in markdown

[rusackas]

SUMMARY

Adds feature flags (set with defaults to match current behavior) that (a) can escape/display HTML code, or (b) hide the output of HTML markup.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TEST PLAN

Tested (visually, and in Chrome inspector) that HTML is escaped when ESCAPE_MARKDOWN_HTML is enabled, and that HTML is hidden when DISPLAY_MARKDOWN_HTML is turned off.

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

[codecov-io]

Codecov Report

Merging #11340 into master will decrease coverage by 4.01%.
The diff coverage is 66.66%.

@@            Coverage Diff             @@
##           master   #11340      +/-   ##
==========================================
- Coverage   65.59%   61.57%   -4.02%     
==========================================
  Files         832      838       +6     
  Lines       39448    39841     +393     
  Branches     3598     3655      +57     
==========================================
- Hits        25874    24533    -1341     
- Misses      13465    15127    +1662     
- Partials      109      181      +72     

Flag	Coverage Δ
#cypress	?
#javascript	62.63% <66.66%> (-0.04%)	⬇️
#python	60.94% <ø> (+0.18%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...c/dashboard/components/gridComponents/Markdown.jsx	88.29% <0.00%> (-0.95%)	⬇️
superset/config.py	90.18% <ø> (+0.11%)	⬆️
superset-frontend/src/featureFlags.ts	88.23% <100.00%> (-11.77%)	⬇️
superset-frontend/src/SqlLab/App.jsx	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/explore/App.jsx	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/dashboard/App.jsx	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/explore/index.jsx	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/dashboard/index.jsx	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/setup/setupColors.js	0.00% <0.00%> (-100.00%)	⬇️
superset-frontend/src/chart/ChartContainer.jsx	0.00% <0.00%> (-100.00%)	⬇️
... and 235 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8676c3e...3e7b5ec. Read the comment docs.

[villebro]

LGTM, with a few minor non-blocking recommendations

[villebro]

Could we add comments here that explain how these affect the behaviour? Also, it could be a good idea to add a comment in UPDATING.md in case someone is currently relying on this functionality.

[rusackas]

The default settings in this PR mimic the current default behavior, so the feature shouldn't require any action when updating.

That said, the comments do seem valuable. I'll add 'em!

[villebro]

[rusackas]

Added some comments... let me know if they don't make sense.

[villebro]

[robdiciuccio]

Security-first default settings would be my preferred approach. Is there a reason why the default here can't be secure out of the box?

[rusackas]

I don't believe there are any security issues that exist in this implementation.

The reason these flags aren't flipped here is that it would cause the example dashboards (and perhaps customer/user dashboards) to suddenly look very broken, with a bunch of noisy HTML displayed, or (in the examples) nothing displayed at all.