This may be a use case that bends what Redash is intended to do a bit, but we’re trying to add a button that executes some basic inline JS to a table produced by a query. Adding the button is not a problem, but the button’s onclick attribute gets sanitized away. Based on the docs I had assumed that the env variable REDASH_ALLOW_SCRIPTS_IN_USER_INPUT would allow us to turn off sanitizing of any HTML, but it does not appear to be working. So what actually does this variable set? Browsing through the codebase its effect was not immediately clear to me.

If the variable doesn’t do the trick, what other ways do we have to turn sanitizing off? I understand that ngSanitize was used in the past, but we are running a React version of Redash (9.0.0) so that would not be applicable anymore.