Support for Parameters in Embedded Visualizations


Up until now, embedded visualizations did not support parameterized queries because they created SQL injection vulnerabilities: embedded queries are public, so anyone, including untrusted parties, could manipulate the parameters and potentially do harm to the database. If you wanted to risk it, you could have entered the danger zone by enabling the ALLOW_PARAMETERS_IN_EMBEDS setting.

Following this PR, you no longer have to risk it: most parameters are now safely enabled by default for embedded visualizations. Note that raw string parameters are not supported yet, but we are working towards minimizing the cases this affects.

If you have the ALLOW_PARAMETERS_IN_EMBEDS setting turned on, you will see a deprecation message in the app.
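To make the distinction concrete, here is an added illustration (not Redash's code, and not from this PR) of why typed parameters can be enabled safely in a public embed while raw string parameters cannot. Every value arriving from the embed URL is untrusted, so the renderer only substitutes a placeholder after the value has been validated against the type the query author declared; a number must be a bare numeric literal, a date is parsed and re-serialized, an enum must match one of the declared options, and a raw text parameter is refused outright because there is nothing to validate it against. The `{{ name }}` placeholder syntax, the `definitions` structure and the sample query are assumptions made for this example.

```python
"""Typed parameter validation for a publicly embedded query.

Added example, not Redash's own code. The placeholder syntax, the shape of
the parameter definitions and the sample query are assumptions.
"""
import re
from datetime import date

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
NUMBER = re.compile(r"-?\d+(\.\d+)?")


class UnsafeParameter(ValueError):
    """Raised when a supplied value cannot be rendered as a safe SQL literal."""


def render_number(value):
    # Only a bare numeric literal survives; anything with extra tokens is rejected whole.
    if isinstance(value, bool) or not NUMBER.fullmatch(str(value)):
        raise UnsafeParameter(f"not a number: {value!r}")
    return str(value)


def render_date(value):
    # Parse and re-serialize, so the emitted literal is always a canonical 'YYYY-MM-DD'.
    try:
        parsed = date.fromisoformat(str(value))
    except ValueError:
        raise UnsafeParameter(f"not an ISO date: {value!r}") from None
    return f"'{parsed.isoformat()}'"


def render_enum(value, options):
    # The value must be one of the options the query author declared up front.
    if value not in options:
        raise UnsafeParameter(f"not an allowed option: {value!r}")
    return "'" + value.replace("'", "''") + "'"


def render_embedded_query(template, definitions, supplied):
    """Substitute placeholders using only declared, validated parameter types."""
    def substitute(match):
        name = match.group(1)
        if name not in definitions:
            raise UnsafeParameter(f"undeclared parameter: {name}")
        kind = definitions[name]["type"]
        if kind == "text":
            # A raw string parameter cannot be validated, so it is never substituted in an embed.
            raise UnsafeParameter(f"raw text parameter {name!r} is not allowed in an embed")
        if name not in supplied:
            raise UnsafeParameter(f"missing value for {name}")
        value = supplied[name]
        if kind == "number":
            return render_number(value)
        if kind == "date":
            return render_date(value)
        if kind == "enum":
            return render_enum(value, definitions[name]["options"])
        raise UnsafeParameter(f"unknown parameter type {kind!r}")

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample: a query an author might publish, with its declared parameter types.
QUERY = ("SELECT id, status, created_at FROM orders "
         "WHERE customer_id = {{ customer }} AND status = {{ status }} "
         "AND created_at >= {{ since }}")
DEFINITIONS = {
    "customer": {"type": "number"},
    "status": {"type": "enum", "options": ["open", "shipped", "closed"]},
    "since": {"type": "date"},
}


def safe_example():
    """Well-formed values from the embed URL render to a query with plain literals."""
    return render_embedded_query(
        QUERY, DEFINITIONS, {"customer": "42", "status": "open", "since": "2024-01-01"})


def rejected_examples():
    """Which tampered or unsupported inputs the renderer refuses (True = rejected)."""
    cases = {
        "number": (DEFINITIONS, {"customer": "42 OR 1=1", "status": "open", "since": "2024-01-01"}),
        "enum": (DEFINITIONS, {"customer": "42", "status": "open' --", "since": "2024-01-01"}),
        "date": (DEFINITIONS, {"customer": "42", "status": "open", "since": "2024-01-01 OR 1=1"}),
        # A raw text parameter is refused regardless of the value supplied.
        "text": ({**DEFINITIONS, "status": {"type": "text"}},
                 {"customer": "42", "status": "open", "since": "2024-01-01"}),
    }
    results = {}
    for label, (definitions, supplied) in cases.items():
        try:
            render_embedded_query(QUERY, definitions, supplied)
            results[label] = False
        except UnsafeParameter:
            results[label] = True
    return results


if __name__ == "__main__":
    print(safe_example())
    print(rejected_examples())
```

The point of the design is that the allowed set of values is fixed by the author's declaration, not by the viewer's input, so a tampered value has no path into the SQL text. That is exactly what a raw string parameter lacks, which is why it stays unsupported in embeds for now.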
