chore: Deprecates the ENABLE_JAVASCRIPT_CONTROLS feature flag

[michael-s-molina]

SUMMARY

As part of the 4.0 approved initiatives, this PR deprecates the ENABLE_JAVASCRIPT_CONTROLS feature flag which is currently False by default and used to enable programmers to customize certain charts (like the geospatial ones) by inputting javascript in controls. This exposes an XSS security vulnerability.

TESTING INSTRUCTIONS

CI.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (7ca6d8c) 69.18% compared to head (0bd9243) 69.04%.
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #26635      +/-   ##
==========================================
- Coverage   69.18%   69.04%   -0.14%     
==========================================
  Files        1948     1938      -10     
  Lines       76036    75609     -427     
  Branches     8478     8478              
==========================================
- Hits        52604    52204     -400     
+ Misses      21265    21238      -27     
  Partials     2167     2167              

Flag	Coverage Δ
hive	53.58% <ø> (-0.11%)	⬇️
mysql	77.88% <ø> (-0.16%)	⬇️
postgres	77.98% <ø> (-0.19%)	⬇️
presto	53.53% <ø> (-0.11%)	⬇️
python	82.73% <ø> (-0.13%)	⬇️
sqlite	77.57% <ø> (-0.19%)	⬇️
unit	55.81% <ø> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[JZ6]

will there be a new feature to replace this deprecation?

[rusackas]

will there be a new feature to replace this deprecation?

We're open to proposals! As it stands, there are no contenders, but this feature needs to be removed as a known security vector. In my mind, its replacement would be something templating-based (markdown or jinja) that is handed the full data object, and can render tooltip content. It should be something that can be added to any plugin (not just DeckGL). It should not allow arbitrary JavaScript (that's a security problem). It would definitely be subject to a SIP, and we're willing to consider a SIP from anyone who wants to contribute such a feature.