When handling expressions in your web flows, you may need to send their content to the browser as it is, without any escaping performed by the application. To do so, set the Escape Contents property of the Expression widget as explained below. A common use for un-escaped expressions is to add custom content, such as HTML and JavaScript, to your web screens. However, if you are in a web flow, you can also use the extended properties of the Expression widget. See Extending Properties.

Escape an Expression

Escaping an expression means that all spaces, punctuation, accented characters and other non-ASCII characters are replaced by a sequence that does not interfere with the protocol being used. To see how escaping works in web flows, check the EncodeHtml function.

In most situations you need to escape your expressions, so simply keep the default value of the Escape Contents property of the expression, which is Yes.

Un-escape an Expression

In some situations, you need to directly present the results of your expressions in the screen content. Simply set the Escape Contents property of the Expression widget to No.

This feature is not available for SMS flows.

Un-escaped Expressions in Web Flows

If you want to add JavaScript or HTML code to your web screens, you must use un-escaped expressions. Service Studio also allows you to add JavaScript functions directly to your web flows. How?

In the following situations you must use un-escaped expressions, for example to add an HTML element, a link or a script to the screen:

"<input type=""hidden"" name=""SomeName"" value=""XPTO"">"

"<a href=""mailto:Support@MyCompany.com?subject=Feedback"">Mail</a>"

"<script>
function MyFunction () {
...
return true;
}
</script>"

If you want to use dynamic contents in your un-escaped expressions, you should use the EncodeJavascript function or the EncodeHtml function, depending on the context in which the value is inserted.

Testing an un-escaped expression

Once you have defined your expression as un-escaped, you can easily check its result. Simply run your eSpace and, in the web screen, select the browser's "View Source" option to inspect the generated HTML.

Security considerations

Working with un-escaped expressions without encoding untrusted values (e.g. user input) compromises end-user security by allowing JavaScript injection and cross-site scripting (XSS). To avoid these risks, you need to encode every dynamic value placed in an un-escaped expression.

Examples:

You want to use the alert JavaScript function to pop up the content of Msg. You have to create an expression with the Escape Contents property set to No, with the following value:

"<script language=""javascript"">
alert(""" + EncodeJavascript(Msg) + """);
</script>"


You want to include some HTML code in your screen and you need to use a variable called MyVar in that code. You have to create an expression with the Escape Contents property set to No, with the following value:

"<input type=""hidden"" name=""SomeName"" value=""" + EncodeHtml(MyVar) + """>"
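The following JavaScript is an added example, not OutSystems code: it models what the two encoding functions above must do for the hidden-input (HTML attribute) and alert() (JavaScript string) contexts, and runs them over constructed hostile inputs so you can see that the value can no longer break out of its context. The function names encodeHtml and encodeJavascript are local stand-ins for EncodeHtml and EncodeJavascript.

```javascript
// Added example (not OutSystems code): local stand-ins for EncodeHtml and
// EncodeJavascript, applied to the two un-escaped expressions on this page.

// HTML text/attribute context: replace the characters that can close an
// attribute or open a tag. '&' goes first so entities are not double-encoded.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// JavaScript string-literal context: \uXXXX-escape quotes, backslashes, line
// terminators and the characters that could form "</script>" inside the literal.
function encodeJavascript(value) {
  return String(value).replace(/[\\"'\n\r\u2028\u2029<>&]/g, (ch) => {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// The hidden-input expression from the page, with MyVar encoded for an attribute.
function hiddenInput(myVar) {
  return '<input type="hidden" name="SomeName" value="' + encodeHtml(myVar) + '">';
}

// The alert() expression from the page, with Msg encoded for a JS string literal.
function alertScript(msg) {
  return '<script>alert("' + encodeJavascript(msg) + '");</script>';
}

// Constructed untrusted inputs: each would terminate its context if inserted raw.
const hostileAttr = '"><script>alert(1)</script>';
const hostileMsg = '";alert(1);//';

// True when the encoded output still contains a raw '<' or '"' that could
// terminate the surrounding attribute or string literal.
function breaksOut(encoded) {
  return /[<"]/.test(encoded);
}
```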

See Also

Expression Properties | Adding JavaScript in Web Flows | EncodeJavascript Function | EncodeHtml Function