How to concatenate a string to HTML string?
Question

Hi guys,


I want to pass dynamic variables (StringList) into the HTML string to be rendered. For example:

But doing it this way the Html is not rendered.


Can you help me?

Thank you.

2018-10-01 10-21-00
Diego Souza
Solution

Thank you guys.

In my case, the solution is: 

  1. Transform this "html + your variable" into a unique variable.
  2. Use this variable to show in this expression, with Escape Content = NO.
  3. Use the function SanitizeHtml(StringFinal) of the Sanitization Extension.

2021-07-19 14-21-08
Carlos Alfradique

Hi there Diego.

Transform this "html + your variable" into a unique variable and use this variable to show in this expression, with Escape Content = NO.

OR

Remove the function "EncodeHTML()" and continue using "Escape Content = No".

Regards,

Carlos Alfradique


2021-01-29 14-18-24
Jitendra Raghuvanshi

Hi Diego,

Remove the Encodehtml() function, put your HTML content directly into the expression, and set the expression property Escape Content = No.


Regards,

Jitendra

2018-10-01 10-21-00
Diego Souza

Hi guys,


I removed the Encodehtml() function, put your HTML directly in a unique variable and set the expression property Escape Content = No, but this warning is appearing and this email is not sent.
I concatenated the Header + Dynamic string + Header (Concat( , )) in a unique String variable, "String Final". If I use EncodeHTML(String Final), the same result as in my original post appears.

Can you help me? Please.

2020-10-08 19-51-35
João Barata
Staff

Hello Diego,

The warning you are seeing is to inform you that you may be vulnerable to HTML injection, since you are using a variable inside your HTML and the platform can't know beforehand what that HTML content may be.

What you should do is surround your variable with the Encodehtml() function instead of the entire HTML.

If you still need to pass valid HTML inside of your variable, the only alternative is to ignore the warning and validate that you aren't generating that HTML content from user input or that you sanitize it beforehand.


Nevertheless, may I ask why you are trying to generate a full HTML document with the <html>, <head> and <body> tags?

Since you are using the expression on the page, you are already inside of the <body></body> tags, so there is no need to add those.

Regards,
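
The difference described in the answer above, between encoding the whole string and encoding only the variable, sketched in Python as an added example that is not part of the original thread. `html.escape` stands in for the platform's Encodehtml(), and the header, footer and item values are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed, trusted template parts (assumption: stand-ins for the post's "Header").
HEADER = "<h1>Order summary</h1><ul>"
FOOTER = "</ul>"

# Constructed sample of the dynamic StringList; the second item carries markup.
ITEMS = ["Widget x2", '<a href="http://example.invalid/">Click here</a>', "Tom & Jerry"]


def build_raw(items):
    """Concatenate values as-is and render unescaped (the case the warning is about)."""
    return HEADER + "".join(f"<li>{i}</li>" for i in items) + FOOTER


def build_encode_all(items):
    """Encode the whole string: nothing is injected, but the template's tags show as text."""
    return escape(build_raw(items))


def build_encode_values(items):
    """Encode only each dynamic value, then concatenate it into the trusted template."""
    return HEADER + "".join(f"<li>{escape(i)}</li>" for i in items) + FOOTER


class TagCollector(HTMLParser):
    """Records every start tag that a renderer would treat as markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(html_text):
    """Return the start tags present in html_text, in document order."""
    parser = TagCollector()
    parser.feed(html_text)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for build in (build_raw, build_encode_all, build_encode_values):
        print(build.__name__, rendered_tags(build(ITEMS)))
```

Only the raw build lets the `<a>` tag from the data become markup; encoding everything leaves no tags at all, which matches the "HTML is not rendered" symptom in the question.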



2018-10-01 10-21-00
Diego Souza

Thank you João Barata.

I am creating the entire HTML to be sent by email. You are right, it's necessary to sanitize the HTML, so I used the Sanitization Extension and it's functioning.

:D
