How to concatenate a string to HTML string?

Hi guys,


I want to pass dynamic variables (StringList) into the HTML string to be rendered. For example:

But doing it this way the Html is not rendered.


Can you help me?

Thank you.

Hi there Diego.

Transform this "html + your variable" in a unique variable and use this variable to show in this expression, with the Escape Content = NO.

OR

Remove the function "EncodeHtml()" and continue using the "Escape Content = No".

Regards,

Carlos Alfradique


Hi Diego,

Remove the EncodeHtml() function, put your HTML content directly into the expression, and set the expression property Escape Content = No.


Regards,

Jitendra

Hi guys,


I removed the EncodeHtml() function, put the HTML directly in a single variable and set the expression property Escape Content = No, but this warning appears and the email is not sent.
I concatenated the Header + Dynamic string + Header (Concat( , )) into a single String variable "String Final". If I use EncodeHTML(String Final), the same result as in my original post appears.

Can you help me? Please.

Hello Diego,

The warning you are seeing is to inform you that you may be vulnerable to HTML injection, since you are using a variable inside your HTML and the platform can't know beforehand what that HTML content may be.

What you should do is surround your variable with the Encodehtml() function instead of the entire HTML.

If you still need to pass valid HTML inside of your variable, the only alternative is to ignore the warning and validate that you aren't generating that HTML content from user input or that you sanitize it beforehand.


Nevertheless, may I ask why you are trying to generate a full HTML document with the <html>, <head> and <body> tags?

Since you are using the expression on the page, you are already inside the <body></body> tags, so there is no need to add those.

Regards,



Thank you João Barata.

I am creating the entire HTML to be sent by email. You are right, it's necessary to sanitize the HTML, so I used the Sanitization Extension and it's functioning.

:D

Solution

Thank you guys.

In my case, the solution is: 

  1. Transform this "html + your variable" in a unique variable
  2. Use this variable to show in this expression, with the Escape Content = NO.
  3. Use the function SanitizeHtml(StringFinal) of the Sanitization Extension.
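
The difference between encoding the whole string and encoding only the variable, as discussed in this thread, shown as an added example that is not from any of the posters. Python's `html.escape` stands in for the platform's EncodeHtml(); the template, the sample list and all function names are constructed for illustration.

```python
from html import escape            # stand-in for the platform's EncodeHtml()
from html.parser import HTMLParser

# Constructed sample list: the second entry carries markup of its own.
ITEMS = ["Invoice 1042",
         '<a href="https://example.invalid/">click here</a>',
         "Tom & Ann"]


def build(items, encode_values):
    """Wrap each dynamic value in fixed <li> markup (hypothetical template)."""
    rows = "".join(
        f"<li>{escape(v) if encode_values else v}</li>" for v in items
    )
    return f"<h1>Report</h1><ul>{rows}</ul>"


def whole_encoded(items):
    # Encoding the finished string: the template's own tags become text too.
    return escape(build(items, encode_values=False))


def raw_concat(items):
    # No encoding anywhere: markup inside a value becomes live.
    return build(items, encode_values=False)


def values_encoded(items):
    # Encode each value, keep the fixed markup as is.
    return build(items, encode_values=True)


class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)


def live_tags(markup):
    """Start tags an HTML renderer would interpret in `markup`."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.seen


if __name__ == "__main__":
    for fn in (whole_encoded, raw_concat, values_encoded):
        print(f"{fn.__name__:15} {live_tags(fn(ITEMS))}")
```

Only the third variant renders the fixed markup while keeping the `<a>` from the list entry as visible text; it fits when the dynamic values are plain text rather than HTML that must be preserved.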
