Hi all,


I have one question regarding the sanitization of HTML in a client action.


I have this need because I am using the workaround for using expressions with Escape Content in Reactive, proposed by Tiago Simões in this post:
Expression Escape Content in Reactive Web


In his explanation, he advertises the following:

"PS: be sure to sanitize the HTML content, so users are not allowed to inject arbitrary JS in your ap

p."


However, in Reactive we only have the SanitizeHTML server action, from the Sanitization API, which gives a warning since it's being used on the onReady event. Please check the image below:

Being that the onReady event is a client action we also wanted to avoid calling a server action.

Besides this, we cannot use SanitizeHtml as a function when passing the HTML input to the Block:


Finally, I was wondering what are the real risks of JavaScript/HTML injection, since the onReady event is a client action, hence, running only on the client-side, and since it simply runs a JavaScript node with:

document.getElementbyId($parameters.WidgetId).innerHTML = $parameters.HTMLCode;

that can also be run from, for example, the console of the browser.

What do you think? Other possible solutions could be having the sanitization as a client action or running a JavaScript sanitization method.

I would play it safe and add the Javascript sanitization, which you linked, into script and would use that for sanitization.

Better spend a few minutes securing your app now than to have a headache in the future.

The only situation I tend to ignore these is when I set to not escape content on server-side when the string has no relation to any user provided input.

Cheers.

Hi Luis,

Having calls to the server on the OnRender does not block the render (only the OnInitialize on screens does), so we may remove those warnings in the future. In any case, if you believe you'll have several of those blocks on the page, you might consider doing it outside the block on the data action that gets the data from the server. In any case is always safer to do that on the server side.

Cheers,
Tiago Simões

Hi Tiago,


Thanks for your reply.

We will follow your suggestion and Sanitize the HTML outside the block.


Cheers,

Luís