[Human Readable Change History] RecordDifferences ChangeText does not HTML Escape contents
Forge component by Johan den Ouden
Application Type
Traditional Web, Mobile, Reactive, Service

The Original Value and Changed Value of text fields are not HTML escaped in the WhatChangedText output.

Since the WhatChangedText contains bold (<b>) tags, the application must render this directly as HTML. This means a user may inject HTML into the page that displays this history, simply by entering it into a field that is tracked via RecordDifferences.

We can somewhat reduce the issue by using SanitizeHTML when rendering the HTML. However, some HTML is still interpreted; e.g. setting an entity text field to '<h1>BIG TEXT</h1>' will render the field as a heading when displaying the differences for that record.

It would be better to perform EncodeHTML() on the values before building the WhatChangedText string, so that they are encoded alongside the bold formatting tags and are ready to safely render.

Thanks for posting Mark, yes good call.

You are correct that SanitizeHTML does not prevent all types of injection such as inserting an image or hyperlink which could be used for some forms of attack.

EncodeHTML for value content would be an excellent idea.

I would also like to see a separate option to provide a structured response so that the end user has a choice of how the resultant data is used and rendered.
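As an added illustration of the two points raised in this thread (encode the values before building the WhatChangedText string, and offer a structured result so the consumer chooses how to render it), the following JavaScript is example code written for this page and is not part of the Human Readable Change History component. The function names (buildWhatChangedTextUnsafe, buildWhatChangedTextSafe, encodeHtml, naiveSanitize, buildWhatChangedRecord), the output wording, and the sample field value are all assumptions; naiveSanitize is a constructed stand-in that only models the limitation described above and is not OutSystems' SanitizeHTML.

```javascript
// Added example, not the Forge component's code. Shows why field values
// must be HTML-encoded *before* they are concatenated with the <b>
// formatting tags, why sanitizing the finished string is not enough,
// and what a structured alternative could look like.

// HTML-encode a value so a browser shows it literally instead of parsing it.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Shape of the problem described in the post (assumed wording): raw values
// are wrapped in <b> tags, so the consumer has to render the result as HTML
// and any markup typed into the tracked field is rendered too.
function buildWhatChangedTextUnsafe(field, original, changed) {
  return `<b>${field}</b> changed from <b>${original}</b> to <b>${changed}</b>`;
}

// Hardened version: encode every value first, then add the formatting tags.
// Only the <b> tags written by this function survive as markup.
function buildWhatChangedTextSafe(field, original, changed) {
  return `<b>${encodeHtml(field)}</b> changed from ` +
    `<b>${encodeHtml(original)}</b> to <b>${encodeHtml(changed)}</b>`;
}

// Constructed stand-in for a permissive sanitizer applied *after* the string
// is built: it drops <script> blocks and inline event handlers but keeps
// ordinary tags such as <h1>, <img> and <a>. It cannot tell the component's
// own <b> tags from tags that arrived inside a field value, which is the
// limitation the post describes. This is NOT OutSystems' SanitizeHTML.
function naiveSanitize(html) {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Structured alternative (the second suggestion in the thread): return the
// raw values and let the caller decide how to encode and render them.
function buildWhatChangedRecord(field, original, changed) {
  return { field, original, changed };
}

// Constructed sample: a value an end user could type into a tracked text field.
const SAMPLE = {
  field: "Description",
  original: "hello",
  changed: "<h1>BIG TEXT</h1><img src=x onerror=alert(1)>",
};

// Build the three variants for the sample so they can be compared.
function demo() {
  const unsafe = buildWhatChangedTextUnsafe(SAMPLE.field, SAMPLE.original, SAMPLE.changed);
  const sanitizedAfter = naiveSanitize(unsafe);
  const safe = buildWhatChangedTextSafe(SAMPLE.field, SAMPLE.original, SAMPLE.changed);
  const record = buildWhatChangedRecord(SAMPLE.field, SAMPLE.original, SAMPLE.changed);
  return { unsafe, sanitizedAfter, safe, record };
}

console.log(demo());
```

Running demo() shows the difference: the unsafe string carries the <h1> and <img> tags through to the page, the sanitized copy still contains the <h1> (only the event handler was removed), and the encoded string renders the field value as literal text while keeping the component's own <b> formatting. The structured record carries no markup at all, so a consumer that binds it to a normal text expression gets platform escaping for free.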
