SanitizeHTML on Excel export
Application Type
Traditional Web
Service Studio Version
11.10.18 (Build 41211)

I have an HTML string (with HTML tags) stored in the database. I am fetching it with some other data and generating an Excel report out of it. I am using Advanced SQL to collect the data and fill it into an output structure, and using the Advanced Excel forge component actions to dump it into an Excel file.

Is there any way I can sanitize the HTML text before I dump it into the Excel file?


Thanks

Chetan

Solution

Hi Chetan Patil,

There is no simple and standard way of performing this operation at the database level, but it is fairly simple to implement in OutSystems.

Neha Agrawal's suggestion is valid: for your specific case you could perform that sanitization as you go when you pass the data to the Cell_WriteRange action.

A more generic alternative would be to sanitize the list's data upfront, as soon as it is returned. Basically what you would need to do is:

  1. Use the SQL tool to run your query;
  2. Use the For Each tool to iterate through the output of the SQL tool from 1. and, for each record:
    1. Use the Assign tool with a single assignment with the sanitization:
      • Variable is the HtmlString attribute (or whichever is the name of the attribute of your structure that holds the non-sanitized HTML string)
      • Value is SanitizeHTML(HtmlString)
    2. You have effectively updated the output list of your SQL with a sanitized version of the HTML strings.
  3. Continue with the remaining pre-existing logic, which will now be using sanitized data.

Hope this helps!



Hi Chetan Patil,

You may want to use the built-in function EncodeHTML to replace all HTML reserved characters by their escaped counterpart; or use the SanitizeHTML function from the Sanitization extension module that also comes with the platform to make sure there isn't any malicious code.

Hope this helps!

Hi Chetan,

I agree with the solutions proposed by Jorge; you can refer to the documentation: HTML Injection Warning

The above mentioned document states the below:

  • Use the EncodeHTML() built-in function to replace all HTML reserved characters by their escaped counterpart. (This means EncodeHTML() will check HTML characters only. It will not protect you from JS or XSS vulnerabilities. We should not use this on string literals that we plan to expect as part of code.)
  • Use the SanitizeHTML() function from the Sanitization extension module to ensure that the value entered by the end user does not contain any malicious content. (This means SanitizeHTML() will sanitize the input provided by the end user and sanitize the API outcomes to avoid code injection in HTML, JS and SQL.)

In your case, you might need to work with SanitizeHTML().

Thanks & Regards,

Neha Agrawal
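As an added illustration, not OutSystems or Forge code, the Python below sketches what the two answers above describe: an allowlist HTML sanitizer standing in for SanitizeHTML, plain escaping standing in for EncodeHTML, and the For Each + Assign pass over the query output before it is handed to Cell_WriteRange. The tag allowlist, the record layout and the HtmlString field name are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Allowlist is an assumption for this example: simple formatting tags survive,
# every other tag is dropped, and no attribute (onclick, style, href...) is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its body both removed

class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:  # text is re-escaped so it can never become markup
            self.out.append(html.escape(data, quote=False))

def sanitize_html(value: str) -> str:
    """Allowlist sanitizer: keeps safe formatting, strips everything else."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

def encode_html(value: str) -> str:
    """EncodeHTML-style escaping: all markup becomes literal text."""
    return html.escape(value, quote=True)

def sanitize_records(records, field="HtmlString"):
    """The For Each + Assign step: rewrite the field on every record in place."""
    for record in records:
        record[field] = sanitize_html(record[field])
    return records

if __name__ == "__main__":
    # Constructed sample rows, standing in for the Advanced SQL output list.
    rows = [{"Id": 1, "HtmlString": '<p onclick="x()">Hi &amp; <script>alert(1)</script>bye</p>'},
            {"Id": 2, "HtmlString": "<img src=x onerror=alert(1)>plain<br/>text"}]
    for row in sanitize_records(rows):
        print(row["Id"], row["HtmlString"])
```

Escaping keeps the markup visible as text in the cell, while sanitizing keeps the formatting and drops the dangerous parts; which one you want depends on whether the report should render the HTML or show it literally.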

Thank you Jorge and Neha. I am familiar with the EncodeHTML and SanitizeHTML() functions. In my case I don't know when to use that function. I can't use it in Advanced SQL, and I can't find a way to do it at the structure level (the output structure which will be populated by the Advanced SQL query), and also not anywhere in the Advanced Excel APIs, which are basically just dumping the data in the structure using Cell_WriteRange. Any thoughts?


-Chetan

Hi Chetan,

As per the description, we can simply add a local variable, sanitize it and then bind that variable to the structure. Or you can also sanitize it in the value expression while using Cell_WriteRange.
We would be able to help you in more detail if you can share your issue in detail, maybe with an OML.

Thanks & Regards,

Neha Agrawal


@Jorge Martins @Neha Agrawal Yes, already implemented using For Each and the Assign operator. Thanks for your inputs.
