I have a web block that contains a link. I want this link to redirect to an external site when clicked, but the destination needs to be different depending on which screen the web block is used in.
At first I attached an event to the link, then gave it a handler in the parent screen that redirects to the external site. But when a user mouses over the link on the page, it shows a preview of "javascript:void(0)". I'd prefer it to show the actual link, if possible.
To fix the preview issue, I tried giving the block an input parameter to pass the URL to the link directly. But this causes Service Studio to raise a warning on the input that says "Redirecting to a URL coming from a screen input parameter makes your application vulnerable to open redirect attacks."
In Traditional Web this issue can be solved with the ReplaceURLDomain() function, but I can't seem to find a client-side equivalent. However, I note that this warning specifies screen input parameters, not blocks. Assuming I pass the URL into the block from, say, a data action, would this still be safe?
Alternatively, does anyone know of a different way to solve the issue?
Thanks for your help.
Hi Terry,
As a suggestion, why can't the web block handle the logic to gather the URL based on a specific input? Let's say you have multiple services and according to the selected service you are redirected to a specific page and there is a common behavior (the link) on the pages as you mentioned. Why not create a reusable WB as you did but instead of being the parent (pages) doing the logic we let the web block do it? The web block should receive the "service id" and using that get the configured URL.
Best Regards,
Diogo Romero
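Added example, not part of the original thread and not OutSystems platform code: a plain JavaScript sketch of the approach suggested above, where the block resolves a service id to a configured URL, plus a host allowlist check for the case where a full URL is passed in (for instance from a data action). The service ids, URLs and function names are assumptions made up for illustration.

```javascript
// Constructed sample configuration: service id -> external destination.
// In a real app this would be developer-controlled configuration.
const SERVICE_URLS = Object.freeze({
  billing: "https://billing.example.com/portal",
  support: "https://support.example.org/tickets",
});

// Allowed hosts are derived from the configuration only,
// never from anything the user can supply.
const ALLOWED_HOSTS = new Set(
  Object.values(SERVICE_URLS).map((u) => new URL(u).host)
);

const FALLBACK_URL = "/"; // stay inside the application when in doubt

// Option 1: the block receives only a service id and looks up the URL itself.
// hasOwnProperty avoids matching inherited keys such as "constructor".
function urlForService(serviceId) {
  return Object.prototype.hasOwnProperty.call(SERVICE_URLS, serviceId)
    ? SERVICE_URLS[serviceId]
    : FALLBACK_URL;
}

// Option 2: the block receives a full URL and validates it before
// binding it to the link.
function safeExternalUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed input
  } catch {
    return FALLBACK_URL;
  }
  // Only https; this also rejects javascript: and data: schemes.
  if (parsed.protocol !== "https:") return FALLBACK_URL;
  // Reject embedded credentials, which can disguise the real host.
  if (parsed.username || parsed.password) return FALLBACK_URL;
  // Exact host match; suffix or substring checks are not sufficient.
  if (!ALLOWED_HOSTS.has(parsed.host)) return FALLBACK_URL;
  return parsed.href;
}
```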
Hi,
I have the same question and since this one wasn't answered I will also try to illustrate my example.
I also get the following warning: "Redirecting to a URL coming from a screen input parameter makes your application vulnerable to open redirect attacks."
In my case I am using an input parameter in the block but it is being set with values NOT from the URL as seen in the example below:
I know this doesn't prevent the user from mistakenly assigning a screen input parameter to the block's input field but my question is: if we don't use screen input parameters, is the application still at risk? In other words, can someone still manipulate the block's input parameter?
Thanks in advance.
Regards,
Ricardo