HTML Tag Sanitization

By default, the Web Application and Scheduler Services scan and remove unsafe HTML tags from any user input. User input areas include report cells, report descriptions, filter fields, and so on. This is to protect the application from any potential script injection attacks. Removing unsafe tags is referred to as a blacklist approach, because input is filtered against a blacklist of tags which are deemed unsafe.

Alternatively, all HTML tags can be removed except those specifically deemed safe. This is referred to as a whitelist approach. It has a less predictable effect on user input, but it is generally safer if script injection attacks are a concern.

HTML formatting generated by the application, such as the Report Viewer, is not vulnerable to script injection.

Enabling Whitelist Filtering

To filter user input by a whitelist:

Note

This article uses <WebApp> and <Sched> as placeholders for the application's install location and the Scheduler Service's install location, respectively.

  1. Edit the appropriate appSettings file in a text or XML editor:
    • Web Application: <WebApp>\appSettings.config
    • Scheduler Application: <Sched>\eWebReportsScheduler.exe.config
  2. Add the following node between the <appSettings> </appSettings> tags:
    <add key="inputSanitizationMethod" value="Aggressive" />
  3. Restart the application or service.

Editing the Whitelist v2016.3.7+

To view and edit the tag whitelists, open the appropriate whitelist file in a text editor. Each whitelist file contains a JSON-formatted array of strings, one per allowed tag name. To strip all HTML tags from user input, remove every tag from the tagwhitelist.json files, leaving an empty array.

Tip

To learn more about JSON, refer to the Using JSON article.

  • Web Application: <WebApp>\Config\Other\tagwhitelist.json
  • Scheduler Service: <Sched>\bin\tagwhitelist.json

Be cautious about adding potentially unsafe tags such as <input> and <iframe> to the whitelist. Removing HTML tags from the whitelist may cause existing reports to display incorrectly.
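The following added example (not Exago's own code) illustrates the difference between the two modes described above: a blacklist filter that removes only tags known to be unsafe, and a whitelist filter driven by a tagwhitelist.json-style array that removes everything not explicitly allowed. The whitelist contents, the blacklist, and the sample cell text are all constructed for the illustration; the real product's parsing rules are not shown here, and this model handles tag names only.

```python
import json
import re

# Constructed stand-in for the contents of tagwhitelist.json: a JSON array of tag names.
WHITELIST_JSON = '["b", "i", "u", "br", "p", "span"]'

# Constructed blacklist standing in for the default "remove unsafe tags" behaviour.
UNSAFE_TAGS = {"script", "iframe", "object", "embed"}

# Matches an opening, closing or self-closing tag; group 1 is the tag name.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def load_whitelist(whitelist_json: str) -> set[str]:
    """Parse a tagwhitelist.json-style document into a set of lower-cased tag names."""
    tags = json.loads(whitelist_json)
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("whitelist must be a JSON array of strings")
    return {t.lower() for t in tags}


def sanitize_whitelist(text: str, allowed: set[str]) -> str:
    """Whitelist mode: keep a tag only if its name is on the allowed list.
    An empty whitelist therefore strips every tag. Text between removed tags stays."""
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in allowed else "", text)


def sanitize_blacklist(text: str, unsafe: set[str]) -> str:
    """Blacklist mode: remove a tag only if its name is on the unsafe list.
    Anything not anticipated by the list (e.g. <input>) passes through untouched."""
    return TAG_RE.sub(lambda m: "" if m.group(1).lower() in unsafe else m.group(0), text)


# Constructed user input as it might be typed into a report cell.
SAMPLE_CELL = '<b>Total</b> <input onfocus="x"> <iframe src="evil"></iframe> <script>alert(1)</script>'

if __name__ == "__main__":
    allowed = load_whitelist(WHITELIST_JSON)
    print("whitelist:", sanitize_whitelist(SAMPLE_CELL, allowed))
    print("blacklist:", sanitize_blacklist(SAMPLE_CELL, UNSAFE_TAGS))
```

Note that the <input> tag survives the blacklist pass because it was never listed as unsafe, while the whitelist pass removes it along with <iframe> and <script>; this is the trade-off the text describes.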
