HTML Tag Sanitation
By default, the Web Application and Scheduler Service scan user input and remove HTML tags that are deemed unsafe. User input areas include report cells, report descriptions, filter fields, and so on. This protects the application from script injection attacks. Removing known-unsafe tags is referred to as a blacklist approach, because input is filtered against a blacklist of tags deemed unsafe; any tag that is not on the list passes through.
Alternatively, all HTML tags can be removed except those specifically deemed safe. This is referred to as a white list approach. It can have a less predictable effect on user input, because any tag not on the list is stripped, but it is generally safer where script injection attacks are a concern.
HTML formatting generated by the application itself, such as by the Report Viewer, is not vulnerable to script injection.
Enabling White list Filtering
To filter user input by a white list:
This topic references <WebApp>/, <WebSvc>/ and <Sched>/ as placeholders for the install locations of the Web Application, Web Service API and Scheduler Service respectively. The default install locations are C:\Program Files\Exago\ExagoWeb\ (/opt/Exago/ on Linux), C:\Program Files\Exago\ExagoWebApi\ (/opt/Exago/WebServiceApi/ on Linux) and C:\Program Files\Exago\ExagoScheduler\ (/opt/Exago/Scheduler/ on Linux); however, these directories can be changed during installation.
- Edit the appropriate appSettings file in a text or XML editor:
  - Web Application: <WebApp>\appSettings.config
  - Scheduler Service: <Sched>\eWebReportsScheduler.exe.config
- Add the following node between the <appSettings> and </appSettings> tags: <add key="inputSanitizationMethod" value="Aggressive" />
- Restart the application or service.
Editing the White list v2016.3.7+
To view and edit the tag white lists, edit the appropriate white list file in a text editor. The white list files contain a JSON-formatted array of strings, one per allowed tag. To strip all HTML tags from user input, remove every entry from the tagwhitelist.json files so that the array is empty:
- Web Application:
<WebApp>\Config\Other\tagwhitelist.json
- Scheduler Service:
<Sched>\bin\tagwhitelist.json
Be cautious about adding potentially unsafe tags, such as <input> and <iframe>, to the white list. Removing HTML tags from the white list may cause existing reports that use those tags to display incorrectly.
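The difference between the two modes, as an added Python illustration that is not Exago's code: a tag-name blacklist in the style of the default mode, a white list filter driven by a JSON array in the same shape as tagwhitelist.json, and a check for unsafe entries in that array. The sample inputs, the contents of BLACKLIST, and the entries of RISKY_TAGS beyond <input> and <iframe> are constructed for this example; how Exago's own sanitizer parses tags or treats attributes on allowed tags is not stated on this page.

```python
import json
import re

# Tag names a blacklist filter removes. Constructed for this example; the
# page does not list which tags Exago's default mode strips.
BLACKLIST = {"script", "iframe", "object", "embed"}

# A white list in the same shape as tagwhitelist.json: a JSON array of tag
# name strings. Constructed for this example, not Exago's shipped file.
TAG_WHITELIST_JSON = '["b", "i", "u", "p", "br", "span"]'

# Tags that should not be white-listed for user input. The page names <input>
# and <iframe>; the remaining entries are this example's additions.
RISKY_TAGS = {"input", "iframe", "script", "object", "embed", "form", "style", "svg"}

# Matches one opening or closing tag and captures the slash and the tag name,
# e.g. "</b>" -> ("/", "b") and "<svg onload=x>" -> ("", "svg").
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9-]*)[^>]*>")


def load_whitelist(json_text):
    """Parse a tagwhitelist.json-style array into a set of lowercase tag names.

    Raises ValueError if the file is not a JSON array of strings, which is the
    check to run after hand-editing the file."""
    tags = json.loads(json_text)
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("white list must be a JSON array of strings")
    return {t.strip().lower().strip("<>") for t in tags}


def blacklist_filter(text, blacklist=BLACKLIST):
    """Remove only tags whose name is on the blacklist; every other tag passes."""
    def keep_or_drop(m):
        return "" if m.group(2).lower() in blacklist else m.group(0)
    return TAG_RE.sub(keep_or_drop, text)


def whitelist_filter(text, allowed):
    """Remove every tag whose name is not on the white list.

    Allowed tags are re-emitted as the bare tag name so that an event handler
    attribute such as onmouseover cannot ride along on an allowed tag. This is
    the example's own choice; the page does not say how Exago treats attributes."""
    def keep_or_drop(m):
        slash, name = m.group(1), m.group(2).lower()
        return f"<{slash}{name}>" if name in allowed else ""
    return TAG_RE.sub(keep_or_drop, text)


def audit_whitelist(allowed):
    """Return the white-listed tags that are considered unsafe for user input."""
    return sorted(allowed & RISKY_TAGS)


# Constructed report-cell inputs, two of which a tag-name blacklist misses.
SAMPLES = [
    "<b>Total</b> <script>alert(1)</script>",
    "<svg onload=alert(1)>chart</svg>",
    "<b onmouseover=alert(1)>hover</b>",
]

if __name__ == "__main__":
    allowed = load_whitelist(TAG_WHITELIST_JSON)
    for sample in SAMPLES:
        print("input:     ", sample)
        print("blacklist: ", blacklist_filter(sample))
        print("whitelist: ", whitelist_filter(sample, allowed))
    # Simulate someone adding <iframe> to the white list and audit the result.
    print("risky tags in white list:", audit_whitelist(allowed | {"iframe"}))
```

Running it shows the point of the Aggressive setting: the blacklist removes <script> but passes `<svg onload=alert(1)>` untouched because svg is not on its list, whereas the white list strips it and also drops the onmouseover handler from the allowed <b>. The text "alert(1)" left behind after a <script> tag is removed is inert. The regex is enough to illustrate the two policies, but a production sanitizer should tokenize with a real HTML parser, since malformed markup can be written so that a regex sees tag boundaries differently from a browser.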