Cross-Site Scripting (XSS) is an attack on a website in which data that contains script is rendered and executed, so malicious code entered by one user may be run in the browser of another user.
Servoy sanitizes all data that is shown in the WebClient and the NGClient to prevent this in Servoy solutions.
Example: a solution lets users register themselves and has a backoffice form that lists all users.
When a user registers with a name that contains script, for example 'John<script>doSomethingBad()</script>Doe', Servoy will not execute the script but sanitizes the data and shows just 'John Doe'.
In some situations the data bound to an element contains HTML that has to be shown as-is.
Only when the source of that HTML can be fully trusted should an element be configured to disable sanitizing; any user-controlled text that ends up in such an element must then be escaped by the solution itself.
This is done via the APP_UI_PROPERTY.TRUST_DATA_AS_HTML client property on an element:
elements.usernameLabel.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
When this property is set on an element, data from its dataProvider is trusted and not sanitized.
Alternatively, sanitizing can be turned off for the entire running client by applying the same property on the application node:
application.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
Using this at application level is highly discouraged: every element in the client then renders unsanitized data, and any user-supplied value that reaches the UI becomes an XSS vector.
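The following is an added example, not code from the Servoy documentation or the Servoy product, showing how a solution can keep an element with TRUST_DATA_AS_HTML enabled safe: the markup is authored by the solution, and every user-supplied value is entity-encoded before it is spliced in. The helper names (escapeHtml, containsMarkup, renderUserRow), the sample user record and the Servoy usage shown in the trailing comment are assumptions made for this example; the helpers run stand-alone in Node.js.

```javascript
// Added example (not Servoy code). Helpers for elements that have
// APP_UI_PROPERTY.TRUST_DATA_AS_HTML set: since Servoy no longer sanitizes
// the dataProvider value, the solution must escape untrusted text itself.

// Entity-encode the characters that matter when text is placed in HTML
// element content or in a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Cheap audit check: does a value contain anything that looks like a tag or
// an entity? Useful for logging registrations that carry markup, or for
// deciding whether a field may be bound to a trusted element at all.
function containsMarkup(value) {
  return /<\/?[a-zA-Z!][^>]*>|&[#a-zA-Z0-9]+;/.test(String(value));
}

// Compose the HTML shown in a trusted element. The <b> and parentheses are
// written by the solution (trusted); name and email come from the user and
// are escaped, so a registered name such as
// 'John<script>doSomethingBad()</script>Doe' is displayed literally and never
// parsed as a script element.
function renderUserRow(user) {
  return '<b>' + escapeHtml(user.name) + '</b> (' + escapeHtml(user.email) + ')';
}

// Constructed sample input: a registration whose name field carries a script.
const sampleUser = {
  name: 'John<script>doSomethingBad()</script>Doe',
  email: 'john.doe@example.invalid'
};

// Assumed usage inside a Servoy solution (not executed here):
//   elements.userRowLabel.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
//   elements.userRowLabel.text = renderUserRow(sampleUser);
if (containsMarkup(sampleUser.name)) {
  console.log('registration contains markup, escaping before display');
}
console.log(renderUserRow(sampleUser));
```

The point of the split is that trust is granted to the element, not to the data: the only unescaped characters that reach the trusted element are the ones the solution wrote itself.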
For more information see UICONSTANTS.