HTML inspectors

There are several inspectors that facilitate the generation of HTML text from string literals and property results. These inspectors have the type html that allows special characters, such as angle brackets and ampersands, to be properly escaped. Neglecting to escape these characters when you output text that is based on user input or database content can lead to cross-site scripting vulnerabilities. Using these inspectors, you can safely format HTML strings with any regular query. For example:

<?relevance name of company?>

If name of company is Big&Bad, the processing instruction is replaced in the HTML with the properly escaped string:

Big&amp;Bad

You can include an "as html" cast explicitly to ensure that special characters print properly, rather than being interpreted as markup:

<?relevance "<h1>Heading</h1>" as html?>

This expression returns:

"&lt;h1&gt;Heading&lt;/h1&gt;"

There are some situations where escaping reserved characters is not appropriate. The most common cases are where you have a literal HTML string, or properties whose type is string but that already produce appropriately formatted HTML. In these cases, you can use the html indexed property:

<?relevance html "<h1>Heading</h1>"?>

This phrase results in:

"<h1>Heading</h1>"

Depending on how the dashboard is used, avoid the html indexed property where you can: it emits its argument unescaped, so applying it to anything derived from user input or database content potentially allows a script insertion attack. As an alternative, build your own expressions by concatenating strings and html values. For example, the following two expressions return the same result:

<?relevance html "<h1>" & name of company & html "</h1>"?>
<?relevance concatenation of (html "<h1>"; name of company as html; html "</h1>")?>

These lines return the following:

"<h1>Big&amp;Bad</h1>"

Because items in a list must all have the same type, the following does not work:

<?relevance concatenation of (html "<h1>"; name of company; html "</h1>")?>

This expression produces the error "Incompatible types (html and string)" because the company name was not cast as html.
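The escaping and type rules described on this page, modelled in Python as an added example (this is not BigFix's own implementation): `as_html` plays the role of "as html", `html_literal` the role of the html indexed property, `&` the concatenation operator that casts a plain string operand, and `concatenation_of` the list form that rejects mixed types. The escaping of quotes and the sample company name are assumptions of the example.

```python
import html as stdlib_html


class Html:
    """Value of the relevance 'html' type: markup that is safe to emit as-is."""

    def __init__(self, markup: str) -> None:
        self.markup = markup

    # Models the '&' operator: a plain string on either side is cast to html
    # (escaped) before joining, as in  html "<h1>" & name of company & html "</h1>"
    def __and__(self, other):
        return Html(self.markup + as_html(other).markup)

    def __rand__(self, other):
        return Html(as_html(other).markup + self.markup)


def as_html(value) -> Html:
    """'... as html': escape &, <, > (and, as an assumption here, quotes)."""
    if isinstance(value, Html):
        return value
    return Html(stdlib_html.escape(value, quote=True))


def html_literal(markup: str) -> Html:
    """'html "..."': trust the markup unchanged; safe only for constant strings."""
    return Html(markup)


def concatenation_of(items) -> Html:
    """'concatenation of (...)': every item must already be html."""
    for item in items:
        if not isinstance(item, Html):
            raise TypeError("Incompatible types (html and string)")
    return Html("".join(item.markup for item in items))


def render(value) -> str:
    """Text substituted for a <?relevance ...?> instruction: strings are
    escaped, html values are emitted verbatim."""
    return as_html(value).markup


# Constructed sample: a company name containing markup characters.
COMPANY = 'Big&Bad <em>"Inc"</em>'


def heading_with_operator() -> str:
    return render(html_literal("<h1>") & COMPANY & html_literal("</h1>"))


def heading_with_list() -> str:
    return render(concatenation_of(
        [html_literal("<h1>"), as_html(COMPANY), html_literal("</h1>")]))


def mixed_list_is_rejected() -> bool:
    try:
        concatenation_of([html_literal("<h1>"), COMPANY, html_literal("</h1>")])
    except TypeError:
        return True
    return False
```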