HTML Data Escaping

  • updated 3 yrs ago

Introduction

When your application exchanges data between LogicNets and external systems using the ApplicationRunner web service, there are some considerations you should take into account to ensure the security of your application. This topic discusses them.

LogicNets HTML-Unescapes Imported XML Element Values

LogicNets assumes that all element values are HTML-escaped, because the value could otherwise be interpreted as XML elements. LogicNets will unescape all values to obtain the actual intended value. This means that you need to take special care when using these values as displayed data on the frontend and in the model.

If the data needs to be displayed without being interpreted as HTML by the browser, you will need to double-escape the value. For example, this single-escaped value:

 

will become the following in LogicNets:

 

and it will be displayed as 'valid' HTML, hiding the div elements and activating the possible CSS styling. The value will display as Some Styled Text.

If the value should be displayed as a literal string that shows the div elements, you need to double-escape the value:


 

LogicNets HTML-Escapes UI Values

LogicNets stores all values of regular inputs as HTML-escaped values. We do this so that displaying these values cannot break or modify other HTML content on the page, and so that malicious markup or script contained in a value cannot be executed in the browser.

LogicNets' generic data exchange processing has no real knowledge of whether a given value should be escaped once or multiple times. This means that consuming systems that process these values need to know what the data is intended for, or the model must take care to escape values correctly.
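The following is an added example (not LogicNets code) that models the two points above with Python's standard `html` module: the import step unescapes each element value once, so a value that must render as literal text has to be escaped twice before import, and a consumer that does not know the intended escaping depth can at least measure how many unescape rounds a value survives. The sample value and the tag-stripping "browser" are constructed for illustration.

```python
import html
import re

# Constructed sample value: markup that a browser would interpret if it reached
# the page unescaped.
SAMPLE = '<div class="styled">Some Styled Text</div>'


def single_escape(raw: str) -> str:
    """Escape once: enough for the XML transport, not for literal display."""
    return html.escape(raw)


def double_escape(raw: str) -> str:
    """Escape twice: survives one unescape on import and still renders literally."""
    return html.escape(html.escape(raw))


def logicnets_import(element_value: str) -> str:
    """Models the import behaviour described above: every value is unescaped once."""
    return html.unescape(element_value)


def browser_visible_text(stored: str) -> str:
    """Very rough model of what a browser shows for a stored value: real tags are
    consumed as markup (and stripped here), entities are decoded to characters."""
    without_tags = re.sub(r"<[^>]*>", "", stored)
    return html.unescape(without_tags)


def renders_as_markup(stored: str) -> bool:
    """True when the stored value contains an unescaped tag the browser would act on."""
    return re.search(r"<[^>]*>", stored) is not None


def escape_rounds(value: str) -> int:
    """Count how many unescape rounds change the value. A consumer can use this to
    detect over-escaped data; it is ambiguous for text that legitimately contains
    entity-like sequences such as '&amp;', so treat the result as a heuristic."""
    rounds = 0
    while (unescaped := html.unescape(value)) != value:
        value = unescaped
        rounds += 1
    return rounds


if __name__ == "__main__":
    stored_single = logicnets_import(single_escape(SAMPLE))
    stored_double = logicnets_import(double_escape(SAMPLE))
    print("single-escaped -> shown as:", browser_visible_text(stored_single))
    print("double-escaped -> shown as:", browser_visible_text(stored_double))
```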
