validation on the fields

could any one help me on how to prevent the user from entering this kind of scripts on the fields !! <script>alert(1) </script>        
4 answers

Hi Ahay

Never trust user input. Though Mendix is doing some escaping for inputs, but this only works client side.

Lucky the standard components will escape the data fore displaying. 

In some cases people show text in HTML snippet widget which does not escape..

This risks cross side scripting, you can sanitize the input data with community commons function XSSSanitize

Cheers, Andres



You can use regular expression in a microflow against the corresponding filed.  The expression depends on what all you can allow, if you have specific requirement of not allowing script tags only,  you may use this : 


Inserting  code like


into a text box  is javascript insertion. You do not need to handle this yourself. Mendix does that for you.

Do you have an example of a Mendix-application where the you succesfully trigger your inserted javascript alert?


Mendix prevents execution of the script, but this does not mean that your are entirely safe in all conditions. A script you enter will be stored and can be sent to other systems via services for example. The other system could then execute the script.
And when you use appstore components or develop your own components, you are also not always safe.
See  .