validation on the fields

0
Could anyone help me on how to prevent the user from entering this kind of script in the fields!! <script>alert(1) </script>
asked
4 answers
1

Hi Ahay

Never trust user input. Though Mendix does some escaping for inputs, this only works client-side.

Luckily, the standard components will escape the data before displaying.

In some cases people show text in the HTML snippet widget https://appstore.home.mendix.com/link/app/56/, which does not escape.

This risks cross-site scripting; you can sanitize the input data with the Community Commons function XSSSanitize:

https://appstore.home.mendix.com/link/app/170/

Cheers, Andres

answered
0


You can use a regular expression in a microflow against the corresponding field. The expression depends on what you can allow; if you have a specific requirement of not allowing script tags only, you may use this:

<[^>]*script

answered
0

Inserting code like

<script>javascript:alert('Inserted!');</script>

into a text box is JavaScript insertion. You do not need to handle this yourself. Mendix does that for you.

Do you have an example of a Mendix application where you successfully trigger your inserted JavaScript alert?

answered
0

Mendix prevents execution of the script, but this does not mean that you are entirely safe in all conditions. A script you enter will be stored and can be sent to other systems via services, for example. The other system could then execute the script.
And when you use appstore components or develop your own components, you are also not always safe.
See https://docs.mendix.com/howto/security/best-practices-security#3-avoiding-injection.

answered
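An added example, written in Python rather than as Mendix microflow or Java action code and not taken from the Mendix platform or Community Commons: it applies the regex from the second answer as an input check and shows the escape-on-display behaviour the first answer describes, next to a hypothetical snippet widget that inserts stored data raw, which is the situation the fourth answer warns about. The widget functions, their names and the sample input are assumptions.

```python
import re

# Constructed sample: the exact string from the question, as a user might type it.
SAMPLE_INPUT = "<script>alert(1) </script>"

# The blocklist pattern given in the second answer, applied case-insensitively.
SCRIPT_TAG_RE = re.compile(r"<[^>]*script", re.IGNORECASE)


def contains_script_tag(value: str) -> bool:
    """Input validation as in the second answer: True if the value matches the pattern."""
    return SCRIPT_TAG_RE.search(value) is not None


def escape_for_html_text(value: str) -> str:
    """Output encoding for an HTML text node, the defence the first answer relies on.

    Escapes the five characters that can change HTML structure, so whatever was
    stored (including a script tag) is shown as literal text, never parsed as markup.
    """
    return (value.replace("&", "&amp;")   # first, so later entities are not double-escaped
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#x27;"))


def render_as_text_widget(stored_value: str) -> str:
    """Hypothetical standard widget: escapes on display, as the first answer describes."""
    return "<div>" + escape_for_html_text(stored_value) + "</div>"


def render_as_html_snippet(stored_value: str) -> str:
    """Hypothetical HTML snippet widget: inserts the stored value without escaping."""
    return "<div>" + stored_value + "</div>"


def stored_value_rendered_raw(rendered: str, stored_value: str) -> bool:
    """Check: does the stored value survive into the page as raw markup?"""
    return stored_value in rendered


if __name__ == "__main__":
    print("blocklist matched :", contains_script_tag(SAMPLE_INPUT))
    print("text widget       :", render_as_text_widget(SAMPLE_INPUT))
    print("html snippet      :", render_as_html_snippet(SAMPLE_INPUT))
```

The blocklist catches the question's input, but only the escaping widget makes the stored value harmless on display; the snippet widget passes it through unchanged, which is why encoding at the output is the check to rely on.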