In Stewardship Tier versions 7.4.1 and earlier, users were permitted to enter HTML and have it rendered in the UI or included in file downloads from the UI. There were no restrictions on what HTML or JavaScript text was permitted, which exposed users to potentially dangerous cross-site scripting (XSS) attacks.
Places where users enter HTML are now sanitized using a third-party library: HtmlSanitizer. This library removes JavaScript and other unsafe or unknown HTML elements and attributes. Any remaining, safe HTML is displayed to users.
This action is applied to places where users can enter HTML, which include the following:
- HTML area
- Dynamic page help
- Dynamic page subtitle
- Pre-Event messages
- Validation messages
- User messages
Use of HTML in these areas has been updated throughout the Stewardship Tier. Additionally, the following instances where HTML messages contained JavaScript have been updated to function without the use of JavaScript:
- Mass Maintenance | Request (Roles) page
  When users click the Validate button and validation errors exist, a message appears that previously contained a link to the Request (Roles - Validations) page. The message still appears, but the link has been removed and the text now tells the user to click the Failures icon to view the error report.
- Mass Maintenance | Request (Roles - Validations) page
  The button in the KEYS column has been replaced with an arrow icon that opens the data entry page in a new browser tab, since a link can no longer be opened from a button without using JavaScript.
- Integrate | Template Report page
  The Print icon was removed from the Template Report page because it executed JavaScript. To print the Integrate Template report, use a Chrome extension such as the Print Friendly & PDF extension.
- Integrate | Process Post page
  When users click the Background Post icon on the Process Post page, a message still displays after validation (before the background post begins) with a link to the Monitor page; however, the link is now a plain HTML URL that opens in a new browser tab.
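The following is an added example, not the product's own code, showing how the HtmlSanitizer library described above behaves on the kind of user-entered message text this release note is concerned about, and why the JavaScript-driven buttons above had to become plain HTML links. It uses the public HtmlSanitizer API (`Sanitize`, the `AllowedTags`/`AllowedAttributes`/`AllowedSchemes` sets and the `RemovingTag`/`RemovingAttribute` events); the restricted allow list, the `MessageSanitizer` class name, the sample input and the `stewardship.example.com` host are assumptions made for this illustration.

```csharp
// Added example (not the product's code): sanitizing user-entered HTML with the
// HtmlSanitizer NuGet package (https://github.com/mganss/HtmlSanitizer).
// The namespace is Ganss.Xss in version 8 and later; older releases use Ganss.XSS.
using System;
using Ganss.Xss;

public static class MessageSanitizer
{
    // One configured instance, reused for every message. Even the library's
    // default allow lists already drop <script>, on* handlers and javascript: URLs;
    // this example narrows them further to what a message field actually needs.
    private static readonly HtmlSanitizer Sanitizer = CreateSanitizer();

    private static HtmlSanitizer CreateSanitizer()
    {
        var s = new HtmlSanitizer();

        // Allow list for a message field (assumption): basic formatting and links only.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "span", "a" })
            s.AllowedTags.Add(tag);

        s.AllowedAttributes.Clear();
        foreach (var attr in new[] { "href", "title", "target", "rel" })
            s.AllowedAttributes.Add(attr);

        // Only http(s) links survive; javascript:, data: and vbscript: hrefs are removed.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");

        // Log what was stripped. In production this would go to the application log:
        // a burst of removed <script> tags in saved messages is a signal worth alerting on.
        s.RemovingTag += (sender, e) =>
            Console.WriteLine($"removed tag <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        s.RemovingAttribute += (sender, e) =>
            Console.WriteLine($"removed attribute {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");

        return s;
    }

    // Call this on every save of HTML area, page help, subtitle and message fields.
    public static string Sanitize(string userHtml) => Sanitizer.Sanitize(userHtml);

    public static void Main()
    {
        // Constructed sample input: legitimate formatting mixed with the patterns the
        // release note addresses. The last two elements contrast the old JavaScript
        // button with the plain HTML link that replaced it.
        const string input =
            "<p>Validation <b>failed</b>. Click the Failures icon to view the report.</p>" +
            "<script>alert(1)</script>" +
            "<img src=\"x\" onerror=\"alert(1)\">" +
            "<a href=\"javascript:alert(1)\">Open report</a>" +
            "<button onclick=\"window.open('/Monitor')\">Monitor</button>" +
            "<a href=\"https://stewardship.example.com/Monitor\" target=\"_blank\" rel=\"noopener\">Monitor</a>";

        Console.WriteLine(Sanitize(input));
    }
}
```

Running this, the `<script>` element, the `<img>` with its `onerror` handler and the `<button>` with its `onclick` handler are removed, the `javascript:` href is dropped from the first anchor, and only the paragraph and the `https://` link keep working. That is the same outcome the release note describes: anything that relied on JavaScript to open a page stops working after sanitization, while an ordinary `<a href>` that opens in a new tab passes through unchanged.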