By default, the Web Application and Scheduler Services scan user input and remove unsafe HTML tags from it. User input areas include report cells, report descriptions, filter fields, and so on. This protects the application from potential script injection attacks. Removing unsafe tags is referred to as a blacklist approach, because input is filtered against a blacklist of tags that are deemed unsafe.
Alternatively, all HTML tags can be removed except those specifically deemed safe. This is referred to as a whitelist approach. It can have a more unpredictable effect on user input, but it is generally safer when script injection attacks are a concern.
Note: HTML formatting generated by the application, such as the Report Viewer, is not vulnerable to script injection.
Enabling Whitelist Filtering
To filter user input by a whitelist:
Note: This article uses <WebApp> and <Sched> as placeholders for the application's install location and the Scheduler Service's install location, respectively.
- Edit the appropriate appSettings file in a text or XML editor:
  - Web Application: <WebApp>\appSettings.config
  - Scheduler Application: <Sched>\eWebReportsScheduler.exe.config
- Add the following node between the <appSettings> and </appSettings> tags:
  <add key="inputSanitizationMethod" value="Aggressive" />
- Restart the application or service.
Editing the Whitelist (v2016.3.7+)
To view and edit the tag whitelists, edit the appropriate whitelist file in a text editor. The whitelist files contain a JSON-formatted array of strings. To learn more about JSON, see Using JSON. To strip all HTML tags from user input, remove all the tags from the tagwhitelist.json file:
- Web Application: <WebApp>\Config\Other\tagwhitelist.json
- Scheduler Application: <Sched>\bin\tagwhitelist.json
Be cautious about adding potentially unsafe tags such as <input> and <iframe> to the whitelist. Removing HTML tags from the whitelist may cause existing reports to display incorrectly.
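To make the difference between the two approaches concrete, here is an added illustration (not the product's own sanitizer, and not code from this article) of a tag filter driven by a tagwhitelist.json-style array. The whitelist contents, the comparison blacklist, and the sample input are constructed for the example. It shows why a blacklist lets an unlisted tag through untouched while a whitelist drops it, and what happens when the whitelist array is emptied, as the section above describes.

```python
import json
from html import escape
from html.parser import HTMLParser

# Constructed sample in the shape described above for tagwhitelist.json:
# a JSON array of tag names. This is not the product's shipped file.
TAG_WHITELIST_JSON = '["b", "i", "u", "br", "p", "span"]'

# Constructed blacklist, used only to contrast the two approaches.
TAG_BLACKLIST = {"script", "iframe", "object", "embed"}

# Tags whose body is raw text rather than markup. When such a tag is
# dropped, its body is dropped too instead of being leaked as visible text.
RAW_TEXT_TAGS = {"script", "style"}


class TagFilter(HTMLParser):
    """Re-serialise HTML, keeping only tags for which keep_tag(name) is true."""

    def __init__(self, keep_tag):
        super().__init__(convert_charrefs=False)
        self.keep_tag = keep_tag
        self.out = []
        self.skipping = None  # name of a dropped raw-text tag we are inside

    def _open(self, tag, attrs, self_closing):
        if self.skipping:
            return
        if not self.keep_tag(tag):
            if tag in RAW_TEXT_TAGS:
                self.skipping = tag
            return
        parts = [f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                 for k, v in attrs]
        self.out.append(f"<{tag}{''.join(parts)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skipping:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are never user-visible content; drop them


def load_whitelist(json_text):
    """Parse a tagwhitelist.json-style array into a set of lower-case tag names."""
    tags = json.loads(json_text)
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("whitelist must be a JSON array of strings")
    return {t.lower() for t in tags}


def _run(html, keep_tag):
    parser = TagFilter(keep_tag)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def whitelist_filter(html, allowed):
    """Keep only tags named in the whitelist (HTMLParser lower-cases tag names)."""
    return _run(html, lambda tag: tag in allowed)


def blacklist_filter(html, blocked):
    """Keep every tag except those named in the blacklist."""
    return _run(html, lambda tag: tag not in blocked)


# Constructed sample of user input: report text, a script block, an unlisted
# tag carrying an event-handler attribute, and a self-closing line break.
SAMPLE_INPUT = ('<p>Total: <b>42</b> &amp; more</p>'
                '<script>alert(1)</script>'
                '<custom-widget onclick="x()">hi</custom-widget><br/>')

if __name__ == "__main__":
    allowed = load_whitelist(TAG_WHITELIST_JSON)
    print("blacklist:", blacklist_filter(SAMPLE_INPUT, TAG_BLACKLIST))
    print("whitelist:", whitelist_filter(SAMPLE_INPUT, allowed))
    print("empty whitelist:", whitelist_filter(SAMPLE_INPUT, set()))
```

The blacklist run removes the script block but passes `<custom-widget onclick="x()">` through untouched, because that tag is not on its list; the whitelist run drops it along with everything else that is not explicitly allowed, and the empty whitelist strips every tag, which matches the effect of emptying tagwhitelist.json. A tag whitelist on its own says nothing about attributes on the tags it does allow, so attribute handling is a separate concern from the whitelist file.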