By default, the web application and schedulers scan and remove unsafe HTML tags from any user input. User input areas include report cells, report descriptions, filter fields, and so on. This is to protect the applications from any potential script injection attacks. Removing unsafe tags is referred to as a blacklist approach, because input is filtered against a blacklist of tags which are deemed unsafe.
You can choose instead to remove all HTML tags except those you specifically deem are safe. This is referred to as a whitelist approach. This can have a more unpredictable effect on user input, but it is generally safer if script injection attacks are a concern.
Note. HTML formatting generated by the application, such as the built-in report viewer, is not vulnerable to script injection.
To filter user input by a whitelist:
- Edit the appropriate appSettings file in a text or XML editor:
- Web Application:
{webAppInstallDir}\appSettings.config - Scheduler Application:
{schedulerInstallDir}\eWebReportsScheduler.exe.config
- Web Application:
- Add the following text between the
<appSettings> </appSettings>tags:<add key="inputSanitizationMethod" value="Aggressive" />
- Restart the application or service.
(v2016.3.7+) To view and edit the tag whitelists, edit the appropriate whitelist file in a text editor:
- Web Application:
{webAppInstallDir}\Config\Other\tagwhitelist.json - Scheduler Application:
{schedulerInstallDir}\tagwhitelist.json
Note. The whitelist files contain a JSON-formatted array of strings. To learn more about JSON, see Using JSON. Be cautious about adding potentially unsafe tags such as <input> and <iframe> to the whitelist. Removing HTML tags from the whitelist may cause existing reports to display incorrectly.
To strip all HTML tags from user input, remove all the tags from the tagwhitelist.json file.