Allow/Block URLs
Last updated
Last updated
To address the requirement of having URLs in the VitaraCharts, we have made some enhancements in the 5.1.3 release.
A property is included in the global.txt file. By using this property you can enable/disable the URLs in all the dossiers/documents where VitaraCharts are used. Below is the screenshot of this property from the global.txt file.
For the MSTR web application, the global.txt file can be located at the below path *webapps\MicroStrategy\plugins\VitaraCharts\custom*
For the MSTR Library application, the global.txt file can be located at the below path *webapps\MicroStrategyLibrary\plugins\VitaraCharts\custom*
Note: You have to configure the respective global.txt file for web and library applications.
security.allowURLLinks = 0 or 1. Setting 0 (zero) will not allow URLs used within the anchor tag ‘href’ property. With this setting enabled only anchor tag titles are allowed. While setting to value 1 (one) will enable URLs used within the anchor tag ‘href’ property. By default the value of the property security.allowURLLinks = 0. This means URLs in the VitaraCharts will not work.
The properties window of all the VitaraCharts will now have the option to control the URLs within that particular chart. This means the global.txt file can be used to control the URLs globally in all VitaraCharts used in any of the dossiers or documents. Whereas, the Security tab property in the property editor of a specific chart is used to control the URLs in that particular chart in the particular dossier/document. Below is the screenshot of this option.
By default, the ‘Allow URL Links’ is set to the value Default. This means the functioning of the URLs is governed by the property set in the global.txt file. If global.txt is = 0, then URLs will not work. Enable/Disable: Set the ‘Allow URL Links’ option to either Enable/Disable to allow URLs or block URLs in that particular chart.
When specifying relative URLs in the href or src attributes, they must start with a forward slash (/). This requirement ensures proper XSS (Cross-Site Scripting) encoding and enhances the security of your application.
To enforce the rule for relative URLs:
Ensure the URL value starts with /.
Trim any leading and trailing whitespace from the URL value.
If the URL does not meet the criteria, replace it with an empty string to prevent XSS attacks.
The following function filters href and src attribute values to ensure they comply with allowed formats and prevent XSS attacks: "http://","https://","mailto:","tel:","data:image/","ftp://","./","../","#","/"
Starting Character: Ensure that all relative URLs start with a forward slash (/). This is essential for correct XSS encoding.
Trimming Whitespace: Trim leading and trailing whitespace from the URL value before validation.
Default Behavior: If a relative URL does not start with a forward slash, it is replaced with an empty string to prevent potential XSS attacks.
By adhering to these guidelines and implementing the provided function, you can mitigate the risk of XSS attacks through careful validation and filtering of relative URLs.
Note: If you do not configure the functioning of URLs using any of the above methods, VitaraCharts will block all the URLs.
