MZSR
Level: Powered On

Confusion around client-scripting in PowerApps

Hi,

 

My colleagues from Information Security have raised concerns around users having the ability to insert client-scripting (JavaScript) to PowerApps. My assumption was that the UI is intended to be a no-code surface for building apps without code, but this seems to apply to canvas apps only. Model-driven apps allow this?

 

https://docs.microsoft.com/en-us/powerapps/developer/model-driven-apps/client-scripting

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
MZSR
Level: Powered On

Re: Confusion around client-scripting in PowerApps

I just noticed that creating or running model-driven apps requires a PowerApps Plan 2 license, which would already tackle the issue for us (we do not foresee assigning this license to many users).


5 REPLIES
MZSR
Level: Powered On

Re: Confusion around client-scripting in PowerApps

Shameless bump.

Community Support Team
Community Support Team

Re: Confusion around client-scripting in PowerApps

Hi @MZSR,

 

Client scripting is something similar to the behavior formula mentioned in Canvas Apps.

It mostly applies to Model-Driven App actions/events, such as when a form loads or data changes.

A detailed explanation is as below:

"

An event occurs in Customer Engagement forms whenever:

  • A form loads
  • Data is changed in a field or an item within the form
  • Data is saved in a form

You can attach your JavaScript code to "react" to these events so that your code gets executed when the event occurs on the form. You attach your JavaScript code (scripts) to these events by using a Script web resource in Customer Engagement.

"

For more information, see:

Client scripting in Customer Engagement using JavaScript

 

For the operations that can be done through client scripting, see:

Understand the Client API object model

 

Regards,

Michael

 

Community Support Team _ Michael Shao
If this post helps, then please consider accepting it as the solution to help other members find it more quickly.
MZSR
Level: Powered On

Re: Confusion around client-scripting in PowerApps

Thank you Michael, that helps! Assuming this is not just limited to specific operations or libraries, from a security point of view, would you see any potential threat in using this?

 

We've had many discussions in the past internally around the use of active code and potential Cross-Site Scripting (XSS) attacks, and I'm trying to better understand if this is a valid concern for PowerApps.

PowerApps Staff HemantG
PowerApps Staff

Re: Confusion around client-scripting in PowerApps

Hi MZSR,

Please reach out to me (hemantg@microsoft.com) for discussion on this. In short, any customization which has client script added to the app (currently model and future canvas) needs to be reviewed and imported only by customizer and above roles. Users below this level of privilege cannot add any script, whether web resources or custom controls.

 

 

Hemant 
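
The review step mentioned above can be supported with a triage pass over an environment's script web resources. The following is an added example, not code from this thread or from Microsoft; it assumes rows shaped like a Dataverse Web API `webresourceset` result (`name`, `webresourcetype`, base64 `content`), and the function name, pattern list and sample data are constructed for illustration.

```javascript
// Added example: triage script web resources for security review.
// Assumption: `rows` mirrors the `value` array of a Dataverse Web API query
// on `webresourceset` (fields: name, webresourcetype, content as base64).
const SCRIPT_TYPE = 3; // webresourcetype option value for Script (JScript)

// Constructs a reviewer usually reads first: dynamic code execution and
// HTML-injection sinks, the usual routes to DOM-based XSS.
const RISKY = [
  { id: "eval", re: /\beval\s*\(/ },
  { id: "new Function", re: /\bnew\s+Function\s*\(/ },
  { id: "innerHTML/outerHTML", re: /\.(inner|outer)HTML\s*=/ },
  { id: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { id: "document.write", re: /\bdocument\.write(ln)?\s*\(/ },
];

// Returns script resources that are not on the reviewed list or that
// contain a risky construct, so they can be routed to a human reviewer.
function triageScripts(rows, reviewedNames) {
  const reviewed = new Set(reviewedNames);
  return rows
    .filter((r) => r.webresourcetype === SCRIPT_TYPE)
    .map((r) => {
      const source = Buffer.from(r.content || "", "base64").toString("utf8");
      return {
        name: r.name,
        reviewed: reviewed.has(r.name),
        findings: RISKY.filter((p) => p.re.test(source)).map((p) => p.id),
      };
    })
    .filter((r) => !r.reviewed || r.findings.length > 0);
}

// Constructed sample data (not taken from any real environment).
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const sampleRows = [
  { name: "contoso_/forms/account.js", webresourcetype: SCRIPT_TYPE,
    content: b64("function onLoad(ctx){ var f = ctx.getFormContext(); }") },
  { name: "contoso_/forms/banner.js", webresourcetype: SCRIPT_TYPE,
    content: b64("function onChange(ctx){ el.innerHTML = ctx.getFormContext().getAttribute('name').getValue(); }") },
  { name: "contoso_/styles/site.css", webresourcetype: 2, content: b64("body{}") },
];

const report = triageScripts(sampleRows,
  ["contoso_/forms/account.js", "contoso_/forms/banner.js"]);
console.log(JSON.stringify(report, null, 2));
```

A pattern match is only a prompt for manual review, and a script with no matches still needs to be read before it is imported.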
