I have a Power App Portal that uses a comments/notes section to enable users to submit chat. A user could potentially write HTML into this input with external links, etc.; as a result, the site is open to attack.
Is there a way to prevent HTML code being injected into Portal Notes?
@ragavanrajan
Spent the best part of today figuring out the best approach, and it seems this is a vulnerability of the platform; the best way to mitigate this risk is by removing the note functionality. This isn't the solution I wanted, as losing this feature impacts the platform and service provided.
To reduce risk exposure, I've created a Cloud Flow that converts HTML to text, which takes roughly 59ms to complete. It's quick enough that other users have less of a chance of seeing the suspect message. Ideally we'd prevent this on entry, but this does not look feasible at this time.
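As an added illustration of the "convert HTML to text" mitigation described in the accepted solution (this is not the poster's Cloud Flow and not Power Apps code; it is a stand-in written here in Python with the standard-library parser), the following reduces a submitted note to plain text, discards the bodies of script/style elements entirely rather than just their tags, and shows the separate encoding step the display path still needs, because plain text that contains "<" is only safe if it is rendered as text:

```python
from html.parser import HTMLParser
import html


class NoteTextExtractor(HTMLParser):
    """Reduce submitted HTML to plain text.

    Tags are dropped; the contents of script/style elements are discarded
    entirely (an unclosed <script> never reaches the output either, since
    we only emit data while not inside one of those elements).
    """
    DROP_CONTENT = {"script", "style"}
    BLOCK_TAGS = {"br", "p", "div", "li"}

    def __init__(self):
        # convert_charrefs=True decodes &amp; / &lt; etc. into literal text
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SCRIPT> is caught as well.
        if tag in self.DROP_CONTENT:
            self._skip_depth += 1
        elif tag in self.BLOCK_TAGS and self._skip_depth == 0:
            self.parts.append("\n")  # keep line structure readable

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT and self._skip_depth > 0:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.parts.append(data)


def html_to_text(note: str) -> str:
    """Strip all markup from a note; attributes (href, onerror, ...) vanish with their tags."""
    parser = NoteTextExtractor()
    parser.feed(note)
    parser.close()
    # collapse whitespace runs left behind by removed tags
    return " ".join("".join(parser.parts).split())


def escape_for_display(text: str) -> str:
    """The stored text must still be HTML-encoded when rendered, otherwise
    decoded entities such as &lt;script&gt; become live markup again."""
    return html.escape(text, quote=True)
```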
Hi @opticshrew
By default, the JS extension is blocked in Portals. I believe that even if you refer to a third-party JS library in your HTML, Portals will prevent the JS extension.
To confirm, try the following:
In Portal management:
1. Settings > Advanced Settings
2. Under Administration > System Settings > General
3. Make sure JS is added to the list
Trace the Network call to see if your attached HTML is making a call to a third-party API.
Hope it helps.
@ragavanrajan not sure that resolves the issue; here's what we want to prevent.
Hey @opticshrew
Thanks for sharing the solution. Power Automate can be helpful in critical situations.
In the old days, HTML would have been rejected by the Portal; however, more recently they have allowed the use of Rich Text (https://docs.microsoft.com/en-us/power-apps/maker/portals/component-rte-tutorial), which allows HTML. As per the link, for other Basic Forms etc. you have to enable it; not sure if there is a way to disable it on the Notes (but this may depend on how you have it set up also).
(Also, there was a Site Setting - name escapes me at the moment - that would allow you to turn off the field validation so you could intentionally receive HTML etc., but it came with the caveat that you were potentially opening an injection hole and that if you used the setting you were responsible for parsing all data submissions via plugins etc.)