Solved: Re: HTML Injection Vulnerability

opticshrew · ‎08-08-2022

I have a Power App Portal that uses a comments/notes section to enable users to submit chat. A user could potentially write HTML into this input with external links etc. as a result the site is open to attack.

Is there a way to prevent HTML code being injected into Portal Notes?

opticshrew · ‎08-08-2022

@ragavanrajan

Spent the best part of today figuring out the best approach and it seems this is a vulnerability of the platform the best way to mitigate this risk is by removing the note functionality. This isn't the solution I wanted as losing this feature impacts the platform and service provided.

To reduce risk exposure, I've created a Cloud Flow that converts HTML to Text which takes roughly 59ms to complete. It's quick enough so that other users have less of a chance of seeing the suspect message. Ideally we'd prevent this on entry but this does not look feasible at this time.

View solution in original post

ragavanrajan · ‎08-08-2022

Hi @opticshrew

By Default JS extension is blocked in Portals. I believe even if you refer to a third-party JS library in your HTML. Portals will prevent JS extension.

To confirm try the following

In Portal management:

1. Settings > Advanced Settings

2. Under Administration > System Settings > General

3. Make sure JS is added on the list

Trace the Network call to see if your attached HTML is making a call to a third-party API.

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

opticshrew · ‎08-08-2022

@ragavanrajan not sure that resolves the issue, here's what we want to prevent.

opticshrew · ‎08-08-2022

@ragavanrajan

Spent the best part of today figuring out the best approach and it seems this is a vulnerability of the platform the best way to mitigate this risk is by removing the note functionality. This isn't the solution I wanted as losing this feature impacts the platform and service provided.

To reduce risk exposure, I've created a Cloud Flow that converts HTML to Text which takes roughly 59ms to complete. It's quick enough so that other users have less of a chance of seeing the suspect message. Ideally we'd prevent this on entry but this does not look feasible at this time.

ragavanrajan · ‎08-08-2022

Hey @opticshrew

Thanks for sharing the solution. Power Automate can be helpful in critical situations.

Fubar · ‎08-08-2022

In the old days HTML would have been rejected by the Portal, however more recently they have allowed the use of Rich Text (https://docs.microsoft.com/en-us/power-apps/maker/portals/component-rte-tutorial) which allows HTML - as per the link for other Basic Forms etc you have to enable it, not sure if there is way to disable it on the Notes (but this may depend on how you have it setup also).

(also, their was also a Site Setting - name escapes me at the moment - that would allow you to turn off the field validation so you could intentionally receive HTML etc but it came with the caveat that you were potentially opening an injection hole and that if you used the setting you were responsible for parsing all data submissions via plugins etc )

HTML Injection Vulnerability

Helpful resources

Check out the Community Blog

Introducing the Community Calls Conversations

What's New in the Community?