opticshrew
Helper II

HTML Injection Vulnerability

I have a Power App Portal that uses a comments/notes section to enable users to submit chat. A user could potentially write HTML into this input with external links etc.; as a result, the site is open to attack.

Is there a way to prevent HTML code being injected into Portal Notes?

1 ACCEPTED SOLUTION

Accepted Solutions
opticshrew
Helper II

@ragavanrajan 

Spent the best part of today figuring out the best approach, and it seems this is a vulnerability of the platform; the best way to mitigate this risk is by removing the note functionality. This isn't the solution I wanted, as losing this feature impacts the platform and service provided.

To reduce risk exposure, I've created a Cloud Flow that converts HTML to Text, which takes roughly 59ms to complete. It's quick enough so that other users have less of a chance of seeing the suspect message. Ideally we'd prevent this on entry, but this does not look feasible at this time.

View solution in original post
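As an added example (not code from this thread, from Microsoft Portals or from Power Automate), the HTML-to-text reduction the accepted solution performs in a Cloud Flow, written as JavaScript so its behaviour can be checked, together with the output encoding the note should get when it is rendered. The `htmlToText` and `escapeForHtml` names and the sample note are assumptions.

```javascript
// Added example: strip markup from a submitted note (what the Cloud Flow does)
// and encode the stored text on output. Not the thread's or Microsoft's code.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: " " };

// Decode numeric (&#65; / &#x41;) and a few named entities so that encoded
// markup does not survive the strip step and re-render as HTML later.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code >= 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Reduce a note to plain text: drop script/style bodies and comments entirely,
// remove every remaining tag, then decode entities and normalise whitespace.
// Note that "a < b and c > d" style text loses the span between < and >;
// a stricter approach would reject the note instead of stripping it.
function htmlToText(html) {
  let text = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  text = text.replace(/<!--[\s\S]*?-->/g, "");
  text = text.replace(/<[^>]*>/g, "");
  text = decodeEntities(text);
  return text.replace(/\s+/g, " ").trim();
}

// Output encoding applied wherever the note is displayed, so that a value
// which slipped past the flow (or was decoded into < >) is still shown as text.
function escapeForHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample note of the kind described in the question.
const SAMPLE_NOTE =
  'Please review <a href="https://example.invalid/x">this link</a>' +
  '<script>alert(1)</script> &amp; reply &#60;soon&#62;';

console.log(htmlToText(SAMPLE_NOTE));                 // Please review this link & reply <soon>
console.log(escapeForHtml(htmlToText(SAMPLE_NOTE)));  // Please review this link &amp; reply &lt;soon&gt;
```

The stripped text still contains the decoded `<soon>`, which is why the encoding step belongs on every read, not only in the flow that cleans stored notes.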

5 REPLIES
ragavanrajan
Super User

Hi @opticshrew

By default, JS extension is blocked in Portals. I believe that even if you refer to a third-party JS library in your HTML, Portals will prevent JS extension.

To confirm, try the following in Portal management:

1. Settings > Advanced Settings
2. Under Administration > System Settings > General
3. Make sure JS is added on the list

[screenshot: ragavanrajan_0-1659950357021.png]

Trace the Network call to see if your attached HTML is making a call to a third-party API.

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.


opticshrew
Helper II

@ragavanrajan not sure that resolves the issue; here's what we want to prevent. [screenshot: Screenshot 2022-08-08 105719.png]

Hey @opticshrew

Thanks for sharing the solution. Power Automate can be helpful in critical situations.


Fubar
Solution Sage

In the old days HTML would have been rejected by the Portal; however, more recently they have allowed the use of Rich Text (https://docs.microsoft.com/en-us/power-apps/maker/portals/component-rte-tutorial), which allows HTML - as per the link, for other Basic Forms etc. you have to enable it. Not sure if there is a way to disable it on the Notes (but this may depend on how you have it set up also).

(Also, there was a Site Setting - the name escapes me at the moment - that would allow you to turn off the field validation so you could intentionally receive HTML etc., but it came with the caveat that you were potentially opening an injection hole and that if you used the setting you were responsible for parsing all data submissions via plugins etc.)
