As part of a wide-ranging product review for the 9.0 release of ThingWorx, PTC has decided to remove a range of functionality due both to limited market adoption and a continuing effort to harden the security of the ThingWorx platform. Thus, for ThingWorx 9.0, PTC will be removing the following capabilities:
• The ability to use rich text in the Composer “Documentation” field (existing rich text will be displayed as raw HTML);
• The ability to use rich text in blogs and wikis in Mashup Builder (existing rich text will be displayed as raw HTML);
• The ability to edit HTML text in Mashup Builder. ThingWorx users will still be able to employ a service to import HTML content if desired.
Please prepare for these coming changes as appropriate. Thanks!
Anyway, where is the security problem? A developer with browser developer tools can do almost anything on the browser side; there is no need to have an HTML rich text editing feature to break the security.
Thanks for the update on the future plans,
Hi Carles. For the 9.0 release, we have eliminated the rich text functionality of blogs and wikis at runtime due to the aforementioned security concerns. An internal analysis led us to this course of action, but unfortunately, I can't get into details on this public forum.
Then what is the solution for us? We widely use it, as aforementioned:
If it's not in TW 9.0, then we won't be able to upgrade. You should provide a path or something; for our customers it will be a downgrade/downfeature and they won't accept it.
Thanks in advance. We can provide you and the development / product team a demo of our platform to see what feature you are killing. We already did in the past; I never had success, but I can keep trying, as @Aanjan, @mhollenbach and @aressler know...
Hi Carles - unfortunately this isn't functionality we are planning to continue providing in ThingWorx. We wanted to give potentially impacted users a heads up in advance through this post.
We found in the upgrade from 8.3.8 to 8.3.10 that some changes, such as editing the HTML text and changes in how certain elements (span) are handled, were already made to the HTML Text Editor, which is restricting us from upgrading to the new patch release. I'd recommend PTC provide customers that do not have security concerns a way to still use the existing HTML Text Editor widget.
Do you have a markup language, perhaps like GitHub's markup? Please excuse me if I am missing the point. https://guides.github.com/features/mastering-markdown/
Agreed about security. You would be doing this to make XSS and CSRF attacks more difficult?
Thanks -- Rick
Rick - thanks for the note. ThingWorx does not have an equivalent to the GitHub markup language. Unfortunately, I can’t comment directly on what type of security risks we are trying to counteract.