How to remove HTML injection in ThingWorx applications?
TWX uses scripts that share the same logic with JavaScript, but you will never see <title></title> in real TWX script coding areas, thus you don't need to worry about symbols like < in here; it works as Smaller Than.
Hi,
Can you offer an example of an HTML injection that could be performed in TWX?
There are several ways to block the potential injection since JavaScript in Mashup is not independent, and it does not have access to all information.
You can form the services and subscription code smartly to avoid injection;
You can carefully assign the Login User Runtime permission to disable the access;
The names of the entities that store important data should not be told to outsiders, so hackers can't find the object to refer to;
Some data are stored inside the External Database and controlled by SQL services; don't open this access to the Mashup directly.
These are the steps I can think of for the moment.
How may it be possible to block any input containing HTML metacharacters such as < and >? Alternatively, how can these characters be replaced with the corresponding entities, &lt; and &gt;?
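An added example, not code from this thread or from ThingWorx itself, showing the two options raised in the question above: rejecting input that contains < or >, and replacing metacharacters with their entities. It is plain JavaScript of the kind a TWX service shares its logic with (written with var and function keywords so it also fits older script engines); the function names, the policy parameter and the sample input are constructed for the example.

```javascript
// Entity map used for escaping. '&' is included so text that already contains
// an entity is not re-interpreted, and both quote characters are included so
// the result is also safe when placed inside an HTML attribute value.
var HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Option 2 from the question: replace HTML metacharacters with entities.
// The browser then renders the characters literally instead of parsing them
// as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, function (ch) {
    return HTML_ENTITIES[ch];
  });
}

// Option 1 from the question: refuse any input containing < or >.
// Returns true when the input is acceptable.
function isFreeOfHtmlTags(input) {
  return !/[<>]/.test(String(input));
}

// Hypothetical validation step a service could apply to a string parameter
// before storing it on a Thing property that a Mashup later displays.
// policy is 'reject' (throw on metacharacters) or 'escape' (encode them).
function sanitizeForDisplay(input, policy) {
  var text = String(input);
  if (policy === 'reject') {
    if (!isFreeOfHtmlTags(text)) {
      throw new Error('Input contains HTML metacharacters and was rejected');
    }
    return text;
  }
  return escapeHtml(text);
}

// Constructed sample input: a display name that carries markup.
var SAMPLE_INPUT = 'Pump & Valve <title>status</title>';

// Runs both policies over the sample and reports the outcome of each.
function demo() {
  var rejected = false;
  try {
    sanitizeForDisplay(SAMPLE_INPUT, 'reject');
  } catch (e) {
    rejected = true;
  }
  return {
    rejectPolicyBlockedInput: rejected,
    escaped: sanitizeForDisplay(SAMPLE_INPUT, 'escape')
  };
}

console.log(JSON.stringify(demo()));
```

Escaping has to be applied in the output context it is meant for: the map above is for text placed in the HTML body or in a quoted attribute, and the same string would need different treatment if it were inserted into a script or a URL.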
Hi @pgupta17.
If one of the previous responses answered your questions, please mark the appropriate one as the Accepted Solution for the benefit of others with the same question.
Regards.
--Sharon