QueryThingExtension no longer works

tcoufal
12-Amethyst

Hi there,

We kind of have a problem here.

We successfully upgraded to ThingWorx 8.4. We have found that the QueryThing extension (queryExecute mashups, to be more precise) no longer works as expected. Buttons are gone and we cannot export displayed data to Excel or as CSV.

We are using that extension and we have to make it work again. I have noticed that this extension is no longer present on the marketplace. I have narrowed it down to the HTML text area. The whole output that needs to be displayed is generated via the service getQueryResultAsHtml, which returns HTML code. That code goes to an HTML text area marked as readonly. On previous versions of ThingWorx (namely 7.3.8) that widget (HTML area) did not perform any safety measures (I guess) and appended the whole content to the DOM. It was not very safe, but very convenient and powerful. Those days are gone.

I tried a simple <script>alert()</script>. It no longer works. I would be able to circumvent this issue with the Expression widget, but hey, that is now also very "safe"; it won't allow me to use almost anything.

The only solution that comes to mind is to use the old HTML Text Area widget, create a manifest file and make some sort of HTML Legacy area, but I cannot tell if there is also another safety feature above that, in which case it would not work.

Does anyone have a better idea?

Please? 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
slangley
23-Emerald II
(To:tcoufal)

Hi @tcoufal.

 

Just to clarify, you are using a Marketplace extension that is no longer available, correct?  We did pull down several extensions for review and it is not clear yet if these extensions will be updated and re-posted.

 

If you created the extension yourself, we would recommend referring to this documentation for updating the extension to work with your ThingWorx version.  It's not recommended that the security be circumvented.

 

Regards.

 

--Sharon


4 REPLIES
tcoufal
12-Amethyst
(To:tcoufal)

Edit:

I have found that all HTML is sanitized (before it is used) via twHtmlUtilities.js (xss resources), which then calls the service sanitizeHtml in SecurityFunctions under ThingWorx resources. This collection has no configuration, so it cannot be changed as far as I can see (I will check the platform settings).

However, I have noticed that if there is an iFrame widget, it is sandboxed and the HTML is not sanitized.

I have tried the WebFrame widget and called the service directly via URL.

It always returns that ThingWorx logo and labels and frame (see picture) which I can get rid of.

I need only the content of that service (or property). I tried all Accept header combinations: JSON also returns the definition, HTML in XML is not valid, that cannot even be set. CSV is downloaded immediately. I am pretty much stuck at this moment. Can someone provide some workaround for how to get only the content of one's property or only the content of the service result without that bs?
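An added example, not part of the original posts and not code from the QueryThing extension: one way to keep a query-result view and its CSV export working alongside HTML sanitization is to pass the rows as data and build inert table markup with escaping, instead of shipping server-built HTML with scripts. All function names and the sample rows are constructed for illustration.

```javascript
// Added example: render query results from data instead of server-built HTML.
// Function names and sample rows are hypothetical, not ThingWorx or extension APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so it is displayed as text and never parsed as markup.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a plain table (no scripts, no event handlers) from an array of row objects.
function rowsToHtmlTable(rows) {
  if (rows.length === 0) return '<table></table>';
  const cols = Object.keys(rows[0]);
  const head = cols.map((c) => `<th>${escapeHtml(c)}</th>`).join('');
  const body = rows
    .map((r) => `<tr>${cols.map((c) => `<td>${escapeHtml(r[c])}</td>`).join('')}</tr>`)
    .join('');
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// Quote one CSV field; prefix string values a spreadsheet would evaluate as a formula.
function csvField(value) {
  let s = String(value ?? '');
  if (typeof value === 'string' && /^[=+\-@\t\r]/.test(s)) s = "'" + s;
  return `"${s.replace(/"/g, '""')}"`;
}

// Serialize the same rows to CSV (CRLF line ends, doubled quotes).
function rowsToCsv(rows) {
  if (rows.length === 0) return '';
  const cols = Object.keys(rows[0]);
  const lines = [cols.map(csvField).join(',')];
  for (const r of rows) lines.push(cols.map((c) => csvField(r[c])).join(','));
  return lines.join('\r\n');
}

// Constructed sample rows, including values that would be active in raw HTML or a spreadsheet.
const sampleRows = [
  { name: 'Pump-01', note: '<script>alert()</script>' },
  { name: 'Pump-02', note: '=SUM(A1:A9)' },
  { name: 'Pump "B"', note: 'ok & running' },
];

console.log(rowsToHtmlTable(sampleRows));
console.log(rowsToCsv(sampleRows));
```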

 

tcoufal
12-Amethyst
(To:slangley)

Yes, an extension that was on the marketplace.

I was able to work around it, but it would be great if PTC would do it officially.

 

 

slangley
23-Emerald II
(To:slangley)

Hi @tcoufal.

 

If you would like to see this supported as an out-of-the-box extension, please post your idea on the ThingWorx Ideas board.  This will allow others to vote for it, which can increase its chances of being accepted for a future release.

 

Regards.

 

--Sharon
