5-Regular Member
December 1, 2018
Solved

How to remove html injection in ThingWorx applications?

  • December 1, 2018
  • 1 reply
  • 2126 views

How to remove html injection in ThingWorx applications?


1 reply

5-Regular Member
December 3, 2018

Hi,


Can you offer an example of an HTML injection that could be performed in TWX?


There are several ways to block the potential injection since JavaScript in Mashup is not independent, and it does not have access to all information.


You can write the services and subscription code carefully to avoid injection;

You can carefully assign the Login User runtime permissions to restrict access;

The names of the entities that store important data should not be disclosed to outsiders, so hackers can't find the object to refer to;

Some data are stored inside the external database and controlled by SQL services; don't expose this access to the Mashup directly.


These are the steps I can think of for the moment.

pgupta17 (Author)
5-Regular Member
December 3, 2018

How might it be possible to block any input containing HTML metacharacters such as < and >? Alternatively, how can these characters be replaced with the corresponding entities &lt; and &gt;?

zyuan1 (Answer)
5-Regular Member
December 3, 2018

TWX uses scripts that share the same logic as JavaScript, but you will never see <title></title> in real TWX script coding areas, so you don't need to worry about symbols like < here; it works as "less than".
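The thread asks two concrete things: how to block input containing HTML metacharacters, and how to replace them with entities. The following is an added example, not code from the thread or from PTC, and it uses no ThingWorx API; it assumes only that service and Mashup code is plain JavaScript (written in ES5 style so it pastes into either). The security point it illustrates is that a `<` inside script source is harmless (as the answer above says), while the same character inside a string that is later rendered as HTML is where injection happens, so encoding belongs at that rendering point. The helper names (`escapeHtml`, `containsHtmlMetachars`, `renderDeviceLabel`) and the sample inputs are constructed for this example.

```javascript
// Added example (not from the thread or from PTC): HTML output encoding and
// metacharacter screening for ThingWorx-style JavaScript. Assumes nothing
// beyond plain JavaScript; no ThingWorx API is used.

// Map every HTML metacharacter to its entity. '&' must be in the set,
// otherwise text such as "&lt;" would survive untouched and the browser
// would decode it back to "<".
var HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;"
};

// Encode a value so it is displayed literally when placed into HTML text
// or into a double-quoted attribute value. Null/undefined become "".
function escapeHtml(value) {
  if (value === null || value === undefined) {
    return "";
  }
  return String(value).replace(/[&<>"']/g, function (ch) {
    return HTML_ENTITIES[ch];
  });
}

// The "block it" alternative asked about in the thread: report whether the
// input contains any HTML metacharacter so a service can reject it early.
// Rejecting is a business-rule choice (fine for device names); encoding is
// still required wherever the value is rendered as HTML.
function containsHtmlMetachars(value) {
  return /[<>&"']/.test(String(value));
}

// Build a small HTML fragment from an untrusted field, e.g. a device name
// supplied by a user, the way a service returning HTML for display might.
// Both the text node and the attribute value are encoded.
function renderDeviceLabel(deviceName) {
  var safe = escapeHtml(deviceName);
  return '<span class="device" title="' + safe + '">' + safe + "</span>";
}

// Constructed sample inputs, not taken from any real ThingWorx instance.
var SAMPLE_INPUTS = [
  "Pump-01",            // clean
  "<b>Pump-02</b>",     // markup injection attempt
  'Pump "B"',           // would break out of a quoted attribute unencoded
  "Fish & Chips"        // must not turn into a broken entity
];

// Run every sample through both approaches and return the results.
function demo() {
  return SAMPLE_INPUTS.map(function (s) {
    return {
      input: s,
      blocked: containsHtmlMetachars(s),
      rendered: renderDeviceLabel(s)
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  demo().forEach(function (r) {
    console.log(JSON.stringify(r));
  });
}
```

Running the block prints one JSON line per sample; only `Pump-01` passes the screening check, and every sample renders as literal text rather than markup. Note that this encoding is correct for HTML text and double-quoted attributes only; a value placed into a JavaScript string, a URL, or a CSS property needs the encoding for that context instead.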