Allow/Block URLs

Note : To use this specific customization in your environment, please send a request to the VitaraCharts support team. All customization files are managed in a cloud environment by the support team."

Allow/Block URLs in the Vitara Charts

To address the requirement of having URLs in the VitaraCharts, we have made some enhancements

1. An option in the ‘global.txt’ file:

A property is included in the global.txt file. By using this property you can enable/disable the URLs in all the Answers /liveboards where VitaraCharts are used. Below is the screenshot of this property from the global.txt file.

The global.txt file can be located at the below path plugins\VitaraCharts\custom

Note: We have to configure the respective global.txt file for web and library applications.

security.allowURLLinks = 0 or 1. Setting 0 (zero) will not allow URLs used within the anchor tag ‘href’ property. With this setting enabled only anchor tag titles are allowed. While setting to value 1 (one) will enable URLs used within the anchor tag ‘href’ property. By default the value of the property security.allowURLLinks = 0. This means URLs in the VitaraCharts will not work.

Security Tab

Within the property editor of a specific chart, the Security tab allows you to control the URLs specific to that chart within a particular answers. This means you can fine-tune URL settings for each chart as needed. Below is a screenshot of this option:

By default, the ‘Allow URL Links’ is set to the value Default. This means the functioning of the URLs is governed by the property set in the global.txt file. If global.txt is = 0, then URLs will not work. Enable/Disable: Set the ‘Allow URL Links’ option to either Enable/Disable to allow URLs or block URLs in that particular chart.

Handling Relative URLs for XSS Protection

Allowed Relative URL Formats

When specifying relative URLs in the href or src attributes, they must start with a forward slash (/). This requirement ensures proper XSS (Cross-Site Scripting) encoding and enhances the security of your application.

Summary of URL Filtering Logic

To enforce the rule for relative URLs:

  1. Ensure the URL value starts with /.

  2. Trim any leading and trailing whitespace from the URL value.

  3. If the URL does not meet the criteria, replace it with an empty string to prevent XSS attacks.

Safe Attribute Function Implementation

The following function filters href and src attribute values to ensure they comply with allowed formats and prevent XSS attacks: "http://","https://","mailto:","tel:","data:image/","ftp://","./","../","#","/"

Important Notes

  • Starting Character: Ensure that all relative URLs start with a forward slash (/). This is essential for correct XSS encoding.

  • Trimming Whitespace: Trim leading and trailing whitespace from the URL value before validation.

  • Default Behavior: If a relative URL does not start with a forward slash, it is replaced with an empty string to prevent potential XSS attacks.

By adhering to these guidelines and implementing the provided function, you can mitigate the risk of XSS attacks through careful validation and filtering of relative URLs.

Note: If you do not configure the functioning of URLs using any of the above methods, VitaraCharts will block all the URLs.

PreviousAdd as FilterNextAnimation

Last updated