Allow/Block URLs
Note: To use this specific customization in your environment, please send a request to the VitaraCharts support team. All customization files are managed in a cloud environment by the support team.
Allow/Block URLs in the Vitara Charts
To address the requirement of having URLs in VitaraCharts, we have made the following enhancements:
1. An option in the ‘global.txt’ file:
A property is included in the global.txt file. With this property you can enable or disable URLs in all the Answers/Liveboards where VitaraCharts are used. Below is the screenshot of this property from the global.txt file.
The global.txt file is located at the following path: plugins\VitaraCharts\custom
Note: The respective global.txt file has to be configured for both the web and library applications.
security.allowURLLinks = 0 or 1. Setting the value to 0 (zero) blocks URLs used within the anchor tag ‘href’ property; with this setting, only anchor tag titles are allowed. Setting the value to 1 (one) enables URLs used within the anchor tag ‘href’ property. The default is security.allowURLLinks = 0, which means URLs in VitaraCharts will not work.
Security Tab
Within the property editor of a specific chart, the Security tab lets you control URLs for that chart within a particular Answer. This means you can fine-tune URL settings for each chart as needed. Below is a screenshot of this option:

By default, ‘Allow URL Links’ is set to the value Default. This means the behaviour of URLs is governed by the property set in the global.txt file: if security.allowURLLinks = 0 in global.txt, URLs will not work.
Enable/Disable: Set the ‘Allow URL Links’ option to Enable or Disable to allow or block URLs in that particular chart.
Handling Relative URLs for XSS Protection
Allowed Relative URL Formats
When specifying relative URLs in the href or src attributes, they must start with a forward slash (/). This requirement ensures proper XSS (Cross-Site Scripting) encoding and enhances the security of your application.
Summary of URL Filtering Logic
To enforce the rule for relative URLs:
Ensure the URL value starts with /.
Trim any leading and trailing whitespace from the URL value.
If the URL does not meet the criteria, replace it with an empty string to prevent XSS attacks.
Safe Attribute Function Implementation
The following function filters href and src attribute values to ensure they comply with allowed formats and prevent XSS attacks: "http://","https://","mailto:","tel:","data:image/","ftp://","./","../","#","/"
Important Notes
Starting Character: Ensure that all relative URLs start with a forward slash (/). This is essential for correct XSS encoding.
Trimming Whitespace: Trim leading and trailing whitespace from the URL value before validation.
Default Behavior: If a relative URL does not start with a forward slash, it is replaced with an empty string to prevent potential XSS attacks.
By adhering to these guidelines and implementing the provided function, you can mitigate the risk of XSS attacks through careful validation and filtering of relative URLs.
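The filtering and settings rules described above, as an added sketch that is not VitaraCharts' own function. The function names are hypothetical, the case-insensitive prefix match is an assumption, and the prefix list is the one quoted on this page.

```javascript
// Added example, not VitaraCharts source. Function names are hypothetical.
// Prefix list copied from the "Safe Attribute Function Implementation" section.
const ALLOWED_PREFIXES = [
  "http://", "https://", "mailto:", "tel:", "data:image/",
  "ftp://", "./", "../", "#", "/",
];

// The chart-level 'Allow URL Links' value (Default / Enable / Disable) overrides
// security.allowURLLinks from global.txt; a missing global value blocks URLs.
function urlsAllowed(chartSetting, globalValue) {
  if (chartSetting === "Enable") return true;
  if (chartSetting === "Disable") return false;
  return Number(globalValue) === 1; // "Default": defer to global.txt
}

// Returns the trimmed value if it starts with an allowed prefix, else "".
function filterUrlValue(value) {
  if (typeof value !== "string") return "";
  const trimmed = value.trim();
  // Assumption: prefixes are compared case-insensitively, since browsers
  // treat URL schemes as case-insensitive.
  const lower = trimmed.toLowerCase();
  return ALLOWED_PREFIXES.some((p) => lower.startsWith(p)) ? trimmed : "";
}

// href value to emit for an anchor, given the chart and global settings.
function safeHref(value, chartSetting, globalValue) {
  return urlsAllowed(chartSetting, globalValue) ? filterUrlValue(value) : "";
}

// Constructed sample inputs, evaluated with chart = Default and global = 1.
const samples = [
  "  /reports/sales  ",     // relative with leading slash: kept, trimmed
  "reports/sales",          // relative without leading slash: emptied
  "JavaScript:void(0)",     // scheme not on the allow-list: emptied
  "https://example.com/a",  // absolute https: kept
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(safeHref(s, "Default", 1)));
}
```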
Note: If you do not configure the functioning of URLs using any of the above methods, VitaraCharts will block all the URLs.