Application Validation

Security framework upgrade

One of our top priorities at Zoho Creator is to ensure that our customers' data is safe and secure. We are committed to providing the highest level of security and have been upgrading our systems to ensure we process data using the latest and most secure protocols. In this regard, we've upgraded the security framework that's used to process the HTML and CSS content in your apps.

All HTML content present in the forms, reports, and pages across your apps will be checked for the following:

  1. Invalid HTML tags - Only the standard W3C tags will be permitted. User errors in HTML tags will be handled as per browser behavior.
  2. Invalid styles - Only standard CSS properties will be permitted.
  3. Script rejection - JavaScript content/code or JavaScript-related parameters in HTML attributes or values will be removed.
  4. Custom attributes - Only standard attributes for the particular HTML tags will be rendered. User-defined attributes will not be rendered. Since attributes can be misused, it is recommended to use class and id instead.
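
The four checks above amount to allowlist-based sanitization. The following Python example is added here for illustration and is not Zoho Creator's code; the tag, attribute, CSS and URL-scheme allowlists, and the choice to keep the text inside a removed tag, are assumptions.

```python
from html import escape
from html.parser import HTMLParser
# Assumed allowlists, constructed for illustration (not Zoho Creator's real lists).
ALLOWED_TAGS = {"a": {"href", "title"}, "img": {"src", "alt"}, "p": set(), "b": set()}
GLOBAL_ATTRS = {"class", "id", "style"}
ALLOWED_CSS = {"color", "background-color", "font-weight", "text-align"}

def clean_style(value):  # check 2: allowlisted properties, values without function calls
    pairs = (d.partition(":") for d in value.split(";"))
    pairs = ((p.strip().lower(), v.strip()) for p, _, v in pairs)
    return "; ".join(f"{p}: {v}" for p, v in pairs if p in ALLOWED_CSS and v and "(" not in v)

def safe_url(value):  # check 3: relative, http(s) and mailto only; other schemes rejected
    scheme, sep, _ = "".join(c for c in value if c > " ").lower().partition(":")
    return not sep or any(c in scheme for c in "/?#") or scheme in {"http", "https", "mailto"}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:  # check 1: non-allowlisted tag dropped
            return
        parts, allowed = [tag], ALLOWED_TAGS[tag] | GLOBAL_ATTRS
        for name, value in attrs:  # check 4: on* handlers, data-* etc. never match
            value = clean_style(value or "") if name == "style" else (value or "")
            ok_url = name not in ("href", "src") or safe_url(value)
            if name in allowed and ok_url and (value or name != "style"):
                parts.append(f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped on output

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

For the constructed input `<p onclick="x()" data-role="a">Hi<script>alert(1)</script></p>`, `sanitize` returns `<p>Hi</p>`.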

Forms

The display name and description of fields are rendered after checking for the above four characteristics.

Reports

In reports, the HTML tags present in the form's data will be checked. The output is as follows:

  • HTML tags will be displayed as plain text in the following fields: Single line, Multi Line, Email, Drop down/Radio, Checkbox/Multi select, Decision box, Users, and Integration.
  • The four characteristics mentioned above (HTML tags, styles, scripts, and custom attributes) will be checked for, and only the allowed ones will be rendered. This applies to the following fields: URL, Image, Signature, Formula, File Upload, Audio, and Video.

Pages

All content in the page will be rendered after applying the four common characteristics (Invalid HTML tags, Invalid styles, Script rejection and Custom attributes).

Limitations

  • OpenURL tasks with public embed components (creator.zohopublic.com) will not be permitted to access or perform any action in the parent window.
  • This security update will prevent iframe content from using browser plugins. Instead, you need to use the embed tag (<embed>) to render external PDF content in HTML.
