Welcome to Knowage Q&A, where you can ask questions and receive answers from other members of the community.
After updating Knowage from 7.4.21 to newer versions, the following problem occurred:

When using HTML Widgets or Custom Chart Widgets in a Cockpit, it is no longer possible to save the document when it contains specific HTML tags. It is still possible to view these documents, but in edit mode it is not possible to save anymore. The following error occurs when trying to save: "Invalid HTML payload in sheet ...".

In newer versions after 7.4.21 it seems that Knowage is blocking additional HTML tags. The documentation says that dangerous HTML tags like <button> or <script> are removed. However, it seems that additional tags like <canvas> or <fieldset> are now forbidden as well. We are no longer able to edit or create similar documents.

Is there any whitelist/blacklist for HTML Tags that can be edited?

Thank you
Environment: Knowage Server 7.4.34
in Cockpit, Dashboard and Console by (130 points)

1 Answer

Dear peterodisys,

you are right, some more elements have been added to the dangerous list with the new engine after a few complaints.
I guess <canvas> and <fieldset> should not be considered dangerous...
I will take a look and let you know soon.

Thanks and regards.
by (11.3k points)

Hello, 

I confirm that those elements were not considered harmful but were removed.
I added them as you can see here https://github.com/KnowageLabs/Knowage-Server/commit/dc68877ffd14f0090fd401cad46f3e8a404b13a0.

It has also been added to the 7.4 version, so it will be available from the next release, 7.4.36.

Regards

Dear redjaw,

thanks for your help!

After further analysing my code in version 8.0.18, the following uses are removed/forbidden:
- <legend> tags are forbidden
- "src" attribute on <kn-import> is forbidden
- in "style" attribute: "cursor:pointer" and "flex: " are forbidden
- <label> tag is still forbidden even though it should be allowed? (https://github.com/KnowageLabs/Knowage-Server/blob/v8.0.18/knowage-spring-boot-api-common/src/main/java/it/eng/knowage/boot/filter/HtmlSanitizer.java)
- "name" attribute on <label> is forbidden (could not verify it because <label> is forbidden, but name is not listed in https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-spring-boot-api-common/src/main/java/it/eng/knowage/boot/filter/HtmlSanitizer.java)
- "href" attribute for <a> or <div> is forbidden even though it should be allowed? (href-link is in resources/whitelist)
- "target" and "rel" attributes (for <a> or <div>, as examples) are forbidden

Would it be possible to add these as well?

Again, thank you for your help!

Best Regards
...
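As an added example (not code from the Knowage project or from anyone in this thread), the following Python script audits a widget payload against an allowlist of tags, attributes and inline style properties, which is the kind of decision a sanitizer like the HtmlSanitizer linked above makes before a document is saved. The allowlist and the sample markup are constructed to match the elements discussed in the thread; they are not Knowage's actual policy.

```python
from html.parser import HTMLParser

# Constructed allowlist for this example only; it is NOT Knowage's HtmlSanitizer policy.
ALLOWED_TAGS = {"div", "span", "p", "a", "label", "fieldset", "legend", "canvas", "kn-import"}
ALLOWED_ATTRS = {
    "*": {"class", "id", "style"},  # permitted on every allowed tag
    "a": {"href", "target", "rel"},
    "label": {"for", "name"},
    "kn-import": {"src"},
}
ALLOWED_STYLE_PROPS = {"color", "cursor", "flex", "display", "width"}


class AllowlistAuditor(HTMLParser):
    """Records every tag, attribute and inline style property outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}>")  # forbidden tag: attributes not inspected
            return
        permitted = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            if name not in permitted:
                self.violations.append(f"attribute {name} on <{tag}>")
            elif name == "style":
                # Split "cursor:pointer; flex: 1" into property names and check each one.
                for decl in (value or "").split(";"):
                    prop = decl.split(":", 1)[0].strip().lower()
                    if ":" in decl and prop not in ALLOWED_STYLE_PROPS:
                        self.violations.append(f"style property {prop} on <{tag}>")


def audit_html(payload):
    """Return the allowlist violations for one widget payload (empty list = would save)."""
    auditor = AllowlistAuditor()
    auditor.feed(payload)
    auditor.close()
    return auditor.violations


# Constructed widget markup mirroring the tags discussed in the thread.
SAMPLE_WIDGET = (
    '<fieldset><legend>Sales</legend><label name="lbl" for="region">Region</label>'
    '<a href="#" target="_blank" rel="noopener" style="cursor:pointer; flex: 1">go</a>'
    '<button onclick="run()">no</button><div style="position:absolute">x</div></fieldset>'
)
```

Running `audit_html` over a widget before saving shows exactly which tag, attribute or style property an allowlist would reject, instead of the single "Invalid HTML payload" message.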