Spotfire Admin — HTML Sanitation

• Are unsupported HTML tags confusing and maddening?
• Have you ever experienced problems getting JavaScript to work in Spotfire?
• Would you like to make text areas look more visually appealing and professional?

If you answered yes to any of the questions above, consider changing the Spotfire HTML Sanitation setting.

What is HTML Sanitation?

Since I’m not an HTML expert, I’ll turn to Wikipedia for the definition — HTML sanitization is the process of examining an HTML document and producing a new document that preserves only whatever tags are designated “safe” and desired.  Sanitization can protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user.

HTML Sanitation in Spotfire

Spotfire turns HTML sanitation on by default.  Turn sanitation off in the Administration Manager > Everyone Group > Preferences tab > Text area settings > Set to False (shown below).

Note: If you do not see the Preferences tab, it is because you do not have the right permissions to view/edit.  In this case, you’ll most likely need to contact an administrator.

Before changing this setting, consider two things.

1. What’s the risk of turning it off?
2. Are text areas more appealing with sanitation turned off versus on?

What’s the Risk?

This TIBCO Community article does a great job of explaining the history of sanitation in Spotfire, as well as why the default setting is what it is and what the risks of turning it off are.  In addition to the TIBCO community commentary, I would also consider the following:

• What general security is already in place in/for your Spotfire environment?
• Is scripting enabled in your Spotfire environment?
• How many Spotfire users know how to add HTML and JavaScript to the text areas?

Answering these questions will help you decide whether or not to turn sanitation off or not.

What’s the Difference?

When sanitation is turned on, many tags are invalidated or not supported.  The list below contains a sampling of the tags invalidated with sanitation turned on.

• html
• title
• body
• style
• mark
• sub
• sup
• small
• center
• …..I’m sure there are lots more.

In case you haven’t seen an unsupported tag error, here is what it looks like when you edit HTML.

In terms of making analysis look more professional, here is an example of code that uses the <style> tag.  The screenshots below demonstrate what the text area looks like with sanitation on versus off.  As you can see, when the <style> tag is invalidated (sanitation on), the text area is much less attractive.

Code

Text Area Invalidating <style>

Text Area Using <style>

As you can see, being able to use the <style> tag makes this text area much more attractive, and from a coding perspective, being able to use the <style> tag in and of itself is also helpful and more efficient than what you would have to write without it.  In conclusion, if the risk is acceptable, turn off sanitation.  The result will help beautify text areas and make working with HTML easier!

Julie Sebby

Guest Spotfire blogger residing in Whitefish, MT.  Working for SM Energy’s Advanced Analytics and Emerging Technology team!