• Are unsupported HTML tags confusing and maddening?
  • Have you ever experienced problems getting JavaScript to work in Spotfire?
  • Would you like to make text areas look more visually appealing and professional?

If you answered yes to any of the questions above, consider changing the Spotfire HTML Sanitation setting.

What is HTML Sanitation?

Since I’m not an HTML expert, I’ll turn to Wikipedia for the definition — HTML sanitization is the process of examining an HTML document and producing a new document that preserves only whatever tags are designated “safe” and desired.  Sanitization can protect against cross-site scripting (XSS) attacks by sanitizing any HTML code submitted by a user.

HTML Sanitation in Spotfire

Spotfire turns HTML sanitation on by default.  Turn sanitation off in the Administration Manager > Everyone Group > Preferences tab > Text area settings > Set to False (shown below).

Administration Manager

Note: If you do not see the Preferences tab, it is because you do not have the right permissions to view/edit.  In this case, you’ll most likely need to contact an administrator.

Before changing this setting, consider two things.

  1. What’s the risk of turning it off?
  2. Are text areas more appealing with sanitation turned off versus on?

What’s the Risk?

This TIBCO Community article does a great job of explaining the history of sanitation in Spotfire, as well as why the default setting is what it is and what the risks of turning it off are.  In addition to the TIBCO community commentary, I would also consider the following:

  • What general security is already in place in/for your Spotfire environment?
  • Is scripting enabled in your Spotfire environment?
  • How many Spotfire users know how to add HTML and JavaScript to the text areas?

Answering these questions will help you decide whether or not to turn sanitation off.

What’s the Difference?

When sanitation is turned on, many tags are invalidated or not supported.  The list below contains a sampling of the tags invalidated with sanitation turned on.

  • html
  • title
  • body
  • style
  • mark
  • sub
  • sup
  • small
  • center
  • … and I’m sure there are lots more.
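As an added illustration (not code from this post or from Spotfire itself), here is a small allow-list sanitizer in Python that shows the trade-off described under "What is HTML Sanitation?" and in the tag list above: the same pass that strips script tags and inline event handlers also strips style, sup and other harmless-looking tags, because the allow-list does not know the difference. The allow-list, the sample fragment and the sanitize function are constructed for this example and are not Spotfire's actual rules.

```python
import html
from html.parser import HTMLParser

# Constructed allow-list for this example; Spotfire's real list is not published here.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "ol", "li", "a", "span", "div",
                "h1", "h2", "h3", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"href", "class", "id", "title"}
DROP_CONTENT_TAGS = {"script", "style", "title"}  # tag AND its text are dropped
VOID_TAGS = {"br"}                                 # no closing tag is emitted


class AllowListSanitizer(HTMLParser):
    """Rebuild the fragment, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1         # swallow everything until the matching end tag
            self.dropped.append(tag)
            return
        if self._skip or tag not in ALLOWED_TAGS:
            if not self._skip:
                self.dropped.append(tag)   # tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers are not allow-listed; javascript: URLs are refused too.
            if name in ALLOWED_ATTRS and not value.strip().lower().startswith("javascript:"):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text on output


def sanitize(fragment):
    """Return (sanitized_html, list_of_dropped_items) for a text-area fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a text area mixing styling, an event handler and a script block.
SAMPLE = ('<style>p { color: red; }</style><p onclick="doSomething()">Hello <sup>2</sup></p>'
          '<script>trackUser()</script><a href="javascript:void(0)">link</a>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))  # ('<p>Hello 2</p><a>link</a>', ['style', 'p@onclick', 'sup', 'script', 'a@href'])
```

The dropped list is what a text area author sees as "unsupported tag" errors; the point is that the protective removals and the cosmetic ones come from the same mechanism, which is the trade-off the setting controls.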

In case you haven’t seen an unsupported tag error, here is what it looks like when you edit HTML.

Unsupported tag

In terms of making analysis look more professional, here is an example of code that uses the <style> tag.  The screenshots below demonstrate what the text area looks like with sanitation on versus off.  As you can see, when the <style> tag is invalidated (sanitation on), the text area is much less attractive.

[Screenshot: HTML code using the <style> tag]

[Screenshot: text area with <style> invalidated (sanitation on)]

[Screenshot: text area using <style> (sanitation off)]


As you can see, being able to use the <style> tag makes this text area much more attractive.  From a coding perspective, the <style> tag is also more efficient than the inline styling you would otherwise have to write.  In conclusion, if the risk is acceptable, turn off sanitation.  The result will help beautify text areas and make working with HTML easier!


Written by Julie Schellberg of Big Mountain Analytics, LLC
Residing in Whitefish, MT, an analytics partner with Ruths.ai. Specializing in Spotfire analytics, dabbling in Power BI and R.