Sanitizing of Email Templates

To prevent or limit the impact of cross-site scripting (XSS) attacks on FlexNet Operations, email templates in HTML format that could be used to perform XSS attacks are sanitized. Strings that could be exploited are removed from the email template.

The following examples show unsupported JavaScript content and the resulting sanitized HTML content.

Examples where JavaScript is removed from the HTML template

Example 1

  JavaScript content:
    <a href="JAVASCRIPT:alert(1)">xss</a>

  Sanitized HTML content:
    <html>
    <head></head>
    <body><a>xss</a></body>
    </html>

Example 2

  JavaScript content:
    <html>hi everyone
    <SCRIPT>alert('hi')</SCRIPT>
    </html>

  Sanitized HTML content:
    <html>
    <head></head>
    <body>hi everyone</body>
    </html>
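The two rows above show the observable behaviour of the sanitizer but not how such a filter is built. The following is an added illustration, not FlexNet Operations' own code: a small allow-list sanitizer on Python's standard html.parser that implements exactly the two rules the examples demonstrate (script elements are dropped with their content; href/src-style attributes whose value uses the javascript: scheme are dropped, matched case-insensitively and after removing whitespace and control characters that browsers ignore inside a scheme). The re-serialized output is wrapped in a fresh html/head/body skeleton so that it matches the sanitized content shown above. Event-handler attributes such as onload are deliberately left untouched, because the inline-JavaScript template recommended later on this page relies on them; the element and attribute sets are assumptions for the example.

```python
"""Illustrative allow-list sanitizer for HTML email templates (not FlexNet's code).

Rules implemented, mirroring the page's two examples:
  1. <script> elements are removed together with their content.
  2. URL attributes (href, src, ...) whose value uses the javascript: scheme are
     dropped; the check is case-insensitive and ignores embedded whitespace/control
     characters, so "JAVASCRIPT:" and "java\tscript:" are both caught.
Event-handler attributes (onload, onclick, ...) are intentionally not touched.
"""
import html
import re
from html.parser import HTMLParser

DROPPED_ELEMENTS = {"script"}                     # element and its content are removed
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}   # assumed set for the example
STRUCTURAL = {"html", "head", "body"}             # re-emitted by sanitize_template(), not copied
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}

# ASCII whitespace and control characters are ignored by browsers inside a URL scheme.
_SCHEME_NOISE = re.compile(r"[\x00-\x20\x7f]")


def is_script_url(value):
    """True if the attribute value would run as script when followed as a URL."""
    return _SCHEME_NOISE.sub("", value or "").lower().startswith("javascript:")


class TemplateSanitizer(HTMLParser):
    """Streams the template through and rebuilds only the permitted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.drop_depth = 0          # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_ELEMENTS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag in STRUCTURAL:
            return
        kept = []
        for name, value in attrs:
            if name in URL_ATTRIBUTES and is_script_url(value):
                continue             # drop the dangerous attribute, keep the element
            if value is None:
                kept.append(name)
            else:
                kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.parts.append("<%s>" % " ".join([tag] + kept))

    def handle_endtag(self, tag):
        if tag in DROPPED_ELEMENTS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag in STRUCTURAL or tag in VOID_ELEMENTS:
            return
        self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.drop_depth:
            self.parts.append(html.escape(data, quote=False))   # re-escape text content

    def handle_comment(self, data):   # comments are not needed in the rendered mail
        pass

    def handle_decl(self, decl):      # <!DOCTYPE ...> is replaced by the fixed skeleton
        pass


def sanitize_template(source):
    """Return the sanitized template wrapped in a fresh html/head/body skeleton."""
    parser = TemplateSanitizer()
    parser.feed(source)
    parser.close()
    body = "".join(parser.parts).strip()
    return "<html><head></head><body>%s</body></html>" % body


if __name__ == "__main__":
    # Constructed inputs that mirror the two rows of the page's table.
    print(sanitize_template('<a href="JAVASCRIPT:alert(1)">xss</a>'))
    print(sanitize_template("<html>hi everyone\n<SCRIPT>alert('hi')</SCRIPT>\n</html>"))
```

Note that the attribute is removed while the element is kept (the anchor text "xss" survives, as in the page's first example), and that the whole script subtree is skipped rather than only the tags, so the payload text never reaches the output.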

For basic dynamic features, such as validating input, Revenera recommends that you use inline JavaScript in an event-handler attribute (the onload attribute of the body element in the following example) rather than a script element, which the sanitizer removes.

Example: Dynamic updates based on user input

<!DOCTYPE html>
<html>
<body onload="
  // [[Firstname]] is replaced by the template engine before the mail is rendered
  const firstName = '[[Firstname]]'.trim();
  const dearSpan = document.getElementById('dearSpan');
  if (!firstName) {
    console.log('First name is empty.');
    const errorMessage = document.createElement('span');
    errorMessage.textContent = ' First name is missing!';
    errorMessage.style.color = 'red';
    dearSpan.insertAdjacentElement('afterend', errorMessage);
  } else {
    console.log('First name:', firstName);
    const successMessage = document.createElement('span');
    successMessage.textContent = ' First name is provided!';
    successMessage.style.color = 'green';
    dearSpan.insertAdjacentElement('afterend', successMessage);
  }
">
  <p>
    <span id="dearSpan" style="font-size: small;">Dear </span>
    <strong style="color: #333333; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px;">
      [[Firstname]] [[Lastname]],
    </strong>
  </p>
</body>
</html>