
Mitigating Script Injection Attacks in a Hyperlink in a Published Report or Document

Reports can contain embedded hyperlinks in the value of the Action property on
a report item or part of a report item. Hyperlinks can be bound to data that is
retrieved from an external data source when the report is processed. If a
malicious user modifies the underlying data, the hyperlink might be at risk for
scripting exploits. If a user clicks the link in the published or exported report,
malicious script could run.


To mitigate the risk of including links in a report that inadvertently run malicious
scripts, only bind hyperlinks to data from trusted sources. Verify that data from
the query results and the expressions that bind data to hyperlinks do not create
links that can be exploited. For example, do not base a hyperlink on an
expression that concatenates data from multiple dataset fields. If necessary,
browse to the report and use "View Source" to check for suspicious scripts and
URLs.
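
One way to run the check on query results described above, as an added example that is not part of the original post: a Python audit that flags dataset values that are unsafe to bind to a hyperlink Action. The field name `Url`, the trusted host `reports.example.com` and the sample rows are constructed assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
TRUSTED_HOSTS = {"reports.example.com"}  # assumption: hosts you trust


def link_problem(value, trusted_hosts=TRUSTED_HOSTS):
    """Return None if value is safe to bind to a hyperlink, else the reason."""
    if not isinstance(value, str) or not value:
        return "empty or non-string value"
    # Browsers drop tabs and newlines inside a URL, so a scheme split by
    # one of them still resolves. Reject such values before parsing.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return "whitespace or control character"
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"
    if host not in trusted_hosts:
        return f"host {host!r} not trusted"
    return None


def audit_rows(rows, field):
    """Return (row index, value, reason) for every row whose link field fails."""
    findings = []
    for i, row in enumerate(rows):
        reason = link_problem(row.get(field))
        if reason:
            findings.append((i, row.get(field), reason))
    return findings


# Constructed sample query results, not data from a real report.
SAMPLE_ROWS = [
    {"Name": "Q1 summary", "Url": "https://reports.example.com/q1"},
    {"Name": "Script scheme", "Url": "javascript:alert(1)"},
    {"Name": "Lookalike", "Url": "https://reports.example.com@other.example/q1"},
    {"Name": "Split scheme", "Url": "java\tscript:alert(1)"},
]

if __name__ == "__main__":
    for idx, value, reason in audit_rows(SAMPLE_ROWS, "Url"):
        print(f"row {idx}: {value!r}: {reason}")
```

Relative links are rejected as well, because a value with no scheme cannot be matched against the trusted host list.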


Regards,
Hossein Karimi
