Mitigating Script Injection Attacks in a Hyperlink in a Published Report or Document
Hossein.K
Reports can contain embedded hyperlinks in the value of the Action property on
a report item or part of a report item. Hyperlinks can be bound to data that is
retrieved from an external data source when the report is processed. If a
malicious user modifies the underlying data, the hyperlink might be at risk for
scripting exploits. If a user clicks the link in the published or exported report,
malicious script could run.
To mitigate the risk of including links in a report that inadvertently run malicious
scripts, only bind hyperlinks to data from trusted sources. Verify that data from
the query results and the expressions that bind data to hyperlinks do not create
links that can be exploited. For example, do not base a hyperlink on an
expression that concatenates data from multiple dataset fields. If necessary,
browse to the report and use "View Source" to check for suspicious scripts and
URLs.
Regards,
Hossein Karimi
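
The "View Source" check described above can be automated over an exported HTML copy of a report. This is an added example, not part of the original post or of any product; the scheme allow-list, the function names, and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: schemes this site accepts in report hyperlinks; adjust to policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def link_problem(url):
    """Return a reason string if the link target is suspicious, else None."""
    # Browsers drop tab/CR/LF inside a URL and trim leading control characters
    # and spaces before reading the scheme, so do the same before checking.
    cleaned = re.sub(r"[\t\r\n]", "", url).strip(C0_AND_SPACE)
    match = SCHEME_RE.match(cleaned)
    if match is None:
        return None  # relative link, resolved against the report server
    scheme = match.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme '{scheme}' is not allowed"
    return None

class ReportAuditor(HTMLParser):
    """Collects (line, tag, reason) for risky link targets and inline handlers."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:  # attribute values arrive entity-decoded
            if name.startswith("on"):
                self.findings.append((line, tag, "inline handler " + name))
            elif name == "href":
                reason = link_problem(value or "")
                if reason:
                    self.findings.append((line, tag, reason))

def audit(html):
    auditor = ReportAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample of exported report markup (not taken from a real report).
SAMPLE = """<table>
<tr><td><a href="https://intranet.example/orders/1001">Order 1001</a></td></tr>
<tr><td><a href="/ReportServer?/Sales/Detail&amp;id=7">Detail</a></td></tr>
<tr><td><a href=" JaVa&#9;ScRiPt:void(0)">Customer site</a></td></tr>
<tr><td><a href="data:text/html;base64,AAAA">Invoice</a></td></tr>
<tr><td><a href="https://intranet.example/x" onclick="void(0)">Notes</a></td></tr>
</table>"""
```

Running `audit()` over each exported report and failing the publish step on any finding turns the manual inspection into a repeatable check; rows that are flagged point back to the dataset field that supplied the link.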