Dynamics 365 Community / Blogs / DaxGeek / Mitigating HTML Injection A...

Mitigating HTML Injection Attacks in a Published Report or Document

In Reporting Services, reports and resources are processed under the security
identity of the user who is running the report. If the report contains expressions,
script, custom report items, or custom assemblies, the code runs under the user's
credentials. If a resource is an HTML document that contains script, the script
will run when the user opens the document on the report server. The ability to run
script or code within a report is a powerful feature that comes with a certain level
of risk. If the code is malicious, the report server and the user who is running the
report are vulnerable to attack.


When granting access to reports and to resources that are processed as HTML, it
is important to remember that reports are processed in full trust and that
potentially malicious script might be sent to the client. Depending on browser
settings, the client will execute the HTML at the level of trust that is specified in
the browser.


You can mitigate the risk of running malicious script by taking the following
precautions:


Be selective about who can publish content to a report server. Because
anyone who can publish content can publish malicious content, limit
publishing rights to a small number of trusted users.


All publishers should avoid publishing reports and resources that
come from unknown or untrusted sources. If necessary, open the file
in a text editor and look for suspicious script and URLs.
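The second precaution asks the publisher to open a resource in a text editor and look for suspicious script and URLs. The following is an added example, not part of the original post or of Reporting Services, that automates that review for an HTML resource before it is published: it flags script and other active elements, inline event handlers, URL attributes using javascript:, vbscript: or data: schemes, and references to hosts outside an allowlist. The allowlist (TRUSTED_HOSTS) and the sample document are constructed for illustration.

```python
"""Pre-publish scan of an HTML resource for script and suspicious URLs.

Added example (not from the original post or from Reporting Services).
TRUSTED_HOSTS and SAMPLE_RESOURCE are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): hosts a published resource may legitimately reference.
TRUSTED_HOSTS = {"reports.example.internal"}

# Attributes that carry URLs and can therefore smuggle a script-bearing scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster", "background"}
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}
# Elements that run or load active content when the viewer opens the resource.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "base"}


class ResourceScanner(HTMLParser):
    """Collect findings as (line, kind, detail) tuples while parsing."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _flag(self, kind, detail):
        line, _col = self.getpos()  # position of the element being handled
        self.findings.append((line, kind, detail))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._flag("active-content", f"<{tag}> element")
        for name, value in attrs:
            if value is None:  # valueless attribute such as <input disabled>
                continue
            if name.startswith("on"):
                # Inline event handlers execute as script in the viewer's browser.
                self._flag("event-handler", f"{name}={value!r}")
            elif name in URL_ATTRS:
                self._check_url(name, value)
            elif name == "style" and "expression(" in value.lower():
                self._flag("css-expression", value)
            elif tag == "meta" and name == "http-equiv" and value.lower() == "refresh":
                self._flag("meta-refresh", "<meta http-equiv=refresh>")

    def _check_url(self, attr, value):
        parsed = urlparse(value.strip())
        scheme = parsed.scheme.lower()
        if scheme in DANGEROUS_SCHEMES:
            self._flag("dangerous-scheme", f"{attr}={value!r}")
        elif scheme in {"http", "https"} and parsed.hostname not in TRUSTED_HOSTS:
            # Off-server references load content the report server does not control.
            self._flag("untrusted-host", f"{attr} -> {parsed.hostname}")


def scan_html(document: str):
    """Return the list of findings for one HTML resource (empty means nothing flagged)."""
    scanner = ResourceScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def is_publishable(document: str) -> bool:
    """True when the resource produced no findings and can go to a human for final review."""
    return not scan_html(document)


# Constructed sample: one benign reference plus several things a reviewer should catch.
SAMPLE_RESOURCE = """<html><body>
<h1>Quarterly Sales</h1>
<img src="https://reports.example.internal/logo.png" alt="logo">
<a href="javascript:void(0)">details</a>
<img src="https://untrusted.example/banner.png" onerror="alert('injected')">
<script>/* placeholder for hostile script */</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in scan_html(SAMPLE_RESOURCE):
        print(f"line {line}: {kind}: {detail}")
```

A clean result is a reason to proceed to manual review, not a substitute for it: the scanner only sees what Python's HTML parser sees, so deliberately malformed markup, encoded or whitespace-split scheme names and script hidden in formats other than HTML (for example inside report expressions) still need the editor-based inspection the post recommends. Extend TRUSTED_HOSTS to match the hosts your report server is actually allowed to reference.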


Regards,
Hossein Karimi
