Currently D365 CRM allows us to enter any characters in single- and multi-line text fields. We can, for instance, enter a script in such a field. It has not executed the script; however, the output to the user is in script form, which can then be sent to a secondary application and can potentially cause an XSS vulnerability.

The ability to use sanitization and escaping functions could help eliminate the acceptance of scripts in fields.
Example of text entered in a single line text field "Name" on Account Entity:
STATUS DETAILS
Needs Votes

Comments

K

Could not post the entire comment the first time so continuing here:
Example of text entered in a single line text field "Name" on Account Entity: alert
This will be stored successfully. When a user requests the data of this record, they are able to see the field with the data as is, with no sanitization/cleanup; it stays as is.

ASK:
1. Can OOB functionality be introduced to sanitize and escape such tags while saving or rendering data output?
2. If OOB functionality can be introduced, can we allow a field-level option to enable/disable the sanitization and escaping functions to eliminate the ability to store data as scripts? This way customers can choose which fields allow scripts and which don't, and not all customers will be impacted by the change.
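As an added illustration of the two asks above (not D365 product code, and not the commenter's), the following shows what a secondary web application should do with a field value regardless of what CRM stored: HTML-encode it on output, and optionally reject markup at save time for fields whose policy does not allow it. The account record, the field policy and the `allowMarkup` flag are constructed for this example.

```javascript
// Added example: output encoding for CRM text fields rendered by a secondary
// web application, plus a per-field save-time check. The record and the
// field policy below are constructed and are not part of D365.

// HTML-encode a field value so the browser displays it as text, never as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one account row; every field value passes through escapeHtml().
function renderAccountRow(account) {
  return `<tr><td>${escapeHtml(account.name)}</td>` +
         `<td>${escapeHtml(account.description)}</td></tr>`;
}

// Per-field option (ask 2, hypothetical policy): fields where markup is not
// allowed are rejected at save time instead of being stored as-is.
const fieldPolicy = {
  name: { allowMarkup: false },
  description: { allowMarkup: true },
};

// Matches the start of an HTML tag, end tag, comment or doctype ("<b", "</b", "<!--").
// A bare "<" followed by a space (as in "a < b") is not flagged.
const MARKUP_PATTERN = /<\/?[a-z!?]/i;

// Returns the names of fields whose value contains markup the policy forbids;
// an empty array means the record may be saved.
function validateOnSave(record) {
  const problems = [];
  for (const [field, value] of Object.entries(record)) {
    const policy = fieldPolicy[field] || { allowMarkup: false };
    if (!policy.allowMarkup && MARKUP_PATTERN.test(String(value))) {
      problems.push(field);
    }
  }
  return problems;
}

// Constructed sample: the "Name" field holds a script element, as in the post.
const sampleAccount = {
  name: '<script>alert("xss")</script>',
  description: "Acme <b>preferred</b> partner",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(validateOnSave(sampleAccount));   // [ 'name' ]
  console.log(renderAccountRow(sampleAccount)); // no raw <script> in the output
}
```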

Category: Unified Experience: Search, navigation and performance