HTML in expressions
To prevent potentially harmful scripts from being executed via expressions, the result of an expression is sanitized: HTML that is not allowed is neutralised so that it can do no harm.
Allowed elements
Inside expressions, only the following HTML elements are allowed: a, p, div, i, b, em, blockquote, tt, strong, br, ul, ol, li, img.
Allowed attributes
For some HTML elements, only specific attributes are allowed:

HTML element    Attributes / pattern                    Info
(any element)   title                                   Allowed globally.
a               href                                    The rel="nofollow" attribute is always added.
                target=_blank                           When the input contains target=_blank, the rel attribute added is rel="nofollow noopener noreferrer".
(any element)   lang, pattern [a-zA-Z]{2,20}            Allows lang= with an alphabetic value on any element.
p               align: center, left, right, justify, char
img             src, alt
An expression can contain constant data and field data: the field data is encoded, and the complete result of the expression is sanitized.
When an element is used that is not allowed, an error is given.
Example
Let's look at the effects using an orders report as an example.
In this example we are creating a mail merge report with a Description field that we would like to see in italic and bold in the resulting mail merge.
For this, the following expression is created:
"<i><b>" + BaseOrder.Description + "</b></i>"
Result:
[Screenshot: Description appears bold and italic]
In this example, the expression contains HTML elements that are allowed, meaning that the report does not need to be changed.
If your expression contains HTML elements that are not supported, for example the tr element (table row), the report will give the following error:
An invalid element is used in this HTML mail-merge report: 'My orders report'. The report contains the following invalid expression elements: 'tbody,table,tr' (PN_H01462)
To fix this issue, change the expression to use an allowed HTML element, or remove the HTML element from the expression completely.
Changed behavior
When < is used in a constant value, it is interpreted as an illegal character.
The constant value “Test <text” gives a violation error when sanitized. To get the correct result, the value should be changed to “Test &lt;text”.
The sanitizer also encodes its output so that the result contains only valid Unicode scalar values.
Previously, bold </b> was encoded to “&lt;&#2f;b&gt;”; the sanitizer now encodes it to “&lt;/b&gt;”.
Likewise, the entity in "test&nbsp;non breaking space" is decoded to the non-breaking space character, giving "test\u00A0non breaking space".
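The allowlist from the table above, the invalid-element error from the Example section, and the encoding behaviour described under Changed behavior, as an added Python illustration written for this page; it is not the product's own sanitizer. The exact error wording, the treatment of br and img as void elements, and the use of the standard-library HTML parser are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist as listed on this page; the attribute rules are my reading of its table.
ALLOWED_ELEMENTS = set("a p div i b em blockquote tt strong br ul ol li img".split())
ELEMENT_ATTRS = {"a": {"href", "target"}, "p": {"align"}, "img": {"src", "alt"}}
VALUE_RULES = {"align": {"center", "left", "right", "justify", "char"}, "target": {"_blank"}}

def attr_allowed(tag, name, value):
    if name == "title":  # allowed globally
        return True
    if name == "lang":  # allowed globally, alphabetic value only
        return value is not None and re.fullmatch(r"[a-zA-Z]{2,20}", value) is not None
    if name not in ELEMENT_ATTRS.get(tag, ()):
        return False
    return name not in VALUE_RULES or value in VALUE_RULES[name]

class ExpressionSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded in handle_data
        self.out, self.invalid = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            self.invalid.append(tag)
            return
        kept = [(n, v) for n, v in attrs if attr_allowed(tag, n, v)]
        if tag == "a":  # rel is always added to links
            blank = any(n == "target" for n, _ in kept)
            kept.append(("rel", "nofollow noopener noreferrer" if blank else "nofollow"))
        attr_text = "".join(f' {n}="{html.escape(v or "")}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ELEMENTS and tag not in ("br", "img"):  # assumed void elements
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # decoded text (&nbsp; -> U+00A0) is re-escaped
        self.out.append(html.escape(data, quote=False))

def sanitize(expression_result):
    parser = ExpressionSanitizer()
    parser.feed(expression_result)
    parser.close()
    if parser.invalid:  # mirrors the page's PN_H01462 error, listing each element once
        raise ValueError("The report contains the following invalid expression "
                         f"elements: '{','.join(dict.fromkeys(parser.invalid))}'")
    return "".join(parser.out)
```

Field data is encoded before it reaches sanitize(), so a Description of bold </b> becomes bold &lt;/b&gt; and stays text rather than closing the constant's bold element.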