Ask Reuben

Sanitize

My LABEL STYLE="html" is not displaying what is sent to it?

How can I display a mailto link on the screen?

LABEL, TEXTEDIT, and MESSAGE all have the ability to set a Presentation Style so that any html in the displayed value is interpreted and rendered as html. This was intended so that you can do some simple decoration such as bold, italics, etc. by surrounding the text with the appropriate html tag.

A recent enhancement tightened up the security around these widgets and limited the tags, attributes, and CSS that were able to be used. Something that was prevented from being used was mailto, and so code similar to the following …


-- Render a hyperlink into the LABEL named mailto (presentation style textFormat=html)
DISPLAY SFMT("<a href=\"%1\">Click to send mail</a>", mailto_url()) TO mailto
... 
-- Build the mailto: URL; subject and body are URL-encoded, the addresses are used as-is
FUNCTION mailto_url()
    RETURN SFMT("mailto:%1?subject=%4&cc=%2&bcc=%3&body=%5", mail.to, mail.cc, mail.bcc, util.Strings.urlEncode(mail.subject), util.Strings.urlEncode(mail.body))
END FUNCTION

… from the ex_mail example in our GitHub repository no longer worked.

There will be times when you, the developer, will know best and want to use tags, attributes, or CSS that are not on our safe list, particularly when you know there is no possibility that a user can enter something that will cause the html to be unsafe.

In that case, there is a new presentation style attribute, sanitize, that you can set to yes or no, which tells the front-end whether or not to sanitize the html being sent to the LABEL, TEXTEDIT, or MESSAGE. You can read more on this in the presentation style attribute documentation for LABEL, TEXTEDIT, and MESSAGE respectively.

A way to determine if the sanitize mechanism is removing tags or attributes from the resultant html is to use the Browser Developer Tools to examine the html that is being sent to the WebView. Below there are two screenshots. In one, the hyperlink tag's href attribute containing the mailto has been removed. If the html you see here is not what you are sending, then chances are it has been sanitized.

So if you find some html is not being rendered as intended, check to see if it is making it to the front-end. If we are sanitizing it, then create and use a presentation style that indicates that the sanitize step is not to occur, and ensure your code is responsible for making sure that what is rendered is safe, e.g.


<Style name="Label.mailto">
    <StyleAttribute name="textFormat" value="html" />
    <StyleAttribute name="sanitize" value="no" />
</Style>
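Once sanitize is set to no, the front-end renders exactly what the program sends, so the program has to do the encoding itself. The following is an added illustration, written in Python rather than Genero BDL and not taken from the ex_mail example: every mailto component (addresses included, not only subject and body) is percent-encoded, and the finished URL is html-escaped before it is placed in the href attribute. The field values are constructed sample data.

```python
import html
from urllib.parse import quote


def mailto_url(to, cc="", bcc="", subject="", body=""):
    """Build a mailto: URL with the same parameter order as the ex_mail
    example (subject, cc, bcc, body), percent-encoding every component so
    that characters such as '?', '&', '"' or '<' cannot alter the URL."""
    params = [("subject", subject), ("cc", cc), ("bcc", bcc), ("body", body)]
    # safe="" encodes everything except unreserved characters
    query = "&".join("%s=%s" % (k, quote(v, safe="")) for k, v in params if v)
    url = "mailto:" + quote(to, safe="@")
    return url + ("?" + query if query else "")


def mailto_link(to, cc="", bcc="", subject="", body="",
                text="Click to send mail"):
    """Return the <a> fragment to DISPLAY into a LABEL whose style has
    textFormat=html and sanitize=no. html.escape(quote=True) turns '&'
    into '&amp;' and would neutralise any stray quote, so the value can
    never close the href attribute; the link text is escaped so it cannot
    introduce tags of its own."""
    href = html.escape(mailto_url(to, cc, bcc, subject, body), quote=True)
    return '<a href="%s">%s</a>' % (href, html.escape(text))


def attribute_is_intact(link):
    """Self-check a practitioner can keep in the code path that bypasses
    sanitizing: the fragment must contain exactly one tag pair and no raw
    '<' or '"' inside the href value."""
    start = link.find('href="') + len('href="')
    end = link.find('"', start)
    value = link[start:end]
    return link.count("<") == 2 and "<" not in value and '"' not in value


if __name__ == "__main__":
    # constructed sample data
    print(mailto_link("alice@example.com", cc="bob@example.com",
                      subject='Re: "Q3 review" <draft>', body="line 1\nline 2"))
```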