cancel
Showing results for 
Search instead for 
Did you mean: 
jsippel
Level 7

Problem with customizing Block Page

Jump to solution

Hello,

our WebGateway is used from several customers. I want to show individual text in the blocking page for every customer. I have added a "User Defined Property" ´which is filled with individual text in the Rule Set. It works fine except when i try to add html tags within this Property. If i want to add a <br> to the property, the webgateway is showing it as &lt;br&gt;. Is it possilble to add html tags to the property so that they are shown correctly in the error page?

Thank you for your help.

Best Regards,

Joerg

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Problem with customizing Block Page

Jump to solution

the HTML entities are stored as encoded and that's the way they are represented in the string. You cannot decode them on the server side, you have to rely on client-side javacript to repace the '<' and '>'

This is not pretty but it works:

Let's say you have this message string:

Set User-Defined.notificationMessage = "<b>Blocked Error Message</b><br/>Access Denied<br/>"

On the block page, you can do a javascript replace of the '<' and '>'

<script type='text/javascript'>

writeToDocument(('$User-Defined.notificationMessage$').replace(/&gt;/g,'>').replace(/&lt;/g,'<'))

</script>

Capture.jpg

The results look like this:

Capture2.jpg

0 Kudos
3 Replies
eelsasser
Level 15

Re: Problem with customizing Block Page

Jump to solution

the HTML entities are stored as encoded and that's the way they are represented in the string. You cannot decode them on the server side, you have to rely on client-side javacript to repace the '<' and '>'

This is not pretty but it works:

Let's say you have this message string:

Set User-Defined.notificationMessage = "<b>Blocked Error Message</b><br/>Access Denied<br/>"

On the block page, you can do a javascript replace of the '<' and '>'

<script type='text/javascript'>

writeToDocument(('$User-Defined.notificationMessage$').replace(/&gt;/g,'>').replace(/&lt;/g,'<'))

</script>

Capture.jpg

The results look like this:

Capture2.jpg

0 Kudos
jsippel
Level 7

Re: Problem with customizing Block Page

Jump to solution

Thank you very much. It Works :-)

0 Kudos
fschulte
Level 10

Re: Problem with customizing Block Page

Jump to solution

eelsasser wrote:


Let's say you have this message string:

Set User-Defined.notificationMessage = "<b>Blocked Error Message</b><br/>Access Denied<br/>"

Be careful to only use static data for the strings "Blocked Error Message"  and "Access Denied". Because you just punched a hole in the protection against cross site scripting by circumventing output encoding.

Consider the following dynamically generated error message, e.g. from a user supplied URL.

<script>

    document.write("&lt;script&gt;alert('bam!')&lt;/script&gt;".replace(/&lt;/g, "&lt;").replace(/&gt;/g, "&gt;"))

</script>

Message was edited by: fschulte on 9/24/12 8:06:18 AM CDT
0 Kudos