3 Replies Latest reply on Sep 24, 2012 8:06 AM by fschulte

    Problem with customizing Block Page

      Hello,

       

      Our WebGateway is used by several customers. I want to show individual text in the blocking page for every customer. I have added a "User Defined Property" which is filled with individual text in the Rule Set. It works fine except when I try to add HTML tags within this property. If I want to add a <br> to the property, the WebGateway is showing it as &lt;br&gt;. Is it possible to add HTML tags to the property so that they are shown correctly in the error page?

       

      Thank you for your help.

       

      Best Regards,

      Joerg

        • 1. Re: Problem with customizing Block Page

          The HTML entities are stored as encoded and that's the way they are represented in the string. You cannot decode them on the server side, you have to rely on client-side JavaScript to replace the '<' and '>'.

           

          This is not pretty but it works:

           

          Let's say you have this message string:

          Set User-Defined.notificationMessage = "<b>Blocked Error Message</b><br/>Access Denied<br/>"

           

          On the block page, you can do a javascript replace of the '<' and '>'

           

          <script type='text/javascript'>

          writeToDocument(('$User-Defined.notificationMessage$').replace(/&gt;/g,'>').replace(/&lt;/g,'<'))

          </script>

          Capture.jpg

          The results look like this:

          Capture2.jpg

          • 2. Re: Problem with customizing Block Page

            Thank you very much. It Works :-)

            • 3. Re: Problem with customizing Block Page
              fschulte

              eelsasser wrote:

               


              Let's say you have this message string:

              Set User-Defined.notificationMessage = "<b>Blocked Error Message</b><br/>Access Denied<br/>"

              Be careful to only use static data for the strings "Blocked Error Message" and "Access Denied", because you just punched a hole in the protection against cross-site scripting by circumventing output encoding.

               

              Consider the following dynamically generated error message, e.g. from a user-supplied URL.

               

              <script>

                  document.write("&lt;script&gt;alert('bam!')&lt;/script&gt;".replace(/&lt;/g, "<").replace(/&gt;/g, ">"))

              </script>

               

              Message was edited by: fschulte on 9/24/12 8:06:18 AM CDT
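
An allowlist variant of the decoding from reply 1 that addresses the concern in reply 3 (added example, not code from any poster or from the product): rather than turning every &lt; and &gt; back into markup, it restores only attribute-free b, i and br tags and leaves everything else encoded. The function name, the tag list and the sample strings are assumptions constructed for illustration, and it assumes the gateway has already entity-encoded the property value as the thread describes.

```javascript
// Tags the block page is allowed to render (assumed list; adjust as needed).
const ALLOWED_TAGS = new Set(['b', 'i', 'br']);

// An encoded tag with NO attributes: &lt;b&gt;, &lt;/b&gt;, &lt;br/&gt;, &lt;br /&gt;
const ENCODED_TAG = /&lt;(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*(\/?)&gt;/g;

// Hypothetical helper: decode only allowlisted tags, keep the rest encoded
// so the browser shows it as text instead of parsing it as markup.
function restoreAllowedTags(encoded) {
  return encoded.replace(ENCODED_TAG, (match, close, name, selfClose) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return match;  // e.g. script, img, iframe
    if (close && selfClose) return match;      // malformed "</b/>"
    return '<' + close + tag + selfClose + '>';
  });
}

// Constructed sample inputs, already encoded the way the gateway emits them.
const SAMPLES = [
  "&lt;b&gt;Blocked Error Message&lt;/b&gt;&lt;br/&gt;Access Denied&lt;br/&gt;",
  "&lt;script&gt;alert('bam!')&lt;/script&gt;",   // stays encoded
  "&lt;b onmouseover=x&gt;hi&lt;/b&gt;",         // opening tag has an attribute
];

for (const s of SAMPLES) {
  console.log(restoreAllowedTags(s));
}

// On the block page this would replace the blanket .replace() chain, e.g.
//   writeToDocument(restoreAllowedTags('$User-Defined.notificationMessage$'))
```

Any tag that carries an attribute fails the pattern and stays encoded, so event-handler attributes on an otherwise allowed tag are not restored.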