Sanitize Data
Sanitizing data is a security feature aimed at preventing the execution of potentially malicious code, such as Cross Site Scripting (XSS) attacks. XSS attacks involve a third party attempting to inject malicious scripts into a web app, in this case your form.
Sanitizing checks the value in a character string and removes or disguises anything that could potentially be interpreted and executed as code by your form, such as JavaScript contained within an HTML <script> element.
In order to prevent this type of attack, Digitise Forms provides the following features:

Data read in from a database to be sent to your form is automatically sanitized by the form's Digitise Forms Server component before the data is passed to the web pages. This aims to stop potentially contaminated data from the database reaching your form and being executed by the form.

Most Datasets have a Sanitize data when storing property, which allows you to choose whether data being written from your form to that Dataset should be sanitized before being written to the database.
If the property is selected, data will be sanitized by the form's Digitise Forms Server component before the data is written to the database, using the Submit Button or Capita Pay360 Cart Elements, or by calling the submitForm, updateDatasource or updateRecord scripting functions within custom JavaScript.
If the property is not selected, data will be written to the database as it is input into the form, without being sanitized.
By default the option is selected.
This allows you to prevent malicious scripts entered into your form from being stored in the database, protecting other systems which could potentially use this data. However, if you want to allow non-sanitized data to be output, you can deselect this option for the relevant Dataset.
If you upgrade a project created using Digitise Forms v1.4 or earlier, the Sanitize data when storing property will be set to not selected for all Datasets, so that your forms continue to behave as they did before.
If you are generating PDF copies of submitted forms and Sanitize data when storing is selected, the data contained within the form will be sanitized before the PDF is generated.
For Recordset Element Datasets whose data structure is defined as static columns, the value of this property is inherited from the form Dataset and this option cannot be edited within the Recordset's Dataset. The form Dataset is the Dataset created using New Datasource from Form to output map non-Recordset Elements which aren't output mapped to another database.
For Imported Stored Procedures, this property is not relevant if the Stored Procedure returns a Result Set and therefore is not shown in the Properties Pane for Datasets corresponding to a Stored Procedure Result Set.

When writing custom JavaScript within your form, you can access the AngularJS sanitize function to sanitize text strings within your Scripts. You can use this function to guard against a user attempting to enter malicious script when completing your form, but you should only need to do this where you want to use the sanitized value elsewhere in your form within a context which interprets HTML, e.g. if you were copying the value from one Text Box to another.
You can sanitize a character string by adding the following code at an appropriate point within your custom JavaScript:
<formName>.controller.$$ndl.sanitize("<string>")
For example:
<formName>.<pageName>.<elementName>.value = <formName>.controller.$$ndl.sanitize(<formName>.<pageName>.<elementName2>.value);
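As an added illustration, not code from the Digitise Forms product, the following JavaScript shows what an allowlist-based HTML sanitizer of the kind AngularJS's $sanitize implements does to a form value before it is stored or copied into a context that interprets HTML. The tag and attribute allowlists are assumptions chosen for this example, and the exact output of $$ndl.sanitize may differ.

```javascript
// Added example (not Digitise Forms' own code): an allowlist HTML sanitizer in
// the spirit of AngularJS's $sanitize. Anything not explicitly allowed is dropped,
// which is how a value like "<script>...</script>" is prevented from running.
// The allowlists and the SAFE_URL rule are constructed for this example.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i; // rejects javascript:, data:, vbscript:

// Keep only allowlisted attributes; drop all on* handlers, style, and unsafe hrefs.
function cleanAttributes(rawAttrs) {
  const out = [];
  const attrRe = /([a-zA-Z:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === "href" && !SAFE_URL.test(value.trim())) continue;
    out.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return out.join("");
}

function sanitizeHtml(input) {
  // Remove script/style elements together with their contents, not just the tags.
  const html = String(input).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  // Tokenize into complete tags, text runs, and stray '<' characters.
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  let out = "";
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (tok === "<") { out += "&lt;"; continue; } // '<' that formed no tag
    if (m[1] === undefined) { out += tok; continue; } // plain text run
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // e.g. script, img, iframe are dropped
    out += tok.startsWith("</") ? `</${name}>` : `<${name}${cleanAttributes(m[2])}>`;
  }
  return out;
}

// Mirrors the copy-between-elements case from the text: sanitize before the
// value lands in an HTML-interpreting context.
function copySanitized(sourceValue) {
  return sanitizeHtml(sourceValue);
}
```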