How to Avoid “Unsafe” Prefix on Links

io_image-v2

If you’ve ever tried creating a dynamic link with a non-standard protocol or prefix (e.g. file, sms, tel, ftp, local) in Service Portal, you may have noticed that it prepends the url with “unsafe” rendering it unusable.

The sanitization is a security measure aimed at preventing XSS attacks via html links and is coming from Angular.js which maintains a whitelist of safe urls.

To fix this you will need to override the default whitelist by passing in a regular expression to the application configuration. You can do this by creating a “js_include” in your portal theme and include the following script:

Where you see https?|ftp|mailto, etc… that is the regular expression you will want to update to include your url prefixes.

2 comments

  1. Hi Nathan,

    I’m not exactly sure what I should be doing to include this js_include in one of my themes.

    I’ve created a UI Script, titled it compileProvider and included it within the js_includes. In addition, I’ve also included |sip|im within the regex, to no avail.

    Can you provide a few more steps elaborating on this point: You can do this by creating a “js_include” in your portal theme and include the following script.

    Thanks,

    Edward

    1. Can you check in Chrome developer tools if that JavaScript is being included in your portal? It should be as simple as going to your portals theme record, and if the script is included in the js_includes related list, it should be getting loaded. Also maybe validate that your regex is valid.

Leave a Reply

Your email address will not be published. Required fields are marked *