When developing dynamic web pages in LabKey Server, you should be careful not to introduce unintentional security problems that might allow malicious users to gain unauthorized access to data or functionality.

This topic contains some examples and best practice advice.

Common Security Risks

The following booklet provides a quick overview of the ten most critical web application security risks that developers commonly introduce:


HTML Encoding

For those writing JavaScript in LabKey wiki pages and views, the most common risk is script injection. This occurs when your code accepts text input from a user and immediately displays it without HTML encoding it. Or when your code saves user input to the database and later displays that input in a web page without HTML-encoding it. In general, you should HTML-encode every value entered by a user before displaying it in a page, as this prohibits a malicious user from entering JavaScript that could be executed when dynamically added to the page as HTML. HTML encoding will convert all characters that would normally be interpreted as HTML markup into encoded versions so that they will be interpreted and displayed as plain text and not HTML.

To HTML-encode text, use the following function from LABKEY.Utils, which is always available to you in a LabKey wiki page or view. For example:

<div id="myDiv"/>

var myValue = ...value from input control...
var myValueEncoded = LABKEY.Utils.encodeHtml(myValue);

// Display encoded value:
document.getElementById("myDiv").innerHTML = myValueEncoded;

For more information on web development and security risks, see the following site:


Related Topics

Was this content helpful?

Log in or register an account to provide feedback

expand allcollapse all