| FineBI Version | Functional Change |
|---|---|
| 6.0.10 | / |
The server accepts the content you enter and uses it as part of the Web application.
If the content you enter contains malicious code, the server accepts and executes it, leading to problems such as information leakage and code execution.
FineBI 6.0.10 and newer versions add a new function, User Input Verification.
User Input Verification is enabled by default. It verifies your input content in specific scenarios within FineBI, effectively filtering malicious code and ensuring system security.
If you input illegal content, clicking OK or Save will prevent the entered content from being saved, and a prompt will pop up.
Super admins can enable/disable User Input Verification by modifying the following configuration items in the table fine_conf_entity.
Note: The User Input Verification configuration item does not exist by default in the table fine_conf_entity. The field needs to be manually added and can take effect after restarting FineBI.
| Configuration Item | Configuration Value | Definition |
|---|---|---|
| WebSecurityConfig.enableParameterVerify | true | Enable User Input Verification (default value). |
| WebSecurityConfig.enableParameterVerify | false | Disable User Input Verification. |
After the User Input Verification function is enabled, it will verify the input content in specific input scenarios in FineBI. For details, see the section "Verification Scenarios".
If the content that you input matches any of the following regular expressions, clicking OK or Save will prevent the entered content from being saved, and a prompt will pop up: "There are safe and illegal character in the input {character}."
Note: When there are multiple illegal characters in the input, only the first illegal character detected will be reported.
| Verification Type | Regular Expression |
|---|---|
| Illegal character | `"`, `<`, `>`, `&` |
| Illegal keyword | `/script`, `javascript:`, `onblur`, `getRuntime`, `ProcessBuilder`, `java.lang.ProcessImpl` |
| Module | Verification Scenarios | Verification Content |
|---|---|---|
| Directory | Add Template / Edit Template | Template name and description |
| Directory | Add Report Tag / Edit Report Tag | Tag name and description |
| Directory | Add Link / Edit Link | Link name and description |
| Directory | Add Directory / Edit Directory | Directory name and description |
| Directory | Add Homepage / Edit Homepage | Homepage name and notes |
| User | Add User / Edit User | Username. Note: Import User and Synchronize Users do not support the function User Input Verification. |
| User | Add Department / Edit Department | Department name |
| User | Add Roles / Edit Role | Role name and notes |
| Appearance | Login Page | Login Title |
| Appearance | Platform Style | Platform Title |
| System | General Parameters in General | Servlet Path Name |
| System | Sender Account in Mailbox | Name displayed in mailbox |
| Data Connection | New Data Connection in Data Connection Management; Rename Data Connection Name in Data Connection Management | Data Connection Name |
| Data Connection | Create Dataset in Server Dataset; Rename dataset name in Server Dataset | Dataset name |
| Map Configuration | Add Directory in Geographic Information; Rename map name in Geographic Information | Map name |
| Map Configuration | Add Custom Images in Custom Pictures; Rename image name in Custom Pictures | Image name |
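
Because Import User and Synchronize Users are not covered by User Input Verification, an administrator may want to screen a user list against the same illegal characters and keywords before importing it. The following is an added example, not FineBI's own code. It assumes that each listed entry is matched as a literal, case-sensitive substring, that "first" means the earliest position in the input, and that the CSV has a hypothetical `username` column.

```python
import csv
import io
import re

# Rules copied from the table on this page. Treating each entry as a literal,
# case-sensitive substring is an assumption; FineBI's own matching may differ.
ILLEGAL_CHARACTERS = ['"', "<", ">", "&"]
ILLEGAL_KEYWORDS = ["/script", "javascript:", "onblur", "getRuntime",
                    "ProcessBuilder", "java.lang.ProcessImpl"]
_RULES = re.compile(
    "|".join(re.escape(rule) for rule in ILLEGAL_CHARACTERS + ILLEGAL_KEYWORDS)
)


def first_illegal(value):
    """Return the first listed character or keyword found in value, else None.

    "First" is taken to mean the earliest position in the input (assumption).
    """
    match = _RULES.search(value)
    return match.group(0) if match else None


def screen_usernames(csv_text, column="username"):
    """Check one CSV column; return a list of (row_number, value, hit)."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        value = row.get(column) or ""
        hit = first_illegal(value)
        if hit is not None:
            findings.append((row_number, value, hit))
    return findings


# Constructed sample input, not taken from a real system.
SAMPLE_CSV = (
    "username,department\n"
    "alice,Finance\n"
    "bob<b>,Sales\n"
    "R&D-reports,Engineering\n"
    "onblur_tester,QA\n"
    "carol,Finance\n"
)

if __name__ == "__main__":
    for row_number, value, hit in screen_usernames(SAMPLE_CSV):
        print(f"row {row_number}: {value!r} contains {hit!r}")
```

Rows that are reported can be corrected in the source file before the import is run.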