User Input Verification

  • Last update:  2023-06-02
  • Overview

    Version

    | FineBI Version | Functional Change |
    |---|---|
    | 6.0.10 | / |

    Application Scenarios

    The server accepts the content that you enter and uses it as part of the Web application.

    If the content that you enter contains malicious code, the server will accept and execute the malicious code, leading to problems such as information leakage and code execution.

    Functions

    For FineBI 6.0.10 and newer versions, a new function User Input Verification has been added.

    The function User Input Verification is enabled by default, which verifies your input content in specific scenarios within FineBI, effectively filtering malicious code and ensuring system security.

    If you input illegal content, clicking OK or Save will not save the entered content, and a prompt will pop up.


    Function Introduction

    Enabling/Disabling Verification

    Super admins can enable/disable User Input Verification by modifying the following configuration items in the table fine_conf_entity.

    Note: The User Input Verification configuration item does not exist by default in the table fine_conf_entity. The field needs to be added manually and takes effect after FineBI is restarted.

    | Configuration Item | Configuration Value | Definition |
    |---|---|---|
    | WebSecurityConfig.enableParameterVerify | true | Enable User Input Verification (default value). |
    | WebSecurityConfig.enableParameterVerify | false | Disable User Input Verification. |

    Verification Content

    After the User Input Verification function is enabled, it will verify the input content in specific input scenarios in FineBI. For details, see the section "Verification Scenarios".

    If the content that you input matches any of the following regular expressions, clicking OK or Save will not save the entered content, and the following prompt will pop up: "There are safe and illegal character in the input {character}."

    Note: When there are multiple illegal characters in the input, only the first illegal character detected will be reported.

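    | Verification Type | Regular Expression |
    |---|---|
    | Illegal character | " |
    | Illegal character | < |
    | Illegal character | > |
    | Illegal character | & |
    | Illegal keyword | /script |
    | Illegal keyword | javascript: |
    | Illegal keyword | onblur |
    | Illegal keyword | getRuntime |
    | Illegal keyword | ProcessBuilder |
    | Illegal keyword | java.lang.ProcessImpl |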

    Verification Scenarios

    | Module | Verification Scenarios | Verification Content |
    |---|---|---|
    | Directory | Add Template/Edit Template | Template name and description |
    | Directory | Add Report Tag/Edit Report Tag | Tag name and description |
    | Directory | Add Link/Edit Link | Link name and description |
    | Directory | Add Directory/Edit Directory | Directory name and description |
    | Directory | Add Homepage/Edit Homepage | Homepage name and notes |
    | User | Add User/Edit User | Username. Note: Import User and Synchronize Users do not support the function User Input Verification. |
    | User | Add Department/Edit Department | Department name |
    | User | Add Roles/Edit Role | Role name and notes |
    | Appearance | Login Page | Login Title |
    | Appearance | Platform Style | Platform Title |
    | System | General Parameters in General | Servlet Path Name |
    | System | Sender Account in Mailbox | Name displayed in mailbox |
    | Data Connection | New Data Connection in Data Connection Management | Data Connection Name |
    | Data Connection | Rename Data Connection Name in Data Connection Management | Data Connection Name |
    | Data Connection | Create Dataset in Server Dataset | Dataset name |
    | Data Connection | Rename dataset name in Server Dataset | Dataset name |
    | Map Configuration | Add Directory in Geographic Information | Map name |
    | Map Configuration | Rename map name in Geographic Information | Map name |
    | Map Configuration | Add Custom Images in Custom Pictures | Image name |
    | Map Configuration | Rename image name in Custom Pictures | Image name |
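
Because Import User and Synchronize Users are not covered by User Input Verification, values that arrive through those paths can be checked offline against the same pattern list. The following Python sketch is an added example, not FineBI's code: it models the documented patterns, and the leftmost-match reporting, case-insensitive matching, function names and sample rows are assumptions constructed for illustration.

```python
import re

# Patterns copied from the "Verification Content" table on this page.
ILLEGAL_CHARACTERS = ['"', "<", ">", "&"]
ILLEGAL_KEYWORDS = ["/script", "javascript:", "onblur", "getRuntime",
                    "ProcessBuilder", "java.lang.ProcessImpl"]

# Assumptions: the page calls the entries regular expressions, so they are
# compiled as written; case-insensitive matching is chosen for auditing and
# is not stated by the page.
_RULES = (
    [("Illegal character", re.compile(p, re.IGNORECASE)) for p in ILLEGAL_CHARACTERS]
    + [("Illegal keyword", re.compile(p, re.IGNORECASE)) for p in ILLEGAL_KEYWORDS]
)

def first_violation(value):
    """Return (type, matched_text, offset) of the leftmost match, or None.

    Only one hit is returned, mirroring the page's note that only the first
    illegal character detected is reported (leftmost is an assumption).
    """
    best = None
    for kind, rx in _RULES:
        m = rx.search(value)
        if m and (best is None or m.start() < best[2]):
            best = (kind, m.group(0), m.start())
    return best

def audit(records):
    """records: iterable of (source, field, value); return the flagged ones."""
    findings = []
    for source, field, value in records:
        hit = first_violation(value)
        if hit:
            findings.append({"source": source, "field": field, "value": value,
                             "type": hit[0], "match": hit[1]})
    return findings

# Constructed sample rows standing in for imported or synchronized usernames.
SAMPLE = [
    ("Import User", "Username", "alice"),
    ("Import User", "Username", 'bob"<b>'),
    ("Synchronize Users", "Username", "R&D_carol"),
    ("Synchronize Users", "Username", "dave.ProcessBuilder"),
    ("Import User", "Username", "erin_onblur_test"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['source']:<18} {f['value']!r:<24} {f['type']}: {f['match']}")
```

The constructed row "R&D_carol" shows that ordinary names containing & are also rejected by these rules, so flagged records need manual review before renaming.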



