Overview
Version
| Report Server Version | Functional Change |
|---|---|
| 11.0.16 | / |
Application Scenarios
The server end accepts your input and uses it as part of the web application.
If the content you enter contains malicious code, the server would accept and execute that code, leading to information leakage, code execution and similar problems.
Functions
FineReport 11.0.16 and later versions add the User Input Verification function.
User Input Verification is enabled by default. It verifies your input in specific scenarios on the decision-making platform, filtering out malicious code and helping to keep the system secure.
If you enter illegal content, clicking OK or Save prevents the entered content from being saved, and a prompt pops up as shown below.
Functions
Enabling/Disabling User Input Verification
The super admin can enable or disable User Input Verification by modifying the following configuration item in the table fine_conf_entity.
Note: The User Input Verification configuration item does not exist in the table fine_conf_entity by default. The item needs to be added manually and takes effect after FineReport is restarted.
| Configuration Item | Configuration Value | Description |
|---|---|---|
| WebSecurityConfig.enableParameterVerify | true | Enable User Input Verification (default value). |
| WebSecurityConfig.enableParameterVerify | false | Disable User Input Verification. |
Verification Content
After you enable User Input Verification, it verifies the content you enter in specific input scenarios in FineReport. For details, see the section "Verification Scenarios".
If the content you enter matches any of the following regular expressions, clicking OK or Save prevents the content from being saved, and a prompt pops up: There are safe and illegal character in the input {character}.
Note: When the input contains multiple illegal characters, only the first illegal character detected is reported.
| Verification Type | Regular Expression |
|---|---|
| Illegal character | " |
| Illegal character | < |
| Illegal character | > |
| Illegal character | & |
| Illegal keyword | /script |
| Illegal keyword | javascript |
| Illegal keyword | onblur |
| Illegal keyword | getRuntime |
| Illegal keyword | ProcessBuilder |
| Illegal keyword | java.lang.ProcessImpl |
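The following script is an added illustration of the verification rules in the table above; it is not FineReport's own code and does not call any FineReport API. It reimplements the documented denylist so you can see which inputs are rejected and which offending token is reported. Two details the page leaves open are treated as assumptions and marked as such in the code: "first illegal character detected" is taken to mean the match closest to the start of the input, and keyword matching is assumed to be case-sensitive. The `enabled` flag models the WebSecurityConfig.enableParameterVerify item; the function and field names are hypothetical.

```python
from typing import Dict, NamedTuple, Optional

# Denylist copied from the "Verification Content" table on this page.
ILLEGAL_CHARACTERS = ['"', '<', '>', '&']
ILLEGAL_KEYWORDS = ['/script', 'javascript', 'onblur',
                    'getRuntime', 'ProcessBuilder', 'java.lang.ProcessImpl']


class Violation(NamedTuple):
    verification_type: str  # "Illegal character" or "Illegal keyword"
    token: str              # the offending character or keyword
    position: int           # 0-based offset of the match in the input


def find_first_violation(text: str) -> Optional[Violation]:
    """Return the earliest illegal character or keyword in `text`, or None.

    Assumptions (the page does not state them): "first detected" means the
    match closest to the start of the input, and keyword matching is
    case-sensitive, exactly as the keywords are listed.
    """
    earliest: Optional[Violation] = None
    for kind, tokens in (("Illegal character", ILLEGAL_CHARACTERS),
                         ("Illegal keyword", ILLEGAL_KEYWORDS)):
        for token in tokens:
            pos = text.find(token)
            if pos != -1 and (earliest is None or pos < earliest.position):
                earliest = Violation(kind, token, pos)
    return earliest


def verify_input(fields: Dict[str, str], enabled: bool = True) -> Dict[str, Violation]:
    """Check every submitted field of one scenario (e.g. Name and Description).

    Returns a mapping of rejected field -> first violation; an empty mapping
    means OK/Save may proceed. `enabled` models the configuration item
    WebSecurityConfig.enableParameterVerify (true by default).
    """
    if not enabled:
        return {}
    rejected: Dict[str, Violation] = {}
    for field, value in fields.items():
        violation = find_first_violation(value)
        if violation is not None:
            rejected[field] = violation
    return rejected


if __name__ == "__main__":
    # Constructed sample submissions for the "Add Template" scenario.
    samples = [
        {"Name": "Monthly Sales", "Description": "Revenue by region"},
        {"Name": "Q&A Report", "Description": "<b>bold</b>"},
        {"Name": "Runtime.getRuntime().exec", "Description": "onload=x onblur=y"},
    ]
    for fields in samples:
        print(fields, "->", verify_input(fields) or "accepted")
```

Note that an opening `<script>` tag is rejected by the `<` character rule, while the `/script` keyword catches the closing tag on its own; a name such as "Q&A Report" is rejected because of the `&` even though it is harmless in intent, which is the usual trade-off of character denylists. Because the page does not say whether keyword matching is case-insensitive, confirm the behaviour against your own server before relying on it, and treat this verification as one layer alongside output encoding rather than the only control.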
Verification Scenarios
| Module | Verification Scenarios | Verification Content |
|---|---|---|
| Directory | Add Template/Edit Template | Name and Description |
| Directory | Add Report Tab/Edit Report Tab | Name and Description |
| Directory | Add Link/Edit Link | Name and Description |
| Directory | Add Directory/Edit Directory | Name and Description |
| Directory | Add Homepage/Edit Homepage | Name and Remark |
| User | Add User/Edit User | Username (Note: Import User and Synchronize Users do not support User Input Verification.) |
| User | Add Department/Edit Department | Dept. name |
| User | Add Roles/Edit Roles | Role name and Remark |
| Appearance | Login Page | Login Title |
| Appearance | Platform Style | Platform Title |
| System | General > General Parameters | Servlet Path Name |
| System | Mailbox > Sender Account | Show Name |
| Data connection | Data Connection Management > New Data Connection | Data Connection Name |
| Data connection | Data Connection Management > Rename Data Connection | Data Connection Name |
| Data connection | Server Dataset > Create Dataset | Dataset Name |
| Data connection | Server Dataset > Rename Dataset | Dataset Name |
| Map configuration | Geographic Information > Add Directory | Name |
| Map configuration | Geographic Information > Rename Map | Name |
| Map configuration | Custom Pictures > Add Custom Images | Name |
| Map configuration | Custom Pictures > Rename Images | Name |