How to open downloaded HTML file in a new browser tab
I have a server workflow that uses the Create Download activity to create a download for an HTML formatted file. The content is proper HTML, Content Type is set to text/html, and Open in Browser is set to true.
However, when downloading the file, it does not open in a browser window, but is saved in the Downloads directory. This is apparently caused by the Content-Disposition: attachment header in the download.
I noticed in the documentation that HTML is not considered safe to open. Is there a way around this?
My ultimate goal is to show a preview of an HTML email message, but it seems that HTML is not supported in a display form to begin with.
-
Official comment
The Create Download activity will not serve HTML content without the Content-Disposition: attachment header. This is a security feature that is by design. Basically we cannot provide an out-of-the-box way to serve HTML pages that could have been built from untrusted user inputs. That would represent a serious security vulnerability.
For example, let's say your workflow prompts the user for their name and you plan to inject it into the HTML content something like this:
="<div>Hello " + $form1.state.textBox1.value + "</div>..."
If the user enters their name as “<script>alert('hacked')</script>Bobby Tables” they can run arbitrary code from your HTML page.
There is nothing to stop you from using the Write File activities to write your HTML to your own virtual directory and serve it from there, but at that point you are taking steps to set up and serve that content yourself, so ensuring that the HTML you serve is properly sanitized is now your responsibility.
HTML is not supported in the Display Form activity for basically the same reasons. Simply running some HTML crafted by a workflow would be dangerous unless the source of that HTML is trusted. Instead, workflow forms support Markdown because it is safe while allowing a reasonable level of formatting control.
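To make the concatenation example above concrete, here is a small Python script (added here; it is not code from this thread or from the product) that builds the greeting both with raw input and with HTML escaping, then parses each result the way a browser would to show which elements actually end up in the page. The `self_serve_headers` helper is a hypothetical illustration of the Content-Disposition difference for the Write File route, not a product API.

```python
import html
from html.parser import HTMLParser

# Constructed sample input, the same payload the official comment uses.
UNTRUSTED_NAME = "<script>alert('hacked')</script>Bobby Tables"


def build_greeting_unsafe(name: str) -> str:
    """Mirrors the workflow expression: raw input concatenated into markup."""
    return "<div>Hello " + name + "</div>"


def build_greeting_escaped(name: str) -> str:
    """Same template, but the input is HTML-escaped so it renders as text."""
    return "<div>Hello " + html.escape(name, quote=True) + "</div>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(fragment: str) -> list[str]:
    """Parses the fragment and returns the element names it really contains."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def self_serve_headers(filename: str, serve_inline: bool) -> dict[str, str]:
    """Hypothetical helper for HTML you serve yourself: 'inline' lets the
    browser render the page, 'attachment' forces a save, which is what the
    Create Download activity sends for text/html per the comment above."""
    disposition = "inline" if serve_inline else "attachment"
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Disposition": f'{disposition}; filename="{filename}"',
    }


if __name__ == "__main__":
    for builder in (build_greeting_unsafe, build_greeting_escaped):
        fragment = builder(UNTRUSTED_NAME)
        print(builder.__name__, element_names(fragment), fragment)
```

Running it shows the unsafe version yields a `script` element alongside the `div`, while the escaped version yields only the `div` with the payload as visible text.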
-
I think HTML is not supported in a display form because it is also not supported in Markdown (release notes VSW 5.17):
Addressed a security hole in markdown rendering where the markdown renderer would also incorrectly try to render html content.