https://community.fabric.microsoft.com/t5/Custom-Visuals-Development/Certification-How-to-Use-sanitization/m-p/4363802#M12025 <P>Hi,</P><P>&nbsp;</P><P>As part of the certification process there is a requirement to: "ensure DOM is manipulated safely. Use sanitization for user input or user data, before adding it to DOM."</P><P>&nbsp;</P><P>How have others achived this?</P><P>&nbsp;</P><P>I have implemented the code below to loop through all the data from the user and apply a sanitizeHTML function on it. I am not sure if this is enough.</P><LI-CODE lang="javascript"> options.dataViews[0].table.rows = options.dataViews[0].table.rows.map(innerArray =&gt; innerArray.map(element =&gt; {if (element) { return sanitizeHtml(String(element)); } else return null }));</LI-CODE><P>&nbsp;</P> Tue, 14 Jan 2025 19:17:09 GMT IraJWatt 2025-01-14T19:17:09Z https://community.fabric.microsoft.com/t5/Custom-Visuals-Development/Certification-How-to-Use-sanitization/m-p/4363802#M12025 <P>Hi,</P><P>&nbsp;</P><P>As part of the certification process there is a requirement to: "ensure DOM is manipulated safely. Use sanitization for user input or user data, before adding it to DOM."</P><P>&nbsp;</P><P>How have others achived this?</P><P>&nbsp;</P><P>I have implemented the code below to loop through all the data from the user and apply a sanitizeHTML function on it. I am not sure if this is enough.</P><LI-CODE lang="javascript"> options.dataViews[0].table.rows = options.dataViews[0].table.rows.map(innerArray =&gt; innerArray.map(element =&gt; {if (element) { return sanitizeHtml(String(element)); } else return null }));</LI-CODE><P>&nbsp;</P> Tue, 14 Jan 2025 19:17:09 GMT https://community.fabric.microsoft.com/t5/Custom-Visuals-Development/Certification-How-to-Use-sanitization/m-p/4363802#M12025 IraJWatt 2025-01-14T19:17:09Z https://community.fabric.microsoft.com/t5/Custom-Visuals-Development/Certification-How-to-Use-sanitization/m-p/4363874#M12026 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/827792">@IraJWatt</a>,</P> <P>&nbsp;</P> <P>If you're using <A href="https://www.npmjs.com/package/sanitize-html" target="_self">sanitize-html</A>, this should be enough. However, you may need to consider the permitted tags your HTML may contain to avoid arbitrary execution of JavaScript and potential attempts to load data remotely via attributes like <FONT face="courier new,courier">src</FONT>. For the remote loading, setting your WebAccess privilege in your capabilities as directed should prevent this, but you can also manage this within sanitize-html.</P> <P>&nbsp;</P> <P>If it helps, the HTML Content visual is open source. There is a version called <A href="https://appsource.microsoft.com/en-au/product/power-bi-visuals/coacervolimited1596856650797.htmlcontent_certified" target="_self">HTML Content (lite)</A>, certified by MS, so it can be regarded as good enough for HTML sanitization in a certified environment. <A href="https://github.com/dm-p/powerbi-visuals-html-content/blob/97b47d2fddc5bee9d43d3648538e41c1e2a723c0/src/domain-utils.ts#L28-L54" target="_self">You can review its sanitize-html configuration here</A>.</P> <P>&nbsp;</P> <P>Good luck!</P> <P>&nbsp;</P> <P>Daniel</P> Tue, 14 Jan 2025 20:27:00 GMT https://community.fabric.microsoft.com/t5/Custom-Visuals-Development/Certification-How-to-Use-sanitization/m-p/4363874#M12026 dm-p 2025-01-14T20:27:00Z