Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

We've captured the moments from FabCon & SQLCon that everyone is talking about, and we are bringing them to the community, live and on-demand. Starts on April 14th. Register now

Reply
IraJWatt
Regular Visitor

Certification How to Use sanitization?

‎01-14-2025 11:17 AM

Hi,

 

As part of the certification process there is a requirement to: "ensure DOM is manipulated safely. Use sanitization for user input or user data, before adding it to DOM."

 

How have others achived this?

 

I have implemented the code below to loop through all the data from the user and apply a sanitizeHTML function on it. I am not sure if this is enough.

  options.dataViews[0].table.rows = options.dataViews[0].table.rows.map(innerArray =>
            innerArray.map(element => {if (element) { return sanitizeHtml(String(element)); } else return null }));

 

Message 1 of 2
809 Views
0
1 ACCEPTED SOLUTION
dm-p
Super User
Super User

‎01-14-2025 12:27 PM

Hi @IraJWatt,

 

If you're using sanitize-html, this should be enough. However, you may need to consider the permitted tags your HTML may contain to avoid arbitrary execution of JavaScript and potential attempts to load data remotely via attributes like src. For the remote loading, setting your WebAccess privilege in your capabilities as directed should prevent this, but you can also manage this within sanitize-html.

 

If it helps, the HTML Content visual is open source. There is a version called HTML Content (lite), certified by MS, so it can be regarded as good enough for HTML sanitization in a certified environment. You can review its sanitize-html configuration here.

 

Good luck!

 

Daniel





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!


On how to ask a technical question, if you really want an answer (courtesy of SQLBI)




View solution in original post

Message 2 of 2
784 Views
1 REPLY 1
dm-p
Super User
Super User

‎01-14-2025 12:27 PM

Hi @IraJWatt,

 

If you're using sanitize-html, this should be enough. However, you may need to consider the permitted tags your HTML may contain to avoid arbitrary execution of JavaScript and potential attempts to load data remotely via attributes like src. For the remote loading, setting your WebAccess privilege in your capabilities as directed should prevent this, but you can also manage this within sanitize-html.

 

If it helps, the HTML Content visual is open source. There is a version called HTML Content (lite), certified by MS, so it can be regarded as good enough for HTML sanitization in a certified environment. You can review its sanitize-html configuration here.

 

Good luck!

 

Daniel





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!


On how to ask a technical question, if you really want an answer (courtesy of SQLBI)




Message 2 of 2
785 Views

Helpful resources

Announcements
New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

Power BI DataViz World Championships carousel

Power BI DataViz World Championships - June 2026

A new Power BI DataViz World Championship is coming this June! Don't miss out on submitting your entry.

Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

March Power BI Update Carousel

Power BI Community Update - March 2026

Check out the March 2026 Power BI update to learn about new features.

View All
Top Solution Authors
View All