Create HTML Formulas in Search permission overview
By default, NetSuite saved searches output plain text only. Some customers need to include HTML formatting and controls in the saved search output.
Including HTML in the output makes it possible to reference other data on the internet, reformat the data, and include active content, such as JavaScript that performs calculations. These capabilities also bring risk, namely:
- References to other websites expose the page visitor to content that your NetSuite account does not control
- Formatting added with HTML constructs can break the integrity of the page design, causing user interface features to stop working correctly
- Injection of content by future visitors (data they enter that the formula later places into the HTML) can affect your NetSuite account and every visitor to the page where the saved search is displayed
For security reasons, NetSuite has constrained this type of dynamic output to fields of type Formula(HTML). When such a field includes data that an attacker controls, the attack proceeds as follows:
- Legitimate users browse to the page, which loads the malicious content, or victims are prompted to click a link that takes them to your page with the malicious request data.
- The HTML construct causes the visitor's web browser to execute the malicious content in the request data. The malicious JavaScript can then modify account data or compromise the visitor's web browser.
How can an author of Formula(HTML) fields prevent risks, now and in future?
HTML/JavaScript developers should educate themselves on the risks and prevention techniques. Educational material can be found in numerous places, including the Open Web Application Security Project (OWASP).
For example:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
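The vulnerable concatenation described above and its hardened counterpart, as an added example that is not part of the original page or NetSuite's own code. A Formula(HTML) field is written in NetSuite formula syntax, so this JavaScript stands in for it: it builds the same link markup from constructed sample rows (the company names, URLs and the injected payload are made up), first by direct concatenation and then with the output encoding and URL scheme allowlist that the OWASP cheat sheet above prescribes. The function names, the sample rows and the `{website}` / `{companyname}` field references in the comments are this example's own assumptions.

```javascript
// Added example, not NetSuite code: output encoding for HTML built from
// saved-search data, following the OWASP XSS prevention rules. A real
// Formula(HTML) is written in NetSuite formula syntax; this JavaScript shows
// the encoding discipline its author has to apply.

// Constructed sample rows: one benign, one carrying an injected payload in the
// customer-supplied "name" and "website" fields (assumed field values).
const SAMPLE_ROWS = [
  { name: "Acme Corp", website: "https://example.com/" },
  { name: '<img src=x onerror="alert(1)">', website: "javascript:alert(document.cookie)" },
];

// OWASP rules 1 and 2: encode for HTML element and attribute context. Encoding
// these five characters covers both contexts as long as attributes are quoted.
// '&' must be encoded first, or the entities produced afterwards get mangled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// OWASP rule 5: a URL goes through a scheme allowlist before it reaches href.
// Encoding alone does not stop javascript: or data: URLs, because they are
// perfectly valid attribute values; only rejecting the scheme does.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value));
  } catch (_) {
    return null; // relative or malformed: refuse rather than guess
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:" ? parsed.href : null;
}

// The vulnerable pattern: direct concatenation, the JavaScript equivalent of a
// formula such as '<a href="' || {website} || '">' || {companyname} || '</a>'.
function renderRowUnsafe(row) {
  return '<a href="' + row.website + '">' + row.name + "</a>";
}

// The hardened pattern: every data value is encoded for the context it lands
// in, and the link is dropped entirely when the URL fails the allowlist.
function renderRowSafe(row) {
  const url = safeUrl(row.website);
  const label = escapeHtml(row.name);
  if (url === null) {
    return "<span>" + label + "</span>";
  }
  return '<a href="' + escapeHtml(url) + '">' + label + "</a>";
}

// Renders a whole result set with either row renderer.
function renderTable(rows, renderRow) {
  return "<table>" + rows.map((r) => "<tr><td>" + renderRow(r) + "</td></tr>").join("") + "</table>";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTable(SAMPLE_ROWS, renderRowUnsafe));
  console.log("safe:  ", renderTable(SAMPLE_ROWS, renderRowSafe));
}
```

In the formula itself, the counterpart of escapeHtml is a chain of REPLACE() calls over the field reference, applied in the same order (& first, then <, >, and the quote characters); the counterpart of safeUrl is a CASE expression that only emits the anchor when the value starts with https:// or http://. Neither removes the need to keep the permission restricted to developers who understand why each step is there.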
How can a NetSuite account owner minimize the risk of injection flaws?
Users granted the Create HTML Formulas in Search permission should be educated on HTML injection flaws and the techniques for preventing them.
By enabling this feature, the account owner acknowledges the risks associated with HTML Formulas in Search. Grant the Create HTML Formulas in Search permission only to suitably educated developers.