Allowing pages to run without encoding

Starting WebCenter 1.1.44 the WebCenter uses encoding to prevent malisious code to be executed. But sometimes you want to run a page without it being encoded to allow the execution of injected HTML like for example custom reports.

To do this you have to add that page to the HtmlEncodingExclusions setting in web.config. By default the custom reports page is added to this setting. It is written as „CustomReport“ in web.config. That name is not something you can guess by the title of something else. It should identify the page by the query string parameter form the URL of the page you want to exclude from encoding.

The URL of the custom reports page is:

http://localhost/VccWebCenter/?instanceID=00000000-0000-0000-0000-000000000000&uc=CustomReports

The interesting part of the above URL is uc=CustomReports, and the part after the equal sign (=) is the name of the page we need. The rest of the URL is not relevant. Some pages have more query string parameters and this uc parameter may not appear at the end of the URL.

Page names ar not unique for the Web center, but rather on a module level. So, to avoid exluding multiple pages with the same name you can append the module name to the page name in format  MODULE\PageName (STAT10\CustomReports, CC90\Users or ERM90\MessageBoxes).

Leave a Reply