Security framework upgrade
At Zoho Creator, one of our top priorities is to ensure that our customers' data is safe and secure. We are committed to providing the highest level of security and have been upgrading our systems to ensure we are processing on the latest and most secure protocols. Currently, we are upgrading the security framework that is used to process the user's HTML content.
All HTML content present in the forms, reports, and pages across the application will be checked for the following four characteristics:
- Invalid HTML tags - Only the standard W3C tags will be permitted. User errors in HTML tags will be handled as per browser behavior.
- Invalid styles - Only standard CSS properties will be permitted.
- Script rejection - Script content will be rejected.
- Custom attributes - Only the standard attributes for the particular HTML tag will be rendered. User-defined attributes will not be rendered. Note: Since custom attributes can be misused, it is recommended to use the class and id attributes instead.
The field display name and field description will be rendered after checking for the above four characteristics.
Form data in Reports:
In reports, the HTML tags present in the form data of the various fields will be checked. The new security framework processes field types in one of two ways:
- All HTML tags will be displayed as plain text. The fields under this category are: Single Line, Multi Line, Email, Drop Down/Radio, Checkbox/Multiselect, Decision Box, Users, and Integration.
- The content will be displayed after applying the four common characteristics (Invalid HTML tags, Invalid styles, Script rejection, and Custom attributes) mentioned at the top. The fields under this category are: URL, Image, Signature, Formula, File Upload, Audio, and Video.
All content in the page will be rendered after applying the four common characteristics (Invalid HTML tags, Invalid styles, Script rejection, and Custom attributes). Check the pages for any discrepancies in layout.
- OpenURL tasks with public embed components (creator.zohopublic.com) will not be permitted to access or perform any action in the parent window.
- The security update will prevent iframe content from using browser plugins. Instead, you can use the embed tag (<embed>) to render external PDF content in HTML.
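To make the four characteristics concrete, here is an added example of an allowlist-based HTML sanitizer built on Python's standard html.parser. It is illustrative code written for this page, not Zoho Creator's framework: the specific allowlists (ALLOWED_TAGS, GLOBAL_ATTRS, TAG_ATTRS, ALLOWED_CSS, SAFE_SCHEMES) are assumptions chosen for the demo, and the treatment of event-handler attributes and javascript: URLs as part of "script rejection" is likewise an assumption. It also shows the two report behaviours side by side: sanitize_html() for fields whose HTML is rendered after the checks, and as_plain_text() for fields whose tags are shown as plain text.

```python
import html
from html.parser import HTMLParser

# Illustrative allowlists (assumptions for this example, not Zoho Creator's actual lists).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "span", "div",
                "a", "img", "ul", "ol", "li"}
VOID_TAGS = {"br", "img"}                      # never take an end tag
GLOBAL_ATTRS = {"class", "id", "style", "title"}
TAG_ATTRS = {"a": {"href", "target"},
             "img": {"src", "alt", "width", "height"}}
ALLOWED_CSS = {"color", "background-color", "font-weight", "font-size",
               "text-align", "margin", "padding"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def sanitize_style(value):
    """Keep only declarations whose property is on the CSS allowlist ("Invalid styles")."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Re-serializes a fragment keeping only allowlisted tags/attributes/styles."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # open allowed tags, so unclosed tags get closed like a browser would
        self.skip_depth = 0   # >0 while inside <script>/<style>: their content is dropped entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1              # script rejection
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                            # invalid tag dropped; its text still flows through
        allowed = GLOBAL_ATTRS | TAG_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in allowed or name.startswith("on"):
                continue                      # custom attributes and on* handlers dropped
            if name == "style":
                value = sanitize_style(value)
                if not value:
                    continue
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                      # e.g. javascript: URLs dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag not in VOID_TAGS:
            self.stack.append(tag)
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.stack:
            return                            # stray or unknown end tag dropped
        while self.stack:                     # implicitly close anything opened after it
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()                       # flush buffered text first
        while self.stack:                     # close tags the user left open
            self.out.append(f"</{self.stack.pop()}>")


def sanitize_html(fragment):
    """Fields rendered after the four checks (URL, Image, Formula, ... in the text above)."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def as_plain_text(fragment):
    """Fields whose HTML tags are displayed as plain text (Single Line, Multi Line, ...)."""
    return html.escape(fragment, quote=False)


if __name__ == "__main__":
    # Constructed sample input for the demo.
    sample = '<p onclick="x()" data-role="note">Hi <b>there</b></p><script>alert(1)</script>'
    print(sanitize_html(sample))
    print(as_plain_text(sample))
```

Text inside dropped tags is kept (as a browser would render an unknown element's content), whereas the body of a script or style element is discarded outright; a stricter deployment could drop the content of unknown tags as well.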
Application Validation Process
- The Important Update popup displays information about the security framework upgrade. Click the Validate Applications button in the popup to validate your applications. You can validate each of your applications individually by enabling the upgraded security framework for your account alone. After testing and checking for any discrepancies, the security upgrade can be rolled out to all users.
- The Application Validation page will be displayed. This page will contain the list of all your applications and the ones that may experience changes due to the upgraded security framework can be filtered.
- Click on the specific application which should be validated. The Application details pane will appear containing the list of form fields and pages that may experience changes.
The upgraded security framework can be enabled for your account alone for testing purposes. After testing, the new upgrade can be rolled out for all users of the application. Click on Start Testing to enable the upgrade for your account and developers of this application alone.
- The application will be opened in a new tab. Check for any changes in the data in reports corresponding to the form fields along with the HTML content in the pages mentioned under the Application Details tab.
- If the administrator doesn't find any discrepancies then they can roll out the upgrade for all their users by clicking on Enable for all users.
Note: This process cannot be undone, and the administrator should proceed with caution. Click the Enable button in the alert box to enable the upgrade for all users. The security upgrade will now be rolled out to all users of that application.
- If the administrator doesn't want to proceed then they can click on I'll test later button. This will disable the upgraded security framework for the admin and can be enabled again from the Account Setup.
Similarly, all applications should be validated by the administrator to ensure a flawless transition to the new security framework.
To validate your applications later, click the Account Setup icon in the top right corner of your homepage.
Navigate to the Updates tab under the General section. In the list of updates, you can find the Validate your applications button adjacent to the Security framework upgrade.
For C4 users: Click the Notifications icon in the top-right corner of your applications, as shown in the screenshot below. Then click the Validate Applications button to validate your applications.