
Blocked HTML Content in Rich Text Editors

Halo scans the HTML behind every rich text box and blocks content that contains any of the elements, keywords or attributes listed below. Each of them can be used to run script, or to read data, in the browser of whoever later opens the record, which is the classic route to stored cross-site scripting. Here is what the scan looks for:

Dangerous Elements and Keywords:

  • Scripts and Embeds: <script>, <object>, <iframe>, <input>
  • JavaScript Execution: javascript:, javascript&, javascript,, expression(
  • Network Requests: xmlhttprequest, fetch(
  • Event Handlers: oncontextmenu, onclick
  • Cookies and Tokens: .cookie, 'cookie, "cookie, .access_token, 'access_token, "access_token, .refresh_token, 'refresh_token, "refresh_token
  • Storage Access: localstorage., sessionstorage., document.cookie, localstorage[, sessionstorage[

Event Handler Attributes:

We also check for any HTML attribute whose name starts with "on" (onclick, onload, onerror, onmouseover and so on). A browser runs the attribute's value as JavaScript the moment the corresponding event fires, so something like <img src="x" onerror="..."> executes as soon as the image fails to load, with no <script> tag anywhere in the content. That is why the rule is written against the prefix rather than against a fixed list of handler names.
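To make the rules above concrete, here is an added example that re-implements them as a small checker. This is illustrative code written for this page, not Halo's own implementation: the element and keyword lists are copied from the page, while the matching logic (a case-insensitive substring search for keywords, a regular expression for opening tags and one for on* attributes), the function names and the sample inputs are all assumptions. It runs the rules over a few constructed snippets and reports which rule fired.

```javascript
// Added example: an illustrative re-implementation of the rich-text blocklist
// described on this page. This is NOT Halo's code. The element and keyword lists
// are copied from the page; the matching logic (case-insensitive search, a tag
// regex, an on*-attribute regex) and all function names are assumptions.

const BLOCKED_ELEMENTS = ["script", "object", "iframe", "input"];

// Keyword patterns grouped as on the page. They are compared against the
// lowercased input, so "JavaScript:" and "javascript:" are treated alike.
const BLOCKED_KEYWORDS = {
  "JavaScript execution": ["javascript:", "javascript&", "javascript,", "expression("],
  "Network requests": ["xmlhttprequest", "fetch("],
  "Event handlers": ["oncontextmenu", "onclick"],
  "Cookies and tokens": [
    ".cookie", "'cookie", '"cookie',
    ".access_token", "'access_token", '"access_token',
    ".refresh_token", "'refresh_token", '"refresh_token',
  ],
  "Storage access": [
    "localstorage.", "sessionstorage.", "document.cookie",
    "localstorage[", "sessionstorage[",
  ],
};

// An opening tag for any blocked element: "<script", "< IFRAME src=...", etc.
const ELEMENT_RE = new RegExp(`<\\s*(${BLOCKED_ELEMENTS.join("|")})\\b`, "i");

// Any attribute whose name starts with "on" and is being assigned a value
// (onclick=, onload=, onerror=...). The word boundary stops "version=" matching.
const ON_ATTR_RE = /\bon[a-z]+\s*=/i;

// Shown by the application when scanHtml() reports a match (text from the page).
const BLOCK_MESSAGE =
  "Content has been blocked due to being potentially dangerous. " +
  "Click here to download the content and view it outside the application.";

// Returns { blocked, reasons } where reasons lists every rule that matched.
function scanHtml(html) {
  const reasons = [];
  const lower = html.toLowerCase();

  const tag = ELEMENT_RE.exec(html);
  if (tag) reasons.push(`Scripts and embeds: <${tag[1].toLowerCase()}>`);

  for (const [category, patterns] of Object.entries(BLOCKED_KEYWORDS)) {
    for (const pattern of patterns) {
      if (lower.includes(pattern)) reasons.push(`${category}: ${pattern}`);
    }
  }

  const attr = ON_ATTR_RE.exec(html);
  if (attr) reasons.push(`Event handler attribute: ${attr[0].replace(/\s+/g, "")}`);

  return { blocked: reasons.length > 0, reasons };
}

// Constructed sample inputs (not real Halo data).
const SAMPLES = {
  // Plain formatting and an https link: nothing to block.
  benign: '<p>Quarterly <b>report</b> attached, see <a href="https://example.com/q3">the summary</a>.</p>',
  // No <script> tag at all; the payload rides on an on* attribute and reads cookies.
  imgOnerror: '<p>Hi</p><img src="x" onerror="alert(document.cookie)">',
  // A javascript: URL in an href, caught by the keyword rule regardless of case.
  jsHref: '<a href="JavaScript:alert(1)">open</a>',
  // Harmless prose that merely mentions a handler name; still blocked, which is
  // why the error message offers a download instead of silently dropping it.
  falsePositive: '<p>Set the onclick handler in your template before saving.</p>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const result = scanHtml(html);
  console.log(name, result.blocked ? BLOCK_MESSAGE : "allowed", result.reasons);
}
```

The fourth sample is the one worth noticing: ordinary text that just mentions "onclick" is blocked, because the rules match text patterns rather than parsed HTML. That is the trade-off behind the download option in the error message. The example only catches what is spelled exactly as listed; the page does not say how Halo normalises encodings or whitespace, so do not read this code as a statement of what Halo does or does not catch.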

By blocking these elements and attributes, we stop content entered by one user from running script in another user's browser or reading that user's cookies, tokens and browser storage. Because the rules match text patterns, content that merely contains one of these strings (for example a note that quotes the word onclick) is blocked as well; that is why blocked content can still be downloaded and viewed outside the application.

If you have any questions or need further clarification, feel free to ask!

Why Information is Blocked in Rich Text Boxes

In the Halo tool, certain HTML content is blocked in rich text boxes so that content saved by one user cannot execute malicious script in another user's browser or gain unauthorized access to that user's cookies, tokens and stored data.

Rules for Blocking:

  • Scripts and Embeds: Elements like <script>, <object>, <iframe>, and <input> are blocked because they execute code, embed external content, or place form controls inside what should be static text.
  • JavaScript Execution: Keywords such as javascript:, javascript&, javascript,, and expression( are blocked. The first three catch the javascript: URL scheme and variants of it in link and source attributes; expression( catches CSS expression(), a legacy Internet Explorer feature that ran script from a stylesheet.
  • Network Requests: Terms like xmlhttprequest and fetch( are blocked because injected script would use them to send data from your session to a server the attacker controls.
  • Event Handlers: Attribute names like oncontextmenu and onclick are blocked because the browser runs their value as JavaScript when the event fires.
  • Cookies and Tokens: References to cookies and tokens (e.g., .cookie, 'cookie, "cookie, .access_token) are blocked so that script cannot read your session cookie or access and refresh tokens.
  • Storage Access: References to local and session storage (e.g., localstorage., sessionstorage.) are blocked so that script cannot read data the application keeps in the browser.

Error Message:

When content is blocked, the following error message is displayed: "Content has been blocked due to being potentially dangerous. Click here to download the content and view it outside the application."

This message means the content matched at least one of the rules above and was not rendered. The download option lets you retrieve the original content and open it outside Halo, where it is not rendered inside the application with access to your session; if the content came from someone you do not trust, treat the downloaded file with the same caution as any other attachment.
