Power Pages Web Application Firewall – Help to prevent script injection via Web API

Out of the box, with no extra configuration, Power Pages does not stop script content from being saved into text fields through the Web API.

Good practice is still to escape every piece of text read from Dataverse before rendering it (in Liquid, the html_safe_escape filter does this), but Power Pages has a friend that adds another layer of help here: the Web Application Firewall (WAF).

Simply enabling the Power Pages Web Application Firewall applies a set of default managed rules that block requests whose payload matches known script-injection (XSS) patterns, before the request ever reaches the Web API.

Testing comparison

Consider two otherwise identical websites, each with the Web API wrapper (webapi.safeAjax) added to a page, and with table permissions and Web API access enabled for create on a table called "correspondences" (entity set pnp_correspondences in the script below). One site has WAF disabled, the other has it enabled.

Running the following script in the browser console of each site:

// Payloads to submit; each tries to smuggle script into a text field.
var payloads = [
  "<script>alert('basic')</script>",                            // plain script tag
  "<scr<script>ipt>alert('obf')</scr</script>ipt>",             // nested-tag obfuscation
  "&lt;script&gt;alert('encoded')&lt;/script&gt;",               // entity-encoded tag
  "<a href='javascript:alert(\"jsurl\")'>JS Link</a>",            // javascript: URL in an attribute
  "<math><mtext><script>alert('math')</script></mtext></math>", // MathML wrapper
  "<<script>alert('broken')<</script>"                          // malformed tags
];

payloads.forEach(function (payload) {
  var record = {
    pnp_message: payload,
    pnp_name: "xss test"
  };

  // webapi.safeAjax is the Power Pages Web API wrapper (it adds the anti-forgery token).
  webapi.safeAjax({
    type: "POST",
    contentType: "application/json",
    url: "/_api/pnp_correspondences",
    data: JSON.stringify(record),
    success: function (data, textStatus, xhr) {
      // On create, the Web API returns the new record's GUID in the entityid header.
      var newId = xhr.getResponseHeader("entityid");
      console.log("Message stored:", payload);
      console.log("Entity ID:", newId);
    },
    error: function (xhr, textStatus, errorThrown) {
      console.log("Payload blocked:", payload);
      console.log("HTTP status:", xhr.status);
      console.log(xhr);
    }
  });
});

On the website without WAF, every request succeeds and the entries are created normally, so the raw payloads now sit in Dataverse waiting to be rendered.

On the website with WAF enabled, the requests fail and the error callback fires for each payload.

Inspecting the WAF logs (see Power Pages management studio) shows which rules were triggered for each blocked request.

Conclusion

Even though Power Pages natively accepts any HTML or script content through the Web API, the Power Pages WAF can block the requests that carry it. Keep in mind what the WAF is: a pattern-matching filter at the edge that stops requests matching its rules, not a guarantee that no script content will ever be stored. Escaping text on output (html_safe_escape in Liquid, textContent rather than innerHTML in client script) remains the primary control, and the WAF is an extra layer on top of it. It is highly recommended to enable it on Production websites.
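The escaping half of that recommendation, as an added example that is not part of the original post: a JavaScript helper that HTML-escapes Dataverse text for template output, a textContent-based renderer for the DOM, and an audit that runs the same six payloads used in the test above through the escaper and reports any that could still open a tag or attribute. The names escapeHtml, isInert, renderMessage and auditPayloads are illustrative, not Power Pages APIs; the payload list is copied from the test script.

```javascript
// Added example (not from the original post): output-side escaping as the
// primary control, with the WAF as an extra edge layer. Helper names are
// illustrative; the payload list mirrors the test script above.
const testPayloads = [
  "<script>alert('basic')</script>",
  "<scr<script>ipt>alert('obf')</scr</script>ipt>",
  "&lt;script&gt;alert('encoded')&lt;/script&gt;",
  "<a href='javascript:alert(\"jsurl\")'>JS Link</a>",
  "<math><mtext><script>alert('math')</script></mtext></math>",
  "<<script>alert('broken')<</script>"
];

// Escape the five characters that matter in an HTML text or attribute context.
// Already-entity-encoded input ("&lt;") is escaped again ("&amp;lt;"), which is
// correct: stored text must render literally and must never be re-decoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// True when the escaped string can no longer open a tag or break out of a
// quoted attribute (a bare "&" is harmless on its own).
function isInert(escaped) {
  return !/[<>"']/.test(escaped);
}

// Preferred DOM path: assign the raw Dataverse text to textContent, never
// innerHTML, so the browser treats the value as text rather than markup.
function renderMessage(container, rawText) {
  const p = document.createElement("p");
  p.textContent = rawText;
  container.appendChild(p);
  return p;
}

// Run every payload through escapeHtml and return the ones that are NOT inert.
// An empty result means the escaper neutralised the whole set.
function auditPayloads(payloads) {
  return payloads
    .map(function (p) { return { payload: p, escaped: escapeHtml(p) }; })
    .filter(function (r) { return !isInert(r.escaped); });
}

if (typeof document !== "undefined") {
  // Browser usage, e.g. pasted into the site's console: render the raw payloads
  // safely; none of them execute because textContent never parses markup.
  testPayloads.forEach(function (p) { renderMessage(document.body, p); });
}
console.log("payloads still dangerous after escaping:", auditPayloads(testPayloads).length);
```

The entity-encoded payload is the instructive one: it is inert as HTML only as long as nothing decodes it, and a renderer that decodes entities before injecting into innerHTML would revive it, so escaping it a second time (producing "&amp;lt;") is the correct behaviour, not a bug.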

References
html_safe_escape – Liquid filter – Microsoft Learn
