Versions Compared

...

Option 1: The Anti-XSS mode in Global configuration reduces exposure to XSS exploits related to the SQL Query macro. Toggle Global configuration > Disable anti-XSS mode to OFF to protect against XSS vulnerabilities. For more information, refer to App configuration.

...

Option 2: Macro security allows admins to restrict the usage of the SQL Query macro at the parameter level to trusted users and groups in trusted spaces. The SQL statement in the SQL Query macro may contain malicious code. To defend against XSS attacks, admins can control access to the SQL Query macro editor parameter Stop encoding of HTML characters. The usage restriction for this parameter is specified by configuring Macro security.

...

  • In the SQL Query macro editor, the parameter Stop encoding of HTML characters is disabled. The security configuration defends against an XSS attack even if the SQL statement input box contains malicious code.


Scenario 4. Global Configuration > Disable anti-XSS mode is toggled ON, and a Macro security restriction is not configured for the parameter Stop encoding of HTML characters.

...

  • Suppose the user toggles the parameter Stop encoding of HTML characters to OFF. In that case, the output is HTML-encoded and an XSS attack is prevented.

  • Suppose the user toggles the parameter Stop encoding of HTML characters to ON. In that case, an XSS attack is possible when the SQL statement input box contains malicious code.

Note

The user needs to be careful and make a conscious decision when the parameter Stop encoding of HTML characters is toggled ON.
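The following is an added example, not part of this page or the app's own code, that models what the Stop encoding of HTML characters parameter does to query output and classifies a configuration against the options and Scenario 4 described above. The row data, the renderer and the `xss_exposure` helper are constructed for illustration; the real macro's output format is assumed, not copied.

```python
import html
from dataclasses import dataclass

# Constructed sample result set: the second row carries markup, as a string
# literal in a SELECT could. Whether it is displayed as text or interpreted
# as HTML depends solely on the encoding parameter.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice"},
    {"id": 2, "name": "<b>Bob</b>"},
]


def render_cell(value: object, stop_encoding: bool) -> str:
    """Parameter OFF: escape <, >, &, quotes. Parameter ON: emit verbatim."""
    text = str(value)
    return text if stop_encoding else html.escape(text, quote=True)


def render_table(rows, stop_encoding: bool = False) -> str:
    """Render rows as an HTML table; header cells are always encoded."""
    if not rows:
        return "<table></table>"
    cols = list(rows[0].keys())
    head = "".join(f"<th>{render_cell(c, False)}</th>" for c in cols)
    body = "".join(
        "<tr>" + "".join(f"<td>{render_cell(r[c], stop_encoding)}</td>" for c in cols) + "</tr>"
        for r in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>"


@dataclass
class MacroConfig:
    anti_xss_mode_disabled: bool          # Global configuration > Disable anti-XSS mode is ON
    macro_security_restricts_param: bool  # Macro security restriction set for the parameter
    stop_encoding_enabled: bool           # parameter value chosen by the page author


def xss_exposure(cfg: MacroConfig) -> str:
    """Hypothetical classifier following the page's options and Scenario 4."""
    if not cfg.anti_xss_mode_disabled:
        return "protected: anti-XSS mode is active (Option 1)"
    if cfg.macro_security_restricts_param:
        return "restricted: parameter limited to trusted users and spaces (Option 2)"
    if cfg.stop_encoding_enabled:
        return "exposed: raw HTML from the SQL statement reaches the page (Scenario 4)"
    return "protected: output is HTML-encoded"
```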