Prevent Cross-Site Scripting Attacks

ActiveReports allows pre-processing of all links from reports. To prevent possible attacks and if you do not trust report authors, we recommend that you add processing of hyperlinks as demonstrated in the code example below:

Startup.cs	Copy Code
app.UseReportViewer(settings => { settings.UseFileStore(ReportsDirectory); settings.ProcessHyperlink = link => { if (!Uri.TryCreate(link, UriKind.RelativeOrAbsolute, out Uri uri)) return string.Empty; if (uri.IsAbsoluteUri) { if (uri.Scheme.ToLowerInvariant() == "javascript") return string.Empty; return uri.AbsoluteUri; } return uri.ToString(); }; })

Startup.cs

Copy Code

app.UseReportViewer(settings =>
    {
        settings.UseFileStore(ReportsDirectory);
        settings.ProcessHyperlink = link =>
        {
            if (!Uri.TryCreate(link, UriKind.RelativeOrAbsolute, out Uri uri))
                return string.Empty;
            if (uri.IsAbsoluteUri)
            {
                if (uri.Scheme.ToLowerInvariant() == "javascript")
                    return string.Empty;
                return uri.AbsoluteUri;
            }
            return uri.ToString();
        };
    })