Best Practices: Content Components

Overview

By now, you're likely familiar with a wide range of components offered in the Unqork Designer Platform. Some components have more clear-cut uses than others, which can become confusing. One example is the Content component, which offers such wide-ranging functionality that it can be difficult to know when and how to use it. In this article, you'll learn some security best practices for using Content components.

Avoid Using HTML in Content Components

When working with Content components, it's important to remember that Unqork is a no-code platform. While you can configure Content components, we do not support custom JavaScript code. This also applies to new platform releases, which might impact the functionality of your custom code. You are fully responsible for the ownership, maintenance, and support of your custom code.

Avoid using Content components to hold any code whenever possible. If you find yourself without other options, consider the source of any data retrieved using that HTML. If you're rendering data into an HTML element, ensure it’s done securely.

For example, the following Excel export code is not safe and is vulnerable to XSS (cross-site scripting):

<span ng-bind-html="data.xssOutput | safehtml"></span>

Avoid Storing Sensitive Values

  • Never use the Content component to store API (Application Programming Interface) keys or access credentials.

  • Do not use a Content component to collect private information or to store it for personal use.

  • Never include third-party resources like JavaScript in a Content component. External parties can use JavaScript to access and manipulate data on the page.
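
The checks in the two sections above can be run as a review step over the HTML held in a Content component. The following is an added example, not Unqork code: the rule names, the advice strings and the sample markup are constructed, and it assumes you have the component's HTML available as a string.

```javascript
// Added example: heuristic lint for Content component HTML. Rule ids, advice
// text and the sample markup are constructed for illustration.
const RULES = [
  { id: "html-binding-safehtml",
    // ng-bind-html whose expression pipes data through the safehtml filter
    re: /ng-bind-html\s*=\s*(["'])[^"']*\|\s*safehtml\b[^"']*\1/i,
    advice: "Data is rendered as HTML; confirm its source is trusted." },
  { id: "third-party-script",
    // <script src> with an absolute or protocol-relative URL
    re: /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\//i,
    advice: "Remove externally hosted JavaScript." },
  { id: "inline-script",
    // <script> tag without a src attribute
    re: /<script\b(?![^>]*\bsrc\s*=)/i,
    advice: "Custom JavaScript is unsupported; avoid holding code here." },
  { id: "hardcoded-credential",
    // key-like name assigned a quoted literal of 8+ characters
    re: /\b(?:api[_-]?key|secret|token|password)\b["']?\s*[:=]\s*["'][^"']{8,}["']/i,
    advice: "Do not store keys or credentials in a Content component." },
];

// Returns one finding per matching rule per line, in line order.
function lintContent(html) {
  const findings = [];
  html.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ rule: rule.id, line: i + 1, advice: rule.advice });
      }
    }
  });
  return findings;
}

// Constructed sample input; the key is a placeholder, not a real credential.
const SAMPLE = [
  '<p>Welcome back</p>',
  '<span ng-bind-html="data.xssOutput | safehtml"></span>',
  '<script src="https://cdn.example.com/widget.js"></script>',
  '<script>var apiKey = "EXAMPLE-PLACEHOLDER-KEY";</script>',
  '<p>Thank you for applying.</p>',
].join("\n");

function demo() {
  return lintContent(SAMPLE).map((f) => `${f.line}:${f.rule}`);
}
console.log(demo().join("\n"));
```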