Best Practices: Security for Content Components

Overview

By now, you're likely familiar with a wide range of components offered in the Unqork Designer Platform. Some components have more clear-cut uses than others, which can become confusing. One example is the Content component, which offers such wide-ranging functionality that it can be difficult to know when and how to use it. In this article, you'll learn some security best practices for using Content components.

Avoid Using HTML in Content Components

When working with Content components, it's important to remember the main reason for using Unqork in the first place: Unqork is a no-code solution. Avoid using Content components to hold any type of code whenever possible. If you have no other option, consider the source of any data that the HTML pulls in. If you're rendering data into an HTML element, make sure you do it securely.

For example, the following Excel export code is not safe and is vulnerable to XSS (cross-site scripting): <span ng-bind-html="data.xssOutput | safehtml"></span>

Avoid Storing Sensitive Values

  • Never use the Content component to store API (Application Programming Interface) keys or access credentials.

  • Do not use a Content component to collect private information or to store it for personal use.

  • Never include third-party resources like JavaScript in a Content component. External parties can use JavaScript to access and manipulate data on the page.
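One way to check Content component HTML for the three risks named in this article (the unsafe HTML binding, stored keys or credentials, and third-party JavaScript). This is an added example, not Unqork code: the rule names, regular expressions, sample HTML and the assumption that a component's HTML is available as a plain string are all constructed for illustration.

```javascript
// Added example: heuristic audit of Content component HTML (not Unqork code).
// Assumption: the component's HTML has been exported as a plain string.
const RULES = [
  {
    id: "trusted-html-binding",
    // ng-bind-html piped through the safehtml filter, as in the article's example.
    re: /ng-bind-html\s*=\s*(["'])(?:(?!\1).)*\|\s*safehtml\b(?:(?!\1).)*\1/gi,
    advice: "Render the value as text instead of trusted HTML.",
  },
  {
    id: "external-script",
    // <script src=...> pointing at an absolute or protocol-relative URL.
    re: /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/[^"'\s>]+/gi,
    advice: "Remove third-party JavaScript from the component.",
  },
  {
    id: "hardcoded-credential",
    // Constructed heuristic: a credential-like name assigned a long literal.
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']?[A-Za-z0-9_\-.]{16,}/gi,
    advice: "Move the key or credential out of the component.",
  },
];

// Returns one finding per match, ordered by the line it starts on.
function auditContentHtml(html) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of html.matchAll(rule.re)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ rule: rule.id, line, match: m[0], advice: rule.advice });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: three risky lines mixed with three harmless ones.
const SAMPLE = [
  "<h2>Export summary</h2>",
  '<span ng-bind-html="data.xssOutput | safehtml"></span>',
  '<span ng-bind="data.customerName"></span>',
  '<script src="https://cdn.example.com/widget.js"></script>',
  '<script>var apiKey = "EXAMPLEKEY0000000000000000";</script>',
  "<p>Contact support if the total looks wrong.</p>",
].join("\n");

for (const f of auditContentHtml(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.match}\n  -> ${f.advice}`);
}
```

Matches are leads for manual review; a clean result does not show that a component is safe.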