I have the following simple dashboard in Simple XML format to test displaying autogenerated HTML code. The HTML code is stored in a token.
<dashboard>
  <label>HTML Test</label>
  <init>
    <set token="testHtml"><![CDATA[<b>Hi there!</b>]]></set>
  </init>
  <row>
    <panel>
      <html>
        $testHtml|n$
      </html>
    </panel>
  </row>
</dashboard>
However, I am unable to display it as proper HTML-formatted output. It always gets escaped and I see raw HTML code instead of formatted text, meaning I get
According to the documentation for Tokens, the syntax $token|n$ should return unescaped content, which I would assume, in my case, would be raw HTML, which gets rendered by the browser.
Does anybody have experience with this?
@petom using a token to create HTML content in your dashboard could be dangerous (depending on how the token is being set in the first place). Which is the reason why it is treated as string and html tag. You can use a Simple XML JS extension to add HTML content using the token through jQuery. Refer to one of my older answers:
Also, as an alternative to avoid JS, instead of passing rich HTML content, can you not just send the token text and have an html panel with the HTML formatting/tags that you need?
Refer to the following run anywhere code:
<dashboard>
  <label>Unescaped HTML code</label>
  <init>
    <set token="testHtml">Hi there</set>
  </init>
  <row>
    <panel>
      <html depends="$testHtml$">
        <b>$testHtml$</b>
      </html>
    </panel>
  </row>
</dashboard>
@niketnilay, I don't really agree with you that the token value should be escaped in html regardless.
As per Splunk documentation, there is a token filter available in the form of $token|h$, which will make it secure by escaping HTML. There are also other filters available for other cases / requirements.
I fully understand if Splunk decided to make HTML escaping in the html panel the default token filter. However, the $token|n$ filter says "Prevents the default token filter from running. No characters in the token are escaped." and it does not work.
There can be cases where we may want to apply no filters.
As I mentioned in my question, the focus is on pure Simple XML. And actually why the documented feature is not working.
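Added example, not part of the thread and not Splunk code: one way to handle the risk raised in the answer when a token value has to carry formatting, for use in a JS extension before the string is handed to jQuery. It escapes the whole value (the effect the reply attributes to `$token|h$`) and then restores only a fixed list of attribute-free tags; the function names and the tag list are assumptions made for this example.

```javascript
// Added example: escape a token value, then re-enable only a small set of
// attribute-free formatting tags. Names and tag list are assumptions.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'br'];
const VOID_TAGS = ['br']; // tags that never take a closing tag

// HTML-escape every character that is significant in markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape first, then restore exact "<tag>" / "</tag>" forms of allowed tags.
// A tag carrying attributes, or any tag not on the list, stays inert text.
function renderTokenHtml(value) {
  const tagPattern = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  const open = []; // stack of currently open allowed tags
  const body = escapeHtml(value).replace(tagPattern, (match, slash, name) => {
    const tag = name.toLowerCase();
    if (VOID_TAGS.includes(tag)) return slash ? match : `<${tag}>`;
    if (!slash) {
      open.push(tag);
      return `<${tag}>`;
    }
    // Restore a closing tag only when it closes the innermost open tag.
    if (open[open.length - 1] !== tag) return match;
    open.pop();
    return `</${tag}>`;
  });
  // Close whatever is still open so formatting cannot leak into the panel.
  return body + open.reverse().map((tag) => `</${tag}>`).join('');
}

// Constructed sample token values.
const samples = ['<b>Hi there!</b>', '<b onclick="x()">hi</b>', '<b>unclosed'];
for (const s of samples) console.log(`${s}  ->  ${renderTokenHtml(s)}`);
```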