Community

Writing HTML and other < and > tagged content to a feature service

2687
8
11-15-2021 08:00 AM
BruceHarold
by Esri Regular Contributor
Esri Regular Contributor
5 8 2,687
‎11-15-2021 08:00 AM

My ArcGIS Data Interoperability ETL process was going fine but suddenly its ArcGIS Online Feature Service writer threw an error which terminated my workspace, the error message looked like this:

The error code from the server was '400' and the message was: ''. Details: 'Field public_description has invalid html content.

The data is from a local government 311 site - the field public_description is where the public have captured the details of their service request.  How did HTML get in there?  What was invalid about it?  How do I harden my translation to trap this kind of thing?

After a lot of investigation and making a note to self to bring writer rejection handling up with Safe again I found the offending data.  The investigation reminded me of math class when we worked through Isaac Newton's regula falsi method, turning caching on and using two Sampler transformers to bracket the bad guy until I found it.  It wasn't even HTML, it was a bracketed email:  <somebody@hotmail.com>.

OK I thought, its reasonable to put an email in a free text field.  Why is the feature service so finicky about it?

It turns out feature services have a setting (on by default) to cause potentially harmful content to be blocked.  I have a few choices.  If my data really did have HTML content I could percent-encode the field with the TextEncoder and HTML mode, I could manually encode brackets as &lt; and &gt;, I could remove anything in tags with StringReplacer and a regular expression <.*>, or I could switch the service property and let the data through.  Let's say I want this last option.

I need to use an admin REST API call.  The property I need to change is xssPreventionInfo.

To do this, in your browser and logged in as the service owner, go to the Content section in the Home app and navigate to the feature service item.  At bottom right is a control that lets you View the item REST API:

BruceHarold_1-1636991417482.png

Go there in your browser (your URL will of course be different).

https://services.arcgis.com/FQD0rKU8X5sAQfh8/arcgis/rest/services/Get_It_Done_311_Requests/FeatureSe...

To access the admin API insert the word 'admin' between 'rest' and 'services':

https://services.arcgis.com/FQD0rKU8X5sAQfh8/ArcGIS/rest/admin/services/Get_It_Done_311_Requests/Fea...

Then at the bottom of the page go to the UpdateDefinition endpoint:

https://services.arcgis.com/FQD0rKU8X5sAQfh8/ArcGIS/rest/admin/services/Get_It_Done_311_Requests/Fea...

Now search for the xssPreventionInfo property, set the value for xssInputRule to sanitizeInvalid:

BruceHarold_2-1636991693995.png

Click the Update Service Definition button and check it completes OK.  Now you can write HTML and things like <somebody@hotmail.com> to your feature service!

8 Comments
PeterMilenkovic
by
Occasional Contributor
‎10-06-2022 05:09 PM

Ah, wish I found this 4 hour ago! Been trying everything to update features with html formatted field.

BrandonGuo
by
Occasional Contributor
‎04-30-2023 06:15 PM

I got the following error code after clicking "Update Service Definition".  I didn't change "SourceSchemaChangesAllowed", not sure why it pops out this error. 

 

{
  "error" : 
  {
    "code" : 400, 
    "message" : "Unable to update feature service definition.", 
    "details" : [
      "Invalid definition for 'SourceSchemaChangesAllowed'.", 
      "Invalid definition for System.Boolean"
    ]
  }
}
0 Kudos
BruceHarold
by Esri Regular Contributor
Esri Regular Contributor
‎05-01-2023 06:12 AM

Brandon please log a support call.  Thanks.

0 Kudos
AbigailKrump3
by
New Contributor
‎05-03-2023 01:02 PM

Hello receiving same error as @BrandonGuo , has there been any resolution?

0 Kudos
BruceHarold
by Esri Regular Contributor
Esri Regular Contributor
‎05-03-2023 01:32 PM

Hi

Please select all the JSON in the Update Service Definition form and replace it with this:

{
    "xssPreventionInfo": {
        "xssPreventionEnabled": true,
        "xssPreventionRule": "InputOnly",
        "xssInputRule": "sanitizeInvalid"
    }
}

Let us know if it fixes the issue - thanks.

0 Kudos
BrandonGuo
by
Occasional Contributor
‎05-03-2023 03:22 PM

I fixed the issue, by remove "

SourceSchemaChangesAllowed

Seems like this option should only exist on views, but somehow is showing on the host feature service as well. @AbigailKrump3 

0 Kudos
ANRGIS
by
Occasional Contributor
‎12-01-2023 09:56 AM

@BrandonGuo , can you provide more details to

I fixed the issue, by remove "

From where?

BrandonGuo
by
Occasional Contributor
‎12-03-2023 01:15 PM

@ANRGIS Someplace where you update the definition.