Power Pages

XSS injection - Power pages WebApi

Hello,

How do you detect and prevent XSS injections by users in Power Pages?

I use the Web API to insert and update data. This means a user could intercept my request and inject script code.

Do you use any specific libraries?

Thanks.
Suggested answer by Haque

Key points and tools you can be aware of:

Power Pages Web Application Firewall (WAF): Power Pages includes a Web Application Firewall feature that can be enabled to automatically block common script injection attempts in Web API calls. It applies default rules that detect and reject payloads containing script tags or suspicious HTML content. Enabling WAF is highly recommended as an extra layer of protection in production environments. Configure here. Also, you can check this one.

Input Validation and Sanitization: Always validate and sanitize user inputs both client-side and server-side. Use server-side validation via Dataverse business rules, plugins, or Power Automate flows to check for malicious content before saving data. On the client side, avoid inserting user input directly into the DOM using innerHTML. Instead, use safe methods like textContent or proper encoding.

Content Security Policy (CSP): Power Pages supports configuring CSP headers that restrict which scripts can run on your pages, helping mitigate XSS risks by limiting allowed script sources. Let's check here.

No Specific Built-in Libraries for XSS Sanitization: Power Pages does not provide a built-in JavaScript library specifically for XSS sanitization. You can integrate popular open-source libraries like DOMPurify in your custom scripts if you need advanced client-side sanitization.

I am sure some clues I tried to give. If these clues help to resolve the issue that brought you here, please don't forget to check the box Does this answer your question? At the same time, I am pretty sure you have liked the response!
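As an added illustration (not code from the thread, from Microsoft, or from Power Pages itself) of the client-side point in the answer above, here is the innerHTML-style rendering it warns against next to two safer alternatives: encoding every field before it is interpolated, and building nodes with textContent. The record shape (name and comment fields returned by the Web API) and the stored sample payload are assumptions for the demo.

```javascript
// Vulnerable pattern: Web API field values are dropped straight into markup.
// If a user stored "<script>...</script>" through the Web API, assigning this
// string to innerHTML would hand that markup to the HTML parser.
function buildRowsUnsafe(records) {
  return records
    .map(r => `<tr><td>${r.name}</td><td>${r.comment}</td></tr>`)
    .join('');
}

// HTML-encode the five characters that change meaning in text and
// double/single-quoted attribute context. Null/undefined become ''.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened string-building variant: each field is encoded before it is
// interpolated, so stored markup is shown as visible text, not executed.
function buildRowsSafe(records) {
  return records
    .map(r => `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.comment)}</td></tr>`)
    .join('');
}

// Preferred variant in the browser: create elements and assign textContent,
// which never parses the value as HTML. Only callable where a DOM exists.
function renderRows(tbody, records) {
  tbody.replaceChildren();
  for (const r of records) {
    const tr = document.createElement('tr');
    for (const field of ['name', 'comment']) {
      const td = document.createElement('td');
      td.textContent = r[field] ?? ''; // text node, not markup
      tr.appendChild(td);
    }
    tbody.appendChild(tr);
  }
}

// Constructed sample data: the second record carries a stored script tag.
const sampleRecords = [
  { name: 'Alice', comment: 'Looks good' },
  { name: 'Mallory', comment: '<script>stolen()</script>' }
];
```

Client-side encoding only protects the page that applies it; the answer's server-side validation and CSP points still apply because other consumers of the same Dataverse data may render it differently.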
