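| Bug ID Number | BUG-000141008 |
| Submitted | June 25, 2021 |
| Last Modified | February 14, 2025 |
| Applies To | Portal for ArcGIS |
| Version Found | 10.8.1 |
| Operating System | Windows OS |
| Operating System Version | N/A |
| Status | As Designed. After review by the development team, this behavior has been determined to be by design. See the "Additional Information" section for details. |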
Additional Information
This is as-designed. Both ArcGIS Enterprise and ArcGIS Online have HTML sanitization logic in place to clean untrusted elements and strings of HTML. This is to prevent cross-site scripting and protect the system and user. In this case, the HTML href attribute does not contain a trusted protocol, so the resulting link is intentionally sanitized (resulting in a link that does not work). The HTML sanitization logic trusts the "arcgis-survey123" protocol, but in this example the protocol is not defined explicitly in the HTML string; it is constructed by the underlying Arcade expression. Refer to the workaround to revise the Arcade expression and href HTML string.
Workaround
The workflow works with the following updates:
1. Update the return statement within the Arcade expression to: return UrlEncode(params)+coordinates+callback;
2. Update the pop-up HTML string href to: href="arcgis-survey123://{expression/expr0}&field:esa={esa}"
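
A simplified model of why the workaround succeeds, as an added example that is not Esri's sanitizer code: the href is checked against a protocol allowlist while it is still a template, so a scheme supplied only by the expression result is never seen. The function names, the allowlist entries other than "arcgis-survey123", the sanitize-then-substitute order, and the sample itemID and esa values are assumptions made for illustration.

```javascript
// Simplified model for illustration; NOT Esri's sanitizer. Only
// "arcgis-survey123" is named on the page; other entries are assumptions.
const TRUSTED_PROTOCOLS = new Set(["https", "http", "mailto", "arcgis-survey123"]);

// Scheme literally present at the start of an href, or null if there is none.
function literalScheme(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href.trim());
  return m ? m[1].toLowerCase() : null;
}

// Runs on the pop-up template BEFORE placeholders are filled in (assumed order):
// an href whose literal text lacks a trusted scheme is dropped from the tag.
function sanitizeTemplate(html) {
  return html.replace(/\shref\s*=\s*"([^"]*)"/gi, (attr, href) => {
    const scheme = literalScheme(href);
    return scheme !== null && TRUSTED_PROTOCOLS.has(scheme) ? attr : "";
  });
}

// Encode a substituted value so it cannot break out of the attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Replace {name} placeholders with already-evaluated values.
function fillPlaceholders(html, values) {
  return html.replace(/\{([^{}]+)\}/g, (whole, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? escapeAttr(values[key]) : whole);
}

function renderPopup(template, values) {
  return fillPlaceholders(sanitizeTemplate(template), values);
}

// Constructed sample values (itemID is a placeholder, not from the bug report).
const before = renderPopup('<a href="{expression/expr0}">Open survey</a>',
  { "expression/expr0": "arcgis-survey123://?itemID=EXAMPLE" });
const after = renderPopup(
  '<a href="arcgis-survey123://{expression/expr0}&field:esa={esa}">Open survey</a>',
  { "expression/expr0": "?itemID=EXAMPLE", esa: "42" });

console.log(before); // href removed: the template had no literal trusted scheme
console.log(after);  // href kept: the scheme is written in the HTML string itself
```
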
Steps to Reproduce