Cross-Site Scripting (XSS) Protection

Applies to: VisualSP Classic
This update adds cross-site scripting (XSS) protection. The instructions below describe how to disable the preview on the edit help item screen and on the analytics screen using a PowerShell cmdlet.


To allow previewing a help item that has not yet been saved, the link property is passed along in the query string. Depending on the viewer type, that query string could be rendered in a way that lets a malicious user carry out an XSS attack.

Similarly, the analytics pages may offer a preview of a help item from its link property even when the original item no longer exists. Disabling the preview feature removes the XSS vulnerability.


  1. Deploy the solution.
  2. Open the SharePoint Management Shell.
  3. Run the following command:

Set-VisualSPSettings -DisablePreview $true

Expected Results

Go to Site Settings -> Manage VisualSP Help Items and edit a help item. With preview disabled, the edit help item screen no longer offers a preview of the item.

For analytics, go to Site Settings -> View Analytics Report. The analytics report likewise no longer offers a preview of help items.



Updated on October 17, 2018

