MicroStrategy ONE

Disallow Custom HTML and JavaScript in Dashboards, Documents, Reports, and Bots

Starting in MicroStrategy ONE (March 2024), all custom Web content is disabled by default to ensure a secure platform configuration. To enable custom Web content in dashboards, documents, reports, and Bots, see Enable Custom HTML and JavaScript Content in Dashboards, Documents, Reports, and Bots. Although unadvised due to security risks, you can enable custom Web content without auditing and allow custom HTML content. For more information, see Disable Granular Controls of HTML or JavaScript Content in an Environment, which reverts the content behavior similar to MicroStrategy ONE Update 12 and earlier.

If you are upgrading to MicroStrategy ONE (March 2024) from a previous version, see KB486433: HTML Content Settings When Upgrading to MicroStrategy One (March 2024) or Later From Previous Versions.

If you are using the Content Inspector tool with certified objects, see KB486729: Use Content Inspector with Certified Objects.

There are additional settings that control the HTML and JavaScript behavior in Web. For more information, see How to Control the Use of HTML and JavaScript in Web.

You can disallow custom HTML in dashboard to ensure a secure environment. When editing a dashboard, you can display third party Web applications or custom HTML and JavaScript directly in the dashboard, if you have the appropriate privileges.

HTML and JavaScript Content Rendering

You can create HTML and JavaScript content using the following methods:

  • In the Attribute Editor, assign the attribute form as HTML tag. See Attribute Editor for more information.

  • In the Metric Editor, select the checkbox next to Set as HTML content.

  • Insert an HTML container and add HTML text to it. For more information, see Add an HTML Container.

Security Settings and Privileges to Render HTML and JavaScript Content

The HTML and JavaScript content can potentially expose XSS vulnerabilities and is governed by a series of settings and user privileges.

Environment-level Security Settings Starting in MicroStrategy 2021 Update 1

  1. In Workstation, connect to your environment.
  2. Right-click on your environment and choose Properties.
  3. In the left pane, click Security Settings.
  4. In Content Settings, find the Enable HTML and JavaScript content in dossiers toggle.

    • By default, the setting is toggled on. Therefore, HTML and JavaScript content is enabled for all dossiers (renamed dashboards in MicroStrategy ONE (March 2024)).

    • If the setting is toggled off, HTML and JavaScript content is disabled for all dashboards in this environment.

  5. Click OK.

MicroStrategy ONE (March 2024) and Later Environment-Level Security Settings and Upgrade Impact

Starting in MicroStrategy ONE (March 2024), the Enable granular control of HTML and JavaScript content setting replaces the Enable HTML and JavaScript content in dossiers setting. The new setting provides more detailed control over all content types including dashboards, documents, reports, and Bots. It also includes a Content Inspector tool which helps security administrators perform a security check of the content.

  • If the setting is enabled before upgrading to MicroStrategy ONE (March 2024) or later, the Enable granular control of HTML and JavaScript content setting automatically takes effect by default.

    • See the following image of the setting before the upgrade:

    • See the following image of the setting after the upgrade:

  • If the Enable HTML and JavaScript content in dossiers setting was disabled in your environment before upgrading to MicroStrategy ONE (March 2024) or later, the setting is renamed to Enable HTML and JavaScript content in dashboards and no further action is needed. Although, there are behavioral changes after upgrading:

    • Report, document, and dashboard HTML content cannot render.

    • When creating HTML content, ensure you have the Create custom HTML and JavaScript content privilege.

    • See the following image of the setting before the upgrade:

    • See the following image of the setting after the upgrade:

  • If you enable the Enable HTML and JavaScript content in dashboards setting after upgrading to MicroStrategy ONE (March 2024) or later, granular control of HTML and JavaScript content is automatically activated. After exiting Security Settings in Workstation, the setting is automatically updated to the new setting name: Enable granular control of HTML and JavaScript content. This update ensures a seamless transition to the enhanced security and control included in MicroStrategy ONE (March 2024) and later.

  • If you disable the Enable granular control of HTML and JavaScript content setting after upgrading to MicroStrategy ONE (March 2024) or later, the behavior reverts to MicroStrategy 2021 Update 12 and earlier.

    • For best security practices, MicroStrategy recommends that you invalidate all caches after enabling this setting. For more information, see Invalidate All Caches.

Content-Level Security Settings

Starting in MicroStrategy ONE (March 2024), a content-level security setting, Enable HTML and JavaScript content, is introduced at the dashboard, document, report, or Bot level.

By default, the setting is toggled off which means the HTML and JavaScript content is disabled. The content can be enabled after performing content inspection (for more information, see Audit and Allow Custom HTML Content) or at the content level, as shown below.

Edit Content-Level Setting from Object Properties on Workstation

  1. Go to Dashboards, Documents, Reports, or Bots.
  2. Right-click a piece of content and choose Properties.
  3. Click Security Settings in the left pane.
  4. Toggle on or off Enable HTML and JavaScript Content.

  5. Click OK.

Edit Content-Level Setting from Editors on Web Authoring, Library, or Workstation

Report

This option is available in Web authoring.

  1. Open a report.
  2. Click Tools > Report Options....
  3. Click the Advanced tab.
  4. Select or deselect the checkbox next to Enable HTML and JavaScript content.

  5. Click OK.

Document

This option is available in Web authoring and Workstation.

  1. Open a document.
  2. Click Tools > Document Properties.
  3. In the left pane, choose Document.
  4. Select or deselect the checkbox next to Enable HTML and JavaScript content.

  5. Click OK.

Dashboard

This option is available in Web authoring, Library, and Workstation.

  1. Edit a dashboard.
  2. Click File > Dashboard Properties.
  3. Select or deselect Enable HTML and JavaScript content.

  4. Click OK.

    5. If you edit and save dashboard, document, report, or Bot content without the Configure server basic and Configure security settings privileges, the content-level setting will be automatically disabled. If you rename or change the Access Control List of a dashboard, document, report, or Bot, the content-level setting will not change.

MicroStrategy ONE (March 2024) and Later User Privilege Requirements

  • The Create HTML Container privilege is renamed to Create custom HTML and JavaScript content.
  • The Web create HTML container privilege is renamed to Web create custom HTML and JavaScript content.
  • Attribute forms with the HTML tag type and HTML containers can only be added to a dashboard or document if the user has the Create custom HTML and JavaScript content or Web create custom HTML and JavaScript content privileges.
  • Metrics and derived metrics with the HTML data type can only be added if the user has the Create custom HTML and JavaScript content or Web create custom HTML and JavaScript content privileges. Only metrics configured with the HTML data type will render custom HTML content in grids.
  • The environment-level setting, Enable HTML and JavaScript content in dashboards, and the content-level setting, Enable HTML and JavaScript Content, can only be enabled if the user has the Configure server basic and Configure security settings privileges.

User Privilege Requirements Before MicroStrategy ONE (March 2024)

  • HTML containers can only be added to a dashboard or document if the user has the Web Create HTML Container privilege.
  • Project schema attributes with HTML Tag type forms can only be created by users with the Create schema objects privilege.
  • Attributes with the HTML Tag type and text metrics can be created using Data Import and can be added to a dashboard if the user has the Web manage Document and Dashboard datasets privilege, in addition to one of the following privileges:
    • Access data (files) from Local, URL, DropBox, Google Drive, Sample Files, Clipboard
    • Access data from Cloud App (Google Analytics, Salesforce Reports, Facebook, Twitter)
    • Allow data from Databases, Google BigQuery, BigData, OLAP, BI tools
  • Metrics with the data type Text may contain custom markup or code.Metrics with text can be created in a dashboard or document if the user has the following privileges:
    • Create Derived Metrics
    • Web create Derived Metrics and Derived Attributes
  • Project metrics can only be created by users with the Use Metric Editor or Web Use Metric Editor privilege.

Render Rules for HTML and JavaScript Content

HTML and JavaScript only renders when running a report, dashboard, document, or Bot only if it is enabled. If the content is disabled, it is replaced with a warning symbol, displays as raw data, or displays a warning message. In all options, HTML and JavaScript will not be rendered and malicious code will not be triggered.

For example, in the image below, a dashboard contains an HTML container, a bar chart, and a grid. When HTML and JavaScript content is disabled, the HTML container content is replaced with a warning message. The HTML Tag Attribute data and HTML Metric data in the grid are replaced with a warning icon. The HTML Tag Attribute and HTML Metric data on the axis and tooltip of the bar chart display as raw data.

If an owner has the Create custom HTML and JavaScript content or Web create custom HTML and JavaScript content privileges, the owner is able to see the HTML or JavaScript content rendered on the dashboard, document, report, or Bot even if the content is set to disabled.

Disable Granular Controls of HTML or JavaScript Content in an Environment

Starting in MicroStrategy ONE (March 2024), the Enable granular control of HTML and JavaScript content setting replaces Enable HTML and JavaScript content in dossiers

Starting in MicroStrategy 2021 Update 1, custom HTML or JavaScript can be disabled if you turn off the Enable custom HTML and JavaScript content in dossiers setting:

This setting is only available in Workstation.

  1. In Workstation, connect to your environment.
  2. Right-click on your environment and choose Properties.
  3. In the left pane, click Security Settings.
  4. In Content Settings, if you are using MicroStrategy ONE (March 2024) or later, toggle off Enable granular control of HTML and JavaScript content. If you are using a version earlier than MicroStrategy ONE (March 2024), toggle off Enable custom HTML and JavaScript content in dossiers.

    MicroStrategy does not recommend disabling this setting.

  5. Click OK.

Considerations When Turning Off the Enable HTML and JavaScript Content in Dossiers Setting

The following considerations apply to MicroStrategy versions before MicroStrategy ONE (March 2024).

Rendering and Exporting

After turning the setting off, all custom HTML or JavaScript are removed or encoded. The custom code will stop rendering in Workstation and all Web and Mobile clients. HTML containers in dashboards will display the following message:

This content has been disabled. Please contact your administrator.

The HTML Container button disappears from the dashboard toolbar. Users with the appropriate access can edit a dashboard and remove their HTML container but can not add them back.

Grids that previously displayed images, links, or other custom content using attribute forms with the HTML Tag type display a yellow icon with a tool tip that indicates the content is disabled.

The contents of any text metrics are encoded before they display on the grid. Any markup or code displays as raw text in the browser or mobile client. When you export the grid data as a CSV, the rendering behavior is the same.

You can display hyperlinks in grids using attribute forms with the URL type.

You can display hyperlinks in grids in project schemas when editing an attribute form in Developer or you can use the Prepare Data interface in Data Import in Workstation and Web.

You can create dynamic hyperlinks in dashboards if you right-click an attribute in the Datasets panel and click Create Links.

For more information, see Create Dynamic Links in a Grid.

Mobile Caching

After you disable the setting, the change immediately applies to all mobile clients. If a dashboard is open when the setting is disabled, the change applies when the user closes and reopens the dashboard.

History List

After you disable the setting, the change also applies to any content sent to a History List. Custom HTML and JavaScript will not be disabled for History List entries and caches that were created when the setting was enabled. MicroStrategy suggests that Administrators manually delete all History List entries and caches when you disable the setting.

Enable Custom HTML and JavaScript Content in Dashboards, Documents, Reports, and Bots

Use the following steps to enable custom Web content in dashboards, documents, reports, and Bots in MicroStrategy ONE (March 2024) and later.

Invalidate All Caches

To ensure all HTML and JavaScript content is governed by the updated security granular controls, MicroStrategy recommends that you invalidate all caches before allowing custom HTML content. There are multiple methods to invalidate all caches:

Delete Files in the Cache Folder

  1. Locate your cache folder. For example, ${InstallationPath}\Caches\MicroStrategy Tutorial Server\Servertec-w-1174084_PA13890BC11D4E0F1C000EB9495D0F44F\RWDCache, where:
    • tec-w-1174084 is the Intelligence server name.

    • A13890BC11D4E0F1C000EB9495D0F44F is the project ID.

  2. Select the cache files in bulk and delete.
  3. Repeat steps 1-2 for each project.
  4. Optionally, if your environment is in a Intelligence server cluster, repeat steps 1-2 for each node.

Use Workstation

  1. In Workstation Navigation pane, click Monitors.
  2. Click Caches > Contents.
  3. Right-click a cache and select Delete.
  4. Repeat steps 1-3 for each cache and project.
  5. Optionally, if your environment is in a Intelligence server cluster, repeat steps 1-3 for each node.

Use Command Manager

  1. In Command Manager, create a new script file and enter the following content:
    Copy
    DELETE DOCUMENT CACHES IN PROJECT "MicroStrategy Tutorial";
    DELETE REPORT CACHES IN PROJECT "MicroStrategy Tutorial";
  2. Replace MicroStrategy Tutorial with your project name.
  3. Run the script.
  4. Repeat steps 1-3 for each project.
  5. Optionally, if your environment is in a Intelligence server cluster, repeat steps 1-3 for each node.

Use Developer

For details to purge result caches in a project, see Purging all Result Caches in a Project.

Audit and Allow Custom HTML Content

MicroStrategy ONE (March 2024) includes a new Content Inspector tool that reduces friction when you upgrade to new security features and granular controls. The Content Inspector tool allows you to query the entire metadata to find objects that contain custom Web content (via HTML containers or attributes and metrics with the HTML Tag form type), review custom Web content, and approve it by enabling the Enable HTML and JavaScript content option on each object or in bulk. Only dashboards, documents, reports, and Bots that have the Enable HTML and JavaScript content option enabled by a security administrator will render custom Web content. This setting mitigates security risks associated with custom HTML and JavaScript that execute when users edit or consume content.

After upgrading to MicroStrategy ONE (March 2024) or later, MicroStrategy strongly recommends that you use the Content Inspector to scan HTML content in your environment and enable HTML and JavaScript on demand.

When you use the Content Inspector for the first time, all HTML content is disabled in your environment.

  1. In Workstation, go to Environments.
  2. Right-click an environment and choose Open Content Inspector.

  3. You can inspect the content from the current view.

    4. You can filter the objects by Content Type or other criteria in the Filter panel.

  4. Right-click an object and choose Inspect.

  5. The detailed HTML content in this object appears.
  6. Click Open Dashboard to open the object and check the HTML content.

  7. Click Enable or Disable to enable or disable the HTML content.

    8. If a green checkmark appears next to the object, the HTML content is enabled. If there is no checkmark next to the object, the HTML content is disabled.

  8. To bulk enable or disable HTML content for object:
    1. Click the checkbox next to each object.
    2. Right-click a selected object.

    3. Choose Enable HTML and JavaScript Content or Disable HTML and JavaScript Content.

Trigger Content Inspector at the Object Level

  1. In Workstation, go to Dashboards, Documents, Reports, or Bots.
  2. Right-click a piece of content and choose Properties.
  3. Click Security Settings in the left pane.
  4. Click Inspect.. next to Enable HTML and JavaScript Content.

  5. Content inspection appears.
  6. Select an object and click Enable or Disable to enable or disable HTML and JavaScript content.