sqlFormLetters and Cross-Site Scripting Errors

More people are upgrading to the newer versions of PS during summer and are coming across the Cross-Site Scripting error.  I've documented what to do if one comes across it with sqlReports, but I've been getting emails recently from users of sqlFormLetters who are running into the issue as well.  The issue isn't with the sql part of the letter, but instead with the header and footer area, and mainly with style commands.  This blog post does not apply to the free version, sqlFormLetters Lite.

If you're not familiar with the cross-site scripting error, you'll want to check out KB Article 79956 on PowerSource, as well as this forum thread that appeared prior to the KB article.  But basically there are certain commands that follow a < in a field box that have been whitelisted and allowed.  If you try a command that's not allowed, an error appears that will suggest you put a space after the <, which will allow the data to be saved, but rarely helps when it comes to executing the command you wanted to use.  

A command that is very popular in the header and footer area of sqlFormLetters is the <style> command, however, that command is not on the whitelist and trying to use it in the header or footer box will give the cross-site error when you try to save the letter.   Adding a space and turning it into < style> does not trigger the error, but it also makes the command useless.  There are currently three workarounds:

  • if you're only changing some font styles, you can use a font style command instead like so:  <font style="font-size:10px; font-family: Arial"> Your text here </font>.
  • If you're doing more with the styles than just basic font changes, you can create a custom letter and place all the style commands and the header and footer onto the custom letter and not use the header and footer boxes in the user interface. 
  • There's a workaround that involves editing some sqlFormLetter files and then in the header and footer boxes you just need to place chr(60) in place of the offending <, such as chr(60)style>.  I'll add the change to a future release, but until then, if you want to try this approach, please email me.  I don't want to write out the instructions in a blog post since sqlFormLetters is a premium download.