Use of macros in an HTML template
Caution must be exercised when embedding macros in HTML templates
to avoid introducing cross-site scripting vulnerabilities to the Verify Identity Access environment.
Use the following guidelines when embedding macros:
- URL macros may be safely used as HTML text. To use a macro as
  HTML text, embed the macro between HTML tags. For example:
  <b>%URL%</b>
- URL macros may be safely used as HTML attribute values for HTML
  attributes, but only for attribute values that are intended for use
  with URLs. When using macros as HTML attribute values, the macro must
  be surrounded by double or single-quotes. For example:
  <a href="%URL%">clickable link</a>
- URL macros may be safely used as JavaScript™ string values, but must be
  surrounded by double or single-quotes. For example:
  var url = '%URL%';
- Non-URL macros may be safely used as HTML text. To use a macro
  as HTML text, embed the macro between HTML tags. For example:
  <b>%USERNAME%</b>
- Non-URL macros may be safely used as HTML attribute values, but
  only for attribute values that are NOT intended for use with URLs.
  When using macros as HTML attribute values, the macro must be surrounded
  by double or single-quotes. For example:
  <input type="text" name="user" value="%USERNAME%">
- Non-URL macros may be safely used as JavaScript string values,
  but must be surrounded by double or single-quotes. For example:
  var user = '%USERNAME%';
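
The guidelines above can be checked mechanically before a customized template is deployed. The following Python sketch is an added example, not part of the product or its documentation. It assumes %URL% is the only URL macro and that href, src, action and formaction are the URL attributes; the names MacroLint, lint and SAMPLE are hypothetical.

```python
import re
from html.parser import HTMLParser

# Assumptions for this sketch: which macros carry URLs, which attributes take URLs.
URL_MACROS = {"URL"}
URL_ATTRS = {"href", "src", "action", "formaction"}
MACRO = re.compile(r"%([A-Z_]+)%")

class MacroLint(HTMLParser):
    """Collects (macro, where, problem) for placements outside the guidelines."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        raw = self.get_starttag_text()
        for name, value in attrs:
            # HTMLParser strips quotes, so look for them in the raw tag text.
            quoted = re.search(r"(?<![\w-])%s\s*=\s*[\"']" % re.escape(name), raw, re.I)
            for macro in MACRO.findall(value or ""):
                where = "<%s %s>" % (tag, name)
                if not quoted:
                    self.findings.append((macro, where, "attribute value not quoted"))
                if (macro in URL_MACROS) != (name in URL_ATTRS):
                    self.findings.append((macro, where, "macro kind does not match attribute kind"))

    def handle_endtag(self, tag):
        self.in_script = False  # inside a script body only </script> is seen as a tag

    def handle_data(self, data):
        if not self.in_script:
            return  # macros used as HTML text are allowed for both kinds
        for m in MACRO.finditer(data):
            before, after = data[m.start() - 1:m.start()], data[m.end():m.end() + 1]
            # Conservative: accept only the exact form '%MACRO%' or "%MACRO%".
            if before not in ("'", '"') or before != after:
                self.findings.append((m.group(1), "<script>", "JavaScript value not quoted"))

def lint(template):
    parser = MacroLint()
    parser.feed(template)
    parser.close()
    return parser.findings

# Constructed sample template: one allowed use, then four placements to flag.
SAMPLE = ('<a href="%URL%">ok</a> <a href=%URL%>x</a> <a href="%USERNAME%">y</a>\n'
          '<input type="text" name="user" value="%URL%">\n'
          "<script>var url = '%URL%'; var user = %USERNAME%;</script>")
```

Calling lint(SAMPLE) returns one finding per flagged placement; a template that follows every guideline returns an empty list.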