Cross-Site Scripting and Extension Security


As a developer of dashboard extensions, there are certain precautions you should take and best practices you can follow to help ensure that your extensions are secure. A dashboard extension is a web application that runs inside the Tableau dashboard, and as a web application, your dashboard extension could be vulnerable to cross-site scripting (XSS). Cross-site scripting is an attack where a malicious user injects client-side code (typically, JavaScript) to execute in your web application. When other users load the web pages of your extension, the attacker’s scripts can run, potentially stealing information or redirecting the browser to another web page.

Basic steps toward preventing XSS

If your dashboard extension accepts text input from users through forms or text boxes, you will want to ensure that you aren’t accidentally introducing vulnerabilities. The best prevention for XSS attacks is to validate and encode any user input. There is a lot of good information available on the web for developers about how to protect web applications from attacks. For example, see Cross Site Scripting Prevention Cheat Sheet from the Open Web Application Security Project (OWASP).
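The following is an added example, not code from the Tableau Extensions API documentation or project. It shows the two controls the paragraph above names, output encoding and input validation, applied to a hypothetical "label" field an extension reads from a text box. The field name, the allow-list pattern and the sample inputs are constructed for the illustration.

```javascript
// Added example (not from the Tableau Extensions API docs): output encoding and
// allow-list validation for text a dashboard extension receives from its users.

// The five characters that matter in HTML text and attribute contexts. Encoding
// them makes the browser display user input literally instead of parsing it.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list validation for a hypothetical "label" field: letters, digits,
// spaces and a few punctuation marks, 1 to 64 characters. Reject anything else
// instead of trying to strip "dangerous" substrings from it.
const LABEL_PATTERN = /^[A-Za-z0-9 _.,-]{1,64}$/;

function isValidLabel(value) {
  return typeof value === 'string' && LABEL_PATTERN.test(value);
}

// Unsafe: raw input concatenated into markup is parsed as HTML when assigned
// to innerHTML, so tags and event-handler attributes in it take effect.
function labelMarkupUnsafe(untrusted) {
  return '<span class="label">' + untrusted + '</span>';
}

// Safe: the input is encoded before it enters the markup. (Assigning the string
// to element.textContent instead of innerHTML achieves the same without markup.)
function labelMarkupSafe(untrusted) {
  return '<span class="label">' + escapeHtml(untrusted) + '</span>';
}

// Renders a label into a container element, validating first and encoding
// always; returns false when the input is rejected so the caller can report it.
function renderLabel(container, untrusted) {
  if (!isValidLabel(untrusted)) {
    return false;
  }
  container.innerHTML = labelMarkupSafe(untrusted);
  return true;
}

// Constructed sample inputs: one ordinary label and one that carries markup.
const SAMPLE_OK = 'Sales by Region';
const SAMPLE_MARKUP = '<script>alert("xss")</script>';

// Stand-alone demonstration (a plain object stands in for a DOM element here).
const demoContainer = { innerHTML: '' };
console.log('unsafe :', labelMarkupUnsafe(SAMPLE_MARKUP));
console.log('safe   :', labelMarkupSafe(SAMPLE_MARKUP));
console.log('accepted?', renderLabel(demoContainer, SAMPLE_OK), demoContainer.innerHTML);
console.log('accepted?', renderLabel(demoContainer, SAMPLE_MARKUP));
```

Validation and encoding are complementary: the allow-list rejects input that should never reach the page at all, and the encoder protects any field whose legitimate values cannot be constrained that tightly (free-text comments, for instance). Encoding must match the context the value lands in; the table above covers HTML text and quoted attributes, while JavaScript, URL and CSS contexts each need their own encoder.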

Key points:

Additional proposals for prevention

<!-- Instead of linking to libraries on the web: -->
<script src="https://cdn.example.net/library.js"></script>

<!-- Link to libraries on the local host: -->
<script src="./library.js"></script>

For more information, see https://github.com/tableau/extensions-api/issues/103