If your dashboard extension accepts text input from users through forms or text boxes, you will want to ensure that you aren’t accidentally introducing vulnerabilities. The best prevention for XSS attacks is to validate and encode any user input. There is a lot of good information available on the web for developers about how to protect web applications from attacks. For example, see Cross Site Scripting Prevention Cheat Sheet from the Open Web Application Security Project (OWASP).
/. For example, use entity names or numbers: &gt; for the greater than character.
Set the Content-Security-Policy (CSP) property for your web pages. See Content Security Policy (CSP).
<script> alert("XSS attack")</script>
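As an added example (not code from the original page or from the Extensions API), the JavaScript below validates text-box input against an allow-list and encodes the HTML special characters, using the script string above as sample input. The helper names escapeHtml, isValidLabel and renderLabel, and the label rule itself, are assumptions made for illustration.

```javascript
// Added example: validate and encode text-box input before it is written
// into the page. All function names here are hypothetical helpers.

// HTML-significant characters mapped to entity names or numbers.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted text for use in element content or a quoted attribute.
// A single pass over the string avoids double-encoding the '&' of an entity.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Validation by allow-list (assumed rule for this example):
// 1 to 64 letters, digits, spaces, dots, underscores or hyphens.
const LABEL_PATTERN = /^[\p{L}\p{N} ._-]{1,64}$/u;

function isValidLabel(input) {
  return typeof input === 'string' && LABEL_PATTERN.test(input);
}

// Reject input that fails validation; encode input that passes anyway,
// so a later loosening of the pattern cannot reintroduce markup.
function renderLabel(input) {
  if (!isValidLabel(input)) {
    return { ok: false, html: '<span class="error">Invalid label</span>' };
  }
  return { ok: true, html: `<span class="label">${escapeHtml(input)}</span>` };
}

// Constructed sample inputs: one ordinary label, one script string.
const samples = ['Sales by Region', '<script> alert("XSS attack")</script>'];
for (const s of samples) {
  console.log(renderLabel(s).ok, escapeHtml(s));
}
```

Where the value is only ever displayed as text, assigning it to an element's textContent avoids building markup from user input at all.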
// Instead of linking to libraries on the web:
<script src="https://cdn.example.net/library.js"></script>

// Link to libraries on the local host:
<script src="./library.js"></script>
For more information, see https://github.com/tableau/extensions-api/issues/103