Skip to content
Patient Copilot Help Center

HTML Editor Security Validation

Overview We’ve added security validation to the HTML Code Editor inside: - Forms - Surveys - Quizzes This update prevents unsafe JavaScript from being saved. It protects accounts from: - Cross-site scripting (XSS) - Cookie theft - Token/session hijacking - Account takeover attempts If unsafe code is detected, the system blocks the save action and displays an error message. ## How It Works When editing custom HTML: 1. Open Form / Survey / Quiz Builder 2. Add an HTML element 3. Click Edit HTML 4. Enter your code The editor automatically scans the code in real time. If a security issue is found: - A red error message appears below the editor - The Save button is disabled - You must remove the unsafe code before saving * * * ## What Is Blocked The editor blocks high-risk JavaScript patterns that can expose sensitive data. ### 1. Accessing Cookies Blocked: Also blocked: Cookies may contain authentication data. Accessing them can lead to account compromise. * * * ### 2. Using eval Blocked: eval executes arbitrary strings as code and can be used to hide malicious scripts. * * * ### 3. Using new Function Blocked: This dynamically executes string-based code and poses the same risks as eval. * * * ### 4. Using setTimeout With a String Blocked: Allowed: Passing a string causes the browser to evaluate it as code. * * * ### 5. Using setInterval With a String Blocked: Allowed: * * * ### 6. Reading From localStorage Blocked: Reading from localStorage may expose sensitive session or authentication data. Allowed: * * * ## What Is Allowed The following are not blocked: - Standard HTML - Safe JavaScript logic - Arrow functions - Function references in timers - Writing to localStorage - sessionStorage usage * * * ## Important Notes - Detection is case-insensitive (eval, EVAL, etc.). - If the same issue appears multiple times, only one error message is shown. - Empty HTML fields are allowed. - Pure HTML (without scripts) is allowed. * * * ## If Your Code Is Being Blocked To resolve the issue: - Remove any direct cookie access - Avoid eval or new Function - Use function references instead of string-based timers - Do not read authentication or session data from localStorage