I had the problem that the preview component strips all JavaScript / CSS when displaying HTML from inside the application.
Creating a good “stripper” to protect against code in data entries in T-SQL is almost impossible, so I created a “proxy.html” page with JavaScript to do this job, and to allow for code I want to inject. (The first <head> tag goes through; anything in the body tag is stripped.)
There is one small problem and that is that I can’t tell the script where the API is. It is not possible to generate a correct URL which will work in both test and production.
At this moment I have to make 2 API calls, and compare to our application and branch name, and that is an unstable solution, as the calls I use could change in future versions.
It would be good to know “who am I, whether I’m running over the SF or IAM, what my application Id is, and how is the user calling me” within the T-SQL scripts.
In other environments you have this information; not having the information is a huge limitation.
Another use case would be to set up a table to track which browsers people use … In this context it is not possible.