KB484127: Securing PDF and Excel Export with Whitelists


Community Admin

• Strategy


This article explains the new whitelist feature available for exporting content to PDF or Excel.

Starting with the release of Strategy ONE (March 2024), dossiers are also known as dashboards.
Several Strategy products allow you to export information to PDF and to Microsoft Excel. For flexibility, Strategy allows you to export content from various locations, some of which can be specified by a URL. For example, an attribute form may contain a URL that specifies the location of an image. The image is fetched during the export process and placed in the PDF output at the appropriate location. Similarly, the output can be customized using HTML containers where URLs represent the content to be included in the export.
As a result of a recent security analysis of Strategy's exporting features, Strategy's Technology Team determined that additional protection should be provided to restrict the locations used to source content for exported items.
As of Strategy 2020 Update 1, administrators can specify which URLs or URL paths are permitted when fetching content to be included in an export. This concept, where only certain URLs are permitted, is commonly referred to as whitelisting.

What is a whitelist?

A whitelist is a list of trustworthy items. In this instance, Strategy is asking you to specify which locations are allowed to be accessed when retrieving content to be placed in an exported PDF document or Excel workbook.
Each whitelist entry must be a URL or URL path that specifies one or more allowable locations to source images or other content when exporting an item to PDF or Excel.
The administrator must provide the allowed URLs or URL paths in Strategy Web Preferences. For steps, see the Web Admin Guide. See below if you are using MicroStrategy Web ASP.

How does a whitelist work?

When a dossier, report, or document is exported, any content specified by reference through a URL is checked against each URL in the whitelist to determine whether it is a permissible target location.
If the URL is permitted by any of the specified URLs in the whitelist, then the information is retrieved. The wildcard character (*) is allowed in the whitelist as part of the URL. This allows you to have one URL in the whitelist that encompasses many target URLs.

What should I include in my whitelist?

Certain URLs typically used by the Strategy product are included by default. This includes the default locations for maps, images, visualizations, etc. When adding your own URLs, take the following information into consideration:

  • Relative paths are case sensitive.
  • Include URLs external to your own domain where you know content is required.
  • Avoid specifying the URL of the local machine where the Strategy product is running.
  • If you must use the local Strategy server machine to host content, specify the exact location on the machine for the content.
    • For example, if you want to place an image in a particular location on the Strategy server, use the URL https://my_machine/images so only the images folder can be accessed.
  • A relative path, such as ./images/, can be specified. This specifically accesses a resource in the Intelligence Server installation folder, <Install_Path>/images.
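
A review script for the guidance in this list, added here as an example and not Strategy's own code or matching logic: it flags whitelist entries that name the local server without an exact folder, relative paths that reach outside the install folder, and wildcards in the host name. `LOCAL_HOSTS`, the function names and the sample entries are assumptions constructed for illustration, and the host-wildcard check is a review heuristic rather than documented product behaviour.

```python
from urllib.parse import urlsplit

# Assumption: names your Strategy server answers to (constructed values).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "my_machine"}

def audit_entry(entry, local_hosts=LOCAL_HOSTS):
    """Return review findings for one whitelist entry; an empty list means none."""
    entry = entry.strip()
    if entry.startswith("."):
        # Relative entries resolve under the Intelligence Server install folder.
        if ".." in entry.split("/"):
            return ["relative path leaves the install folder"]
        if entry.strip("./*") == "":
            return ["relative path exposes the whole install folder"]
        return []
    parts = urlsplit(entry)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not an absolute http(s) URL or a relative path"]
    findings = []
    if "*" in host:
        findings.append("wildcard in host name covers servers you may not control")
    # Fixed part of the path before any wildcard; empty means the whole server.
    folder = parts.path.split("*", 1)[0].strip("/")
    if host in local_hosts and not folder:
        findings.append("local server listed without an exact content folder")
    return findings

def audit(entries, local_hosts=LOCAL_HOSTS):
    """Map each entry that has findings to its list of findings."""
    checked = {e: audit_entry(e, local_hosts) for e in entries}
    return {e: f for e, f in checked.items() if f}

# Constructed sample whitelist, not taken from any real deployment.
SAMPLE = [
    "https://my_machine/images",
    "https://my_machine/*",
    "https://localhost",
    "https://*.example.com/maps/*",
    "./images/",
    "./../conf/",
    "ftp://files.example.com/logo.png",
]

if __name__ == "__main__":
    for entry, found in audit(SAMPLE).items():
        print(f"{entry}: {'; '.join(found)}")
```

Run it against the entries copied out of Web Preferences before saving them; entries with no findings still need a human check that the location is one you trust.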

Additional Step for Strategy Web ASP Customers

As a part of Strategy 2020 Update 1, Web ASP users must also download and run the Strategy 2020 Patch Installer. The installer provides the ability to set security preferences in Web ASP for securing your data.

Prerequisites:

  • Ensure Strategy 2020 Update 1 is installed on the machine running the Strategy 2020 Patch Installer.
  • Ensure Strategy Web ASP is installed on the machine running the Strategy 2020 Patch Installer.

How to run the Strategy 2020 Patch Installer

  1. Download the Strategy 2020 Patch Installer from the Download Site.
  2. Unzip the file.
  3. Run the Strategy2020PatchInstaller.exe file.
  4. Follow the dialog screens. Keep in mind that other patch fixes may be applied to applicable Strategy products that are installed on the same machine.
  5. Click Finish when the installation succeeds.

Once you have completed installation, click here to see steps on how to use the new whitelist feature for exporting.

Details

Knowledge Article

Published:

March 17, 2020

Last Updated:

March 31, 2025