Microsoft's best practices for building custom visuals in Power BI
Power BI enables developers to build their own custom visuals, and to visualize their business metrics the way they want them to be.
As a developer of custom visuals, you need to be aware of the security implications and take steps to make sure your visuals are as secure as possible.
Here are a few of the common web-based threats you should be aware of:
Malicious infected files
Power BI infrastructure and iframe sandboxing, together with the security of today's browsers, block most malicious attacks, but there are several precautions you can take to increase security even further.
Before building a custom visual, you should consider the quality and popularity of packages and libraries you want to utilize.
Although there is no strict policy about importing third-party libraries, we still review all packages before approving them.
An unknown package may carry many security issues, so it is worthwhile to use Microsoft's recommended packages, such as D3 for creating graphics and charts, or Bootstrap if you want a modern CSS look and feel.
For more information on installing external libraries into a custom visual, please visit the following link:
Before publishing a custom visual, we recommend reviewing the resources it includes.
Following the guidance below will help keep your visual as safe as possible:
Do not use local resources that might disclose private information about you, your organization, or anything that's not specifically related to the Power BI visual.
Try not to keep TODO tasks as comments inside the code; these can be viewed from the browser whenever the visual is debugged.
Do not accept user input as a resource. For example, if you provide a set of colors to choose from, make sure to provide an element with hardcoded values, or values that come from your resource file. Do not let the user type the name of the color as free text. Although this is possible programmatically, it requires more robust input validation so that it cannot be bypassed, which could otherwise lead to code injection or XSS.
When running a custom visual, inspect the network requests it sends and receives.
We recommend that developers keep control of their visuals’ network traffic and any external resources they consume.
Power BI contains each custom visual in a secure sandbox of its own. This structure provides the necessary client-side data isolation between one visual and another.
If you want to add content to an element inside a visual, please use the proper DOM API for it, for example .append, .setAttribute, element.textContent, element.text, and so on.
We recommend using the D3 library: D3 is well tested and very popular, which makes it a safer way to set and get user input.
When you use D3 and the DOM API correctly, there is no need for extensive manual input escaping: the browser API ensures that user input is stored as a text string and rendered as text, not as HTML markup, eliminating the risk of code injection and XSS attacks.
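The following is an added example, not code from the Power BI documentation, showing the two rules above with plain DOM calls: a color choice is resolved against a hardcoded palette instead of free text, and a data label is written through textContent so any markup in the data is rendered as text. The FakeElement class and the sample label are constructed stand-ins so the snippet runs outside a browser; in a visual you would pass document.createElement instead.

```javascript
// Added example (not from the Power BI docs); FakeElement is a constructed stand-in.

// Hardcoded palette: the only colour values a user may select from.
const PALETTE = Object.freeze({
  primary: "#0078d4",
  accent: "#e3008c",
  neutral: "#605e5c",
});

// Resolve a palette key to its value; anything not in the palette (free text,
// prototype names such as "toString") falls back to a safe default.
function resolveColor(choice, fallback = PALETTE.neutral) {
  return Object.prototype.hasOwnProperty.call(PALETTE, choice)
    ? PALETTE[choice]
    : fallback;
}

// Minimal element stand-in (constructed for this example); in the browser the
// real element comes from document.createElement.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.textContent = "";
    this.attributes = {};
    this.children = [];
  }
  setAttribute(name, value) { this.attributes[name] = String(value); }
  appendChild(child) { this.children.push(child); return child; }
}

// Render a category label the safe way: build the node with DOM APIs and put
// the label in textContent. A label such as "<b>Sales</b>" stays literal text;
// it is never parsed as HTML, so no escaping step is needed. Writing the same
// string through innerHTML would instead hand it to the HTML parser.
function renderLabelSafe(container, label, colorChoice, createElement) {
  const span = createElement("span");
  span.setAttribute("style", `color:${resolveColor(colorChoice)}`);
  span.textContent = String(label);
  container.appendChild(span);
  return span;
}

// Stand-alone run (use document.createElement.bind(document) in a visual).
const demoRoot = new FakeElement("div");
const demoSpan = renderLabelSafe(demoRoot, "<b>Sales</b>", "primary",
  (tag) => new FakeElement(tag));
console.log(demoSpan.textContent, demoSpan.attributes.style);
```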
Examples of how to use D3 in a custom visual can be found at the following location: