Dynamics 365 portals: JavaScript as Web Files

With a lot of the previous posts about liquid there has been a lot of JavaScript involved as well. We have referenced JavaScript libraries on CDN’s (Content Distribution Networks) as well as wrote JavaScript inline in Web Templates. You may not want to use CDN’s and even package your own JavaScript into minified files so that they can easily be reused elsewhere. Out of the box Dynamics 365 portals is blocked from uploading JavaScript files as Web Files, but we can makes some changes to allow JavaScript files to be allowed as Web Files.

If you sign-in to the Dynamics 365 portal as an administrator and create a new child file with a .js file as the attachment it will seem that it will work as expected but when you browse to that new web file URL you will be presented with a blank screen. If you look at your browser tools you may notice that the portal actually returned a HTTP 404 (File Not Found) error. But in this case it does not redirect you to the standard Page Not Found portal page. So what happened? The portal seems to know the URL (or route) of the file I uploaded but isn’t showing any of the content. If you navigate to the back-end CRM and go to the Portals > Web Files entity, you will notice your Web File is infact there, but when you open it you may notice its missing your Note record with an attachment.

Web Files utilize notes (annotations) to store the actual file that will be surfaced with the Web File. If you try now creating a note with your attachment the issue will be revealed that the attachment was blocked due to “the attachment is not a valid file type”.

The standard Dynamics 365 configuration is set to block all file attachments with the file extension .js. This is due to security concerns that the JavaScript could be used to execute code within your CRM that causes unsafe actions or potentially even remotely accesses other services, all depending on the JavaScript code. The JavaScript code you likely want to use with the portal though is not a security risk to the CRM but we do need to be cautious as to not create a security hole for all the other CRM users.

First let’s change the allowed file types for CRM so that we can upload a JavaScript file. Navigate in CRM to Settings > Administration, then select System Settings. On the General tab find the Set blocked file extensions for attachments and within this long list locate js and remove it and the trialing semi-colon. Select OK to save the System Settings.

Now if you navigate back to Portals > Web Files, locate your previously created Web File without the note attachment and now try creating a note with an attached JavaScript file it will successfully create the note. If you now navigate on the portal to the Web File URL you should either see the JS content or the browser will prompt you to download the JS file. If you also now try to create a new Web File from the front-side editor tools in the portal this will also now operate as expected.

You can now reference this JavaScript Web File like any other JavaScript file in your Web Templates or elsewhere.

<script src="/path/name-of-file.js"></script>

Once you have uploaded your JavaScript files being your own JavaScript or libraries like chart.js or fullcalendar.js or the many other libraries, you should revert the System Settings to again block the .js file type to remove any security risk of your end users accidentally uploading malicious JavaScript code. Just navigate to Settings > Administration, open System Settings and within the Set blocked file extensions for attachments, add back the js extension with a semi-colon if not the last item.

2 thoughts on “Dynamics 365 portals: JavaScript as Web Files”

  1. This is great thanks.

    Do you have any insight into surfacing the Notes > Attachments that you can associate in the Knowledge Article timeline inside Engagement Hub with the portal KB template? We need to find a way to add attachments to KB articles on the portal….It’s a big blocker for many implementations.

    As the Article template doesn’t use an entity form, there’s no way to add a timeline view and add annotations permissions to expose the Notes and attachments.

    Any help would be MUCH appreciated.

    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *