Excel Send to Trello

Well, that was fast. My latest add-in is published. Excel Send to Trello.

As per my previous post, the thing I found most interesting was how the Excel full client seems to fail if you configure your server .htaccess file to prevent caching. Well, I found out that my Outlook Send to Trello add-in actually had the same problem too. The Outlook client just happened to refresh this morning and my icon disappeared there as well. In Office Online it seems to work, but in the full client you cannot seem to force the client to NOT cache. I see my files all pulled down locally in the Wef folder, and my concern is that when I update the add-in it will not go get the latest every time… I have actually seen and beaten my head over this problem a few times. But for anyone working on a BETA site, for example, making changes and then all of a sudden finding the full client stops refreshing your updates, this is a good article to keep handy.

But when Wef strikes in production, I have found customers are not so excited to blow away this folder and find that all their add-ins, preferences, stored cached credentials and other goodies for each and every add-in are gone. Ergo why I added the no-cache to the .htaccess. Oh well. 🙁

Also, just to share something else as I am delving more and more into publishing add-ins for real. As an Office Developer in the traditional sense (aka boomer 😛, VBA/VSTO/COM), there are aspects of living in an HTML web world that I am still learning (although this is an old one, it comes up now and again because I forget something).

You have to worry about various attack vectors and sanitizing HTML strings. There are LOTS of libraries and solutions out there, and Mozilla has even documented a proposed standard supported in several browsers, but not all. It is a tricky thing because some sanitizers do too much or not enough, and then you also rely on a dependency, which has now burned me more often than just owning things that might be a hundred lines of code in my own common library of goodies.

So, I have created my own based on various library implementations, and found the best option is to escape most of the stuff you find “injected” rather than remove it.

class Sanitizer { // wrapper class added so the static method below runs as written
  /**
   * Sanitizes the string for possible malicious values.
   * Deny-list approach: known-dangerous fragments are removed or entity-escaped
   * in place; tag names not listed here pass through unchanged.
   * @param {String} string
   * @returns {String}
   */
  static sanitizeString = (string) => {
    try {
      // Remove URL-scheme and event-handler fragments outright
      string = string.replace(/(javascript:|onerror)/gi, "");
      // Drop the literal "undefined" that leaks from unset fields
      string = string.replace(/undefined/gi, "");
      // Escape the opening bracket of tags that can run code or load content
      string = string.replace(/<script/gi, "&lt;script");
      string = string.replace(/<iframe/gi, "&lt;iframe");
      string = string.replace(/<object/gi, "&lt;object");
      string = string.replace(/<embed/gi, "&lt;embed");
      string = string.replace(/<applet/gi, "&lt;applet");
      string = string.replace(/<form/gi, "&lt;form");
      string = string.replace(/<meta/gi, "&lt;meta");
      string = string.replace(/<link/gi, "&lt;link");
      string = string.replace(/<a\s/gi, "&lt;a ");
      string = string.replace(/<img\s/gi, "&lt;img ");
      // Break attribute assignments: encode "=" and the quote that follows it
      string = string.replace(/="/gi, "&#x3D;&#x22;"); // was &#39; (an apostrophe), which did not encode the double quote
      string = string.replace(/='/gi, "&#x3D;&#39;");
      string = string.replace(/=`/gi, "&#x3D;&#x60;");
      // Escape self-closing tag terminators
      string = string.replace(/\/>/gi, "&#x2F;&gt;");
      return string;
    } catch (e) {
      // string.replace throws when the input is not a string (e.g. null)
      return `[[SANITIZED STRING MALFORMED: ${e}]]`;
    }
  };
}

The important thing is that in the web world, anytime you take data from one service to another, or take input in a field, or grab input from some element on a page and insert it back into another element in your code, there is a hack waiting to happen if you do not sanitize.
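The alternative to deny-listing tag names is to escape by output context: entity-encode everything that can change HTML structure in text and attribute values, and allow-list the URL scheme for anything that lands in an href. This is an added example and not the add-in's code; the function names and the sample worksheet rows are assumptions constructed here.

```javascript
// Added example, not the add-in's own code: escape per output context
// (text, attribute, URL) instead of deny-listing tag names.
// Function names and the sample rows below are assumptions/constructed.

// Text and attribute-value context: encode the five characters that can
// change HTML structure, so any tag, listed or not, becomes inert text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context: entity escaping leaves a javascript: href functional, so
// parse the URL and allow-list the scheme rather than searching for a string.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function safeUrl(value) {
  try {
    const url = new URL(String(value).trim());
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null; // relative or unparseable input is rejected
  }
}

// One card link from untrusted cell values; falls back to plain text when
// the URL is rejected, rather than emitting a broken or scripted anchor.
function renderCardLink(title, href) {
  const text = escapeHtml(title);
  const url = safeUrl(href);
  if (url === null) return `<span>${text}</span>`;
  return `<a href="${escapeHtml(url)}" rel="noopener noreferrer" target="_blank">${text}</a>`;
}

// Constructed sample rows standing in for values read from a worksheet.
const SAMPLE_ROWS = [
  { title: "Q3 <Budget> & Plan", link: "https://trello.com/c/abc?x=1&y=2" },
  { title: "Notes 'draft'", link: "javascript:void(0)" },
  { title: "Unset", link: "not a url" },
];

function renderRows(rows) {
  return rows.map((r) => renderCardLink(r.title, r.link));
}

console.log(renderRows(SAMPLE_ROWS).join("\n"));
```

Because the escaping is applied to every character in the class rather than to a list of tag names, there is no tag to forget; the only policy decision left is which URL schemes the add-in accepts.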

3 thoughts on “Excel Send to Trello”

    1. I came across it before in posts trying to find answers. I shunned it and most NPM libraries in the past because I have had things pulled from stores for using libraries that were or had dependencies that were flagged for security vulns. One problem with node_modules I guess. I like to write code, and move on until I want to come back to it… I want to own it, not it own me. But the more code I put out there, the more my projects own me and my time (to keep them up to date, deal with bugs and… vulns).

      But DOMPurify looks promising… especially since I can link to a CDN externally – all the better (not embedded in webpack). So, I like that. It looks fully configurable too. I will check it out.

      Thanks!
