Sanitizing input with Flow

Sanitizing input from users can be really important when creating or updating sites. In a recent scenario I had to create some sort of self-service site creation with a form of approval. I resorted to Flow to handle the approval and notify and send out reminders to make sure the business process was aligned. I used the PnP provisioning framework and Mavention Make to then process the request and create the actual site based on the required template. However, when we started testing it turned out that without sanitizing the user input there were some weird cases.

Some characters are more special than others

When you create a new Site Collection or Group, some characters are not allowed. In the new UI, some of these characters are rejected, others are accepted but stripped out of the e-mail alias and URL, and a few are accepted as-is. For instance, if you create a group you will quickly find out that the / is not allowed in a Site name.

Unavailable characters in groups

Yet when you create a communication site you will see that the / is allowed as a Site name 

Unavailable characters in groups

Now for a developer this does somehow make sense, as the group creates an e-mail alias (something that does not like a slash), but it does feel confusing. For an end-user creating sites through a request form that might service both, it definitely does not make sense.

Different ways of handling special characters

Now when you create a group or site based on this behavior, imagine the following scenario. I request a site called The Big +. This site gets approved and created as an O365 group. The site name contains the plus, but the alias and URL do not, as it is stripped out.

Site creation form 

Keep in mind that your original request logs the original site name for future use. Now if you ever want to update the permissions in the group, you will quickly find out that the groups that were created also do not have the plus sign. Instead of stripping out the plus like the e-mail alias does, the SharePoint groups that get created replace the plus sign with an underscore:

SharePoint Group settings

So now you have two different ways your special characters get handled.

In addition, when a user requests a group or site and adds a space at the end of the title, it gets trimmed nicely from the alias, the URL and the title. However, you have a space in the initial Group Name, and thus retrieving the group based on that name will not return any matches.

Sanitizing input with Flow

Obviously this is not new behavior and there are countless blogs explaining why you should sanitize your users' input. Luckily for us it is really easy, as we are already using Flow. Just create a new parameter of type string to store the Sanitized Value. In our case we will make sure the title of the site request is sanitized.

Flow step 1: Create new variable 

The second step would be to define all the characters that we want to strip out so we end up with a string that can be processed accordingly. Storing these characters can be done by adding a new array so we can process them easily. A new array can be created using the following snippet:

createArray('&','_',',','.',';',':','/','"','"','!','@','$','%','^','+','=','\','|','<','>','{','}','#','~','*','?')

Flow step 2: Sanitizing input character array

When you have the array in place, the next step is to loop through it with an Apply to each that uses the output of replacableCharacters. Inside the loop, the first step is to use the replace function to replace the character with the value of your choice. I ended up just replacing with an empty value, but you are free to replace with an underscore or another value. Use the following snippet in a ‘Compose’ step.

replace(variables('sitetitleSanitized'),item(),'')

Next, compare the Output of the new Compose action with the sitetitleSanitized variable. If they do not match, the character was replaced, so set the sitetitleSanitized variable to the output of the Compose (and thus apply the change to the parameter).

Flow step 3: Sanitizing input by replacing values
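
The three Flow steps above, ported to Python as an added example (not part of the original post or the author's Flow definition). It also shows that stripping the plus from "The Big +" leaves the trailing space described earlier; the function names, the whitespace normalisation and the empty-title check are assumptions added here.

```python
# Added example: Python port of the Flow loop above, not the author's Flow definition.
# Same characters as the createArray() expression on the page (the duplicate '"' listed once).
REPLACEABLE_CHARACTERS = [
    '&', '_', ',', '.', ';', ':', '/', '"', '!', '@', '$', '%', '^',
    '+', '=', '\\', '|', '<', '>', '{', '}', '#', '~', '*', '?',
]


def strip_characters(title: str, replacement: str = "") -> str:
    """Mirror of the 'Apply to each' loop: one replace() per listed character."""
    sanitized = title
    for character in REPLACEABLE_CHARACTERS:
        candidate = sanitized.replace(character, replacement)  # the Compose step
        if candidate != sanitized:                              # the comparison
            sanitized = candidate                               # set the variable
    return sanitized


def sanitize_site_title(title: str, replacement: str = "") -> str:
    """Strip the listed characters, then normalise whitespace (assumed extra step)."""
    stripped = strip_characters(title, replacement)
    # Removing a character can leave a trailing or doubled space behind,
    # which is the trailing-space lookup problem described earlier on the page.
    normalised = " ".join(stripped.split())
    if not normalised:
        raise ValueError("title contains no usable characters after sanitizing")
    return normalised


if __name__ == "__main__":
    # Constructed sample titles, including the page's "The Big +" request.
    for sample in ["The Big +", "Sales / Marketing", "Project X ", "R&D: 2019?"]:
        print(repr(sample), "->", repr(strip_characters(sample)),
              "->", repr(sanitize_site_title(sample)))
```

In Flow itself, wrapping the final value in the trim() expression removes the leading and trailing spaces that the character loop leaves behind.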

Once you have looped through each special character, you can be sure that all these special characters are replaced with the value of your choosing. By doing so you make sure that you won’t have inconsistent behavior in your site creation process. So another day another Flow to the rescue!