Sanitize HTML Input Before Dataverse Save
When user-submitted HTML content lands in Dataverse, strip the tags via Content Conversion and store the plain text alongside it, reducing stored XSS exposure and keeping the data clean.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
Sanitize HTML Input Before Dataverse Save is a security-focused flow that watches a Dataverse table for new rows containing user-submitted HTML, strips all HTML tags with the Content Conversion connector, writes the resulting plain text to a separate sanitized column on the same row, and sends a notification email whenever the conversion changed the content. Two points matter for the security claim. First, the Dataverse "When a row is added" trigger fires after the row has been committed, so the raw HTML is stored in the source column from the moment of creation and stays there; consuming apps must read the sanitized column (or the flow must be extended to overwrite or clear the source column) for the protection to hold. Second, the output is plain text, not safe HTML: HtmlToText decodes entities, so input such as &lt;script&gt; comes out as the literal characters <script>. That is harmless when the column is rendered as text, but any consumer that injects the sanitized column into HTML must still encode it on output. Within those limits the flow reduces stored XSS exposure and keeps data clean across any Dataverse-backed application.
Use Case
Any organization collecting rich text or HTML input from users — via Power Apps portals, custom forms, or third-party integrations — risks storing malicious scripts or broken markup in Dataverse. This flow acts as an automated sanitization layer: every new record is checked, cleaned, and logged without manual intervention. IT admins and developers can deploy it against any table simply by updating four environment variables.
Flow Architecture
When a Row Is Added to HTML Content Table
Dataverse — When a row is added (webhook trigger): fires whenever a new row is created in the table specified by the flowlibs_DataverseTableName environment variable. Uses scope = Organization, so rows created by any user fire the flow.
Initialize Variable – Table Name
Initialize variable: stores the Dataverse table name from the env var in varTableName for use in dynamic expressions.
Initialize Variable – HTML Source Column
Initialize variable: stores the source column logical name from the env var in varHTMLSourceColumn.
Initialize Variable – Sanitized Output Column
Initialize variable: stores the output column logical name from the env var in varSanitizedOutputColumn.
Initialize Variable – Notification Email
Initialize variable: stores the admin notification email address from the env var in varNotificationEmail.
Compose – Extract Raw HTML Content
Compose: reads the trigger output with triggerOutputs()?['body']?[variables('varHTMLSourceColumn')] to extract the raw HTML from whichever column the env var names.
Convert HTML to Plain Text
Content Conversion — HtmlToText: passes the raw HTML through the HtmlToText operation, which strips all tags, decodes entities, and returns plain text.
Compose – Sanitized Text Output
Compose: captures the plain-text result of the conversion step.
Check If Content Was Modified
If condition: compares the raw HTML with the converted text (EXPR.04). When the two are identical the input contained no markup and the flow ends without writing or emailing. When they differ, the flow writes the plain text to the column named by varSanitizedOutputColumn with Update a row and sends the notification email to varNotificationEmail.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_DataverseTableName | String | cr649_htmlcontentsubmissions | Logical name of the Dataverse table to monitor for new HTML-containing rows. |
| flowlibs_HTMLSourceColumn | String | cr649_htmlcontent | Column containing raw HTML input from users. |
| flowlibs_SanitizedOutputColumn | String | cr649_sanitizedcontent | Column to write the sanitized plain text output. |
| flowlibs_NotificationEmail | String | alerts@yourcompany.com | Email address notified when content is sanitized. Set this to the admin or distribution list that should receive audit alerts. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Dataverse | shared_commondataserviceforapps | When a row is added (webhook trigger, scope = Organization); Update a row |
| Content Conversion | shared_conversionservice | HtmlToText |
| Office 365 Outlook | shared_office365 | Send an email (V2) (notification email) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Import the solution
- Import the FlowLibsSanitizeHTMLInputDemo solution into the target environment.
- Update the four environment variables
- Set Dataverse Table Name, HTML Source Column, Sanitized Output Column, and Notification Email to match your target table schema and the admin or alias that should receive sanitization audit emails.
- Configure connection references
- Map each connector — Microsoft Dataverse, Content Conversion, and Office 365 Outlook — to valid connections in the target environment.
- Turn on the flow
- Change the flow state from Stopped to On. No hardcoded identifiers exist in the flow; everything is parameterized through environment variables, so it is fully portable.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the dynamic column lookup on the trigger body and the primary-key name concatenation. They are listed below in the order they appear in the flow.
EXPR.01 Dynamic column access
Reads the HTML content from whichever column the env var specifies, so the flow works against any table without code changes.
EXPR.02 Dynamic record ID
Constructs the primary key column name dynamically (e.g., cr649_htmlcontentsubmissionsid) from the table-name env var. Check this against your table's metadata before going live: the Dataverse trigger and Update a row actions take the entity set name (usually the plural form, as in the default value), while the primary key column is the table's logical name plus id, which for a table whose logical name is the singular cr649_htmlcontentsubmission would be cr649_htmlcontentsubmissionid. If the two diverge, the Update a row action cannot resolve the row.
EXPR.03 Dynamic column update key
Used in the Update a row action to write to the correct output column dynamically via an expression-based parameter key.
EXPR.04 Content comparison (condition)
If the raw HTML equals the sanitized output, no tags were present and no update is needed. This is an exact string comparison, so any change the converter makes counts as a modification, including decoding entities or normalising whitespace in input that contained no tags; such rows are updated and generate a notification email as well.
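The conversion and comparison stages (Convert HTML to Plain Text, Check If Content Was Modified, and EXPR.01/03/04 above) can be modelled offline. The following is an added example written for this page, not code from the flow or from Microsoft's Content Conversion connector: it approximates HtmlToText with Python's html.parser (tag stripping plus entity decoding; the real connector's whitespace handling is an assumption), applies the dynamic column read and write and the equality check, and shows why the stored value still needs output encoding. The column names are the default environment variable values; the sample rows are constructed, and render_for_html is a hypothetical consumer-side helper.

```python
import html
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects text nodes only; tags and attributes are discarded."""

    def __init__(self) -> None:
        # convert_charrefs=True decodes entities such as &lt; and &#60; inside
        # text nodes, mirroring the "decodes entities" behaviour the page
        # ascribes to HtmlToText. The decoded text is NOT re-parsed as markup.
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def html_to_text(raw: str) -> str:
    """Local stand-in for the Content Conversion HtmlToText action.

    Assumption: strip every tag, decode entities, collapse runs of whitespace.
    """
    parser = _TextExtractor()
    parser.feed(raw)
    parser.close()
    return " ".join("".join(parser.parts).split())


def sanitize_record(record: dict, source_col: str, output_col: str) -> tuple[dict, bool]:
    """Model of the flow body for one Dataverse row.

    source_col / output_col play the role of varHTMLSourceColumn and
    varSanitizedOutputColumn (EXPR.01 / EXPR.03). Returns the row as the
    Update a row action would leave it plus the EXPR.04 'modified' flag that
    gates both the update and the notification email.
    """
    raw = record.get(source_col) or ""
    text = html_to_text(raw)
    if text == raw:  # EXPR.04: nothing stripped or decoded, skip update and email
        return record, False
    updated = dict(record)
    updated[output_col] = text
    # The raw HTML in source_col is left untouched, exactly as in the flow.
    return updated, True


def render_for_html(text: str) -> str:
    """Hypothetical consumer-side step, not part of the flow.

    The sanitized column is plain text, and because entities were decoded it
    may contain literal '<' and '>'. A page that injects it into HTML must
    encode it; this step is what keeps the stored value from becoming XSS.
    """
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample rows using the page's default column names.
    SRC, OUT = "cr649_htmlcontent", "cr649_sanitizedcontent"
    samples = [
        {SRC: "<b>Hello</b> <script>alert(1)</script>"},  # tags present
        {SRC: "Just text"},                               # no markup: no update, no email
        {SRC: "&lt;img src=x onerror=alert(1)&gt;"},     # entity-encoded payload
    ]
    for row in samples:
        updated, changed = sanitize_record(row, SRC, OUT)
        print(f"modified={changed!s:5} sanitized={updated.get(OUT)!r}")
        if changed:
            print("   encoded for HTML:", render_for_html(updated[OUT]))
```

The third sample is the case to watch: the input contains no tags, yet after entity decoding the "sanitized" column holds a real <img ... onerror=...> string. The flow correctly flags it as modified and emails the admin, but the value is only safe as long as every consumer treats that column as text or encodes it the way render_for_html does.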