This field is required.
Only these extensions are allowed(.jpg, .JPG, .jpeg, .JPEG, .gif, .GIF, .png, .PNG)
Tags cannot contain the characters ' /, \\, #, ?, or ; >,< '
Only these extensions are allowed(.zip,.ZIP,.pdf,.PDF,.qvf,.QVF,.qvw,.QVW)
Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team
A document sheet can have buttons, which in turn can have associated Actions.
These Actions can be of several types, but there are two in particular which have been disabled in the Internet Explorer Plugin due to security concerns:
See QV-20715: Remote Code Execution RCE. QvPlugin IE for QCS
To benefit from the security fixes the Internet Explorer plugin need to be updated.
After an update, the disabled features can be re-enabled (not recommended). Environment:
QlikView April 2020 12.50 SR1QlikView April 2019 12.40 SR4QlikView November 2018 12.30 SR5QlikView November 2017 12.20 SR11QlikView 11.20 SR21
A new switch has been added to re-enable these functionalities. Please, consider that this is a security risk. The setting needs to be changed on each individual Internet Explorer Plugin installation.
Is there any other option to get this functionality back (starting a external program) without the setting mentioned in this post (but with security hints for the user for example)?
Kind regardsPeter Hübschen
Once the Plugin and/or Desktop have been upgraded with the fix, regaining the functionality will require the documented workaround.
Hello @Sonja_Bauernfeind ,
I've encountered another problem with this patch. We're using a straight table chart in all of our dashboards to link to the dashboard documentations, which are hosted on a (internal) wiki-site. This doesn't work anymore.
It's not button related but I think in the background the same procedure is called. I think it would be useful if this information was provided too.
But I think Qlik should reconsider this patch, because useful use cases are broken - in my opinion.
"meta_Doku_Link" is like "<url>http://..."
@Sonja_Bauernfeind Could you detail what are the "security risks" of including a controlled link in a QlikView panel? It is a basic feature that any program should support, please detail.
Hello @glacoste ,
after all what I've read and what the fix does whose provided by Qlik, I think the security risk is a global one.
I think the set-up is something like this:If you open a QlikView-dashboard from a foreign site with Internet Explorer in plugin-mode, there could be a link to a website with malware or behind a button is a execution of a malware program, to gain access to your local system. ActiveX and Internet Explorer was never a truly secure combination.
It's too bad that Qlik simply cut off this functionality. I would find it better if you could define secure site-addresses where this functionality is still working (like a intranet-sites) and if a site is not on this list there would be a warning message, that this functionality is not availaible or something.
@glacoste @peterwh summarized this nicely! I checked with our Product Team to confirm 🙂
As for the functionality having been switched off and the suggestion that you raised, @peterwh: These are great suggestions! I'd recommend that you hop over to our Ideas forum and leave this feedback there as an idea/Feature Request. This will help our developers understand use cases and highlights your needs as a customer.
I just checked with the latest QV12.50SR2 Release and hyperlinks in tables are disabled.
Here a screenshot how an enduser can change it back to the old behavior manually.
but if you do that the security fix is disabled! As I said it's bad that all hyperlinks are disabled, if you want to use the security fix.
@peterwh : Totally agree. But I can't change the current release. Therefore I posted the screenshot - may it help some enduser. At least you don't have to edit it manually in some settings.ini