DashHub External content

The external content tile in DashHub allows you to embed images, videos, or content from external tools and websites such as Power BI, Tableau, PI Vision, P&IDs, 3D CAD models, and more into dashboards.

As a system administrator, you can control which external content is allowed to be embedded through the External Content configuration page in External Content. From this page, you can define and manage the list of allowed domains that DashHub users can use in external content tiles.

Validation rules for allowed domains

Domain

  • Wildcards are supported only for subdomains, not for the top-level domain (TLD) or root domain.

    • Allowed: https://*.trendminer.com/

    • Not allowed: https://trendminer.*/

  • The wildcard must appear at the beginning of the domain and be followed by a dot. For example, *.example.com is valid, but *example.com is rejected. This ensures the wildcard cannot create broader matches than intended.

Path restrictions

  • You can restrict embedding to a specific path within a domain.

    • https://trendminer.com/policies/* allows all URLs within the /policies path.

    • https://trendminer.com/policies*/ is not allowed because wildcards are only supported at the end of the path, not within it.

Specific page restrictions

  • You can restrict embedding to a single, specific page.

    • https://trendminer.com/policies/privacypolicy.html allows only the defined page.

    • https://trendminer.com/policies/privacypoli*.html is not allowed because wildcards cannot be used in specific page definitions.

Query parameters

  • When you whitelist a domain or path, URLs with query parameters are also supported.

    For example, if https://example.com/videos is allowed, then https://example.com/videos?id=123 will also be allowed.

    This means you do not need to whitelist every possible variation of query parameters individually.
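
The rules above, written out as an entry validator and URL matcher. This is an added example, not DashHub's own code: the function names parseEntry and isAllowed are hypothetical, and it assumes that a trailing /* is the only accepted path wildcard, that a domain-only entry allows every path on that host, and that *.example.com does not match example.com itself.

```javascript
// Added example (not product code). Assumptions are marked in the comments.
const LABEL = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;

function parseEntry(entry) {
  const m = /^(https?):\/\/([^\/?#]+)(\/[^?#]*)?$/i.exec(entry);
  if (!m) return { error: "not an http(s) URL pattern" };
  let host = m[2].toLowerCase();
  const path = m[3] || "/";
  const wildcardHost = host.startsWith("*.");
  if (wildcardHost) host = host.slice(2);
  // Any "*" still present is mid-label, in the root domain or in the TLD.
  const labels = host.split(".");
  if (!labels.every((l) => LABEL.test(l))) return { error: "invalid host or wildcard position" };
  // Assumption: "*.com" counts as a wildcard over root domains, so require two labels.
  if (wildcardHost && labels.length < 2) return { error: "wildcard covers root domain" };
  // Assumption: the only accepted path wildcard is a final "/*" segment.
  const wildcardPath = path.endsWith("/*");
  const base = wildcardPath ? path.slice(0, -1) : path;
  if (base.includes("*")) return { error: "wildcard only allowed as trailing /*" };
  return { scheme: m[1].toLowerCase(), host, wildcardHost, base, wildcardPath };
}

function isAllowed(url, entry) {
  const rule = parseEntry(entry);
  if (rule.error) return false; // invalid entries never match
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== rule.scheme + ":" || u.username || u.password) return false;
  // u.host includes a non-default port, so such URLs do not match.
  const hostOk = rule.wildcardHost ? u.host.endsWith("." + rule.host) : u.host === rule.host;
  if (!hostOk) return false;
  if (rule.base === "/") return true; // domain-only entry
  // u.pathname is normalised and excludes the query string.
  return rule.wildcardPath ? u.pathname.startsWith(rule.base) : u.pathname === rule.base;
}

// Constructed sample entries taken from the rules above.
for (const e of ["https://*.trendminer.com/", "https://trendminer.*/", "https://trendminer.com/policies*/"])
  console.log(e, "->", parseEntry(e).error || "valid");
```

Because the suffix match includes the leading dot, a host such as eviltrendminer.com does not match *.trendminer.com, and a path such as /policies/../admin is normalised before it is compared.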

Warning

To improve security and prevent misuse of external content configurations, additional validation rules have been introduced for allowed domains in External Content. These changes address potential vulnerabilities identified during a security penetration test and ensure that only properly defined, secure URLs can be used for embedding external content in DashHub.

If any existing domain entries do not comply with the new validation rules, a warning banner appears at the top of the External Content configuration page.

This banner indicates that one or more of the configured domains include patterns or formats that are no longer permitted. These entries remain visible in the list but are considered invalid until corrected.

How to fix invalid entries

  1. Review each invalid domain entry in External content.

  2. Open the entry and update the domain or path so that it complies with the current validation rules.

  3. Save the corrected entry. Once all invalid domains have been fixed or removed, the warning banner disappears automatically.

Why this change was made

This functionality was introduced as a security enhancement following a penetration test. The previous domain validation allowed wildcard and pattern combinations that could be subverted to embed content from unintended or unsafe domains.

By enforcing stricter validation and introducing clear error feedback, DashHub now ensures that only trusted and explicitly defined sources can be used for external content.

Dashboard edit mode

When editing a dashboard, the External URL field in the external content tile checks that the entered URL follows the required validation rules. If the URL is invalid, an error message appears, and the tile cannot be saved until it is corrected.