Suitelets and UI Object Best Practices

The following are best practices for Suitelet development using UI objects and custom UI.

General

  • Suitelets are ideal for generating NetSuite pages (forms, lists), returning data (XML, text), and redirecting requests.

  • Limit the number of UI objects on a page: fewer than 100 rows for sublists, fewer than 100 options for on-demand select fields, and fewer than 200 rows for lists.

HTML

  • Try inline HTML fields embedded on a standard form before building a full custom HTML page.

  • Use Subresource Integrity when you include content from external sources in Inline HTML fields. For more information, see Subresource Integrity.

iFrames

User credentials

  • When building a custom UI outside of the standard NetSuite UI (such as building a custom mobile page using Suitelet), use the N/auth Module and N/crypto Module to help users manage their credentials within the custom UI.

Calling a Suitelet and redirection

  • When calling a Suitelet using its external URL, encode the parameter values to avoid cross-site scripting: percent-encode each value when you build the URL, and convert the appropriate characters to HTML entities before the Suitelet writes a parameter back into its page.

  • To access or redirect to a Suitelet from another script, discover its URL with url.resolveScript(options) (or url.resolveDomain(options) when you only need the account-specific domain) instead of hard-coding the URL.
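
The two points above, as an added example that is not part of the NetSuite page: a Node.js script that builds a Suitelet external URL with percent-encoded parameters, shows what the receiving Suitelet gets back after decoding, and contrasts reflecting a parameter verbatim with HTML-escaping it at output. The base URL is a placeholder standing in for what url.resolveScript would return, the parameter values are constructed, and the rendering functions stand in for the part of a Suitelet that writes into an Inline HTML field or a custom page.

```javascript
// Added example (not from the NetSuite page): percent-encode parameters when
// building a Suitelet URL, and HTML-encode them when the Suitelet echoes them
// back. Runs offline with Node.js.

// Placeholder external Suitelet URL. In SuiteScript, obtain the real one with
// url.resolveScript({ scriptId, deploymentId, returnExternalUrl: true })
// instead of hard-coding it; the shape below is illustrative only.
const SUITELET_URL = 'https://example.extforms.netsuite.com/app/site/hosting/scriptlet.nl';

// Build the URL with every parameter value percent-encoded, so that &, =, <
// and quotes inside a value cannot split the query string or reach the page
// unencoded.
function buildSuiteletUrl(baseUrl, params) {
  const u = new URL(baseUrl);
  for (const [key, value] of Object.entries(params)) {
    u.searchParams.set(key, String(value));
  }
  return u.toString();
}

// What the receiving Suitelet sees in context.request.parameters: the decoded
// original values. Decoding restores the hostile characters, which is why
// encoding for the URL is not a substitute for encoding at output.
function parseSuiteletParams(href) {
  return Object.fromEntries(new URL(href).searchParams.entries());
}

// Convert the characters that change meaning in HTML text and attribute
// values to entities. Apply exactly once, at the point of output.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reflecting a parameter verbatim: the injected markup is executed by the browser.
function renderUnsafe(name) {
  return `<h1>Hello ${name}</h1>`;
}

// Reflecting it escaped: the same input is displayed as text.
function renderSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Constructed hostile value: closes the heading and injects a script element.
const HOSTILE_NAME = '</h1><script>alert(document.domain)</script>';

const demoHref = buildSuiteletUrl(SUITELET_URL, { script: 123, deploy: 1, name: HOSTILE_NAME });
const received = parseSuiteletParams(demoHref);
console.log(demoHref);
console.log('unsafe:', renderUnsafe(received.name));
console.log('safe:  ', renderSafe(received.name));
```

Escape once, at output: a value that is HTML-escaped before being placed in the URL and again when rendered ends up displayed as `&amp;lt;`, so keep the URL layer percent-encoding only and do the entity conversion where the Suitelet writes the value into the response.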

Advanced Employee Permissions

  • When the Advanced Employee Permissions feature is enabled, keep the following in mind:

    • To avoid inadvertently exposing employee data, use caution when running Suitelets or Restlets as an administrator. A user with a role that has limited access to the employee record can access a Suitelet or Restlet that runs as an administrator. Depending on how the Suitelet or Restlet is written, the user may have access to employee information that they would otherwise not see.

    • Use caution when deploying Suitelets and Restlets so that users can access them without logging in, since this can expose employee information in uncontrolled ways.

Deployment

  • Deploy Suitelets as “Available without Login” only if necessary: such deployments run without a user context and add login performance overhead. (See Setting Available Without Login.)
