Suitelets and UI Object Best Practices

General

• Suitelets are ideal for generating NetSuite pages (forms, lists), returning data (XML, text), and redirecting requests.

• Limit the number of UI objects on a page (< 100 rows for sublists, < 100 options for on demand select fields, < 200 rows for lists).

HTML

• Experiment with inline HTML fields embedded on the form before going the full custom HTML page route.

iFrames

• Append “ifrmcntnr=T” to the external URL when embedding in iFrame especially if you are using Firefox. (For more about NetSuite and iFrame, see Embedding an Online Form in your Website Page.)

User credentials

• When building custom UI outside of the standard NetSuite UI (such as building a custom mobile page using Suitelet), use the N/auth Module and N/crypto Module to help users manage their credentials within the custom UI.

Calling a Suitelet and redirection

• When calling a Suitelet using its external URL, properly escape the parameter values to avoid cross-site scripting injections, for example, by converting the appropriate characters to HTML entities.

• For access or redirection from another script to a Suitelet, the best practice is to use url.resolveDomain(options) to discover the URL instead of hard-coding the URL.

Advanced Employee Permissions

• When the Advanced Employee Permissions feature is enabled keep the following in mind:

  • To avoid inadvertently exposing employee data, use caution when running Suitelets or Restlets as an administrator. A user with a role that has limited access to the employee record can access a Suitelet or Restlet that runs as an administrator. Depending on how the Suitelet or Restlet is written, the user may have access to employee information that they would otherwise not see.

  • Use caution when setting up Suitelets and Restlets to give access to users without having to log in since it could potentially expose employee information in uncontrolled ways.

Deployment

• Deploy Suitelets as “Available without Login” only if necessary (no user context, login performance overhead). (See Setting Available Without Login.)