Suitelets and UI Object Best Practices

The following are best practices for Suitelet development using UI objects and custom UI.

General

Suitelets are ideal for generating NetSuite pages (forms, lists), returning data (XML, text), and redirecting requests.
Limit the number of UI objects on a page (< 100 rows for sublists, < 100 options for on demand select fields, < 200 rows for lists).

HTML

Experiment with inline HTML fields embedded on the form before going the full custom HTML page route.

iFrames

Append “ifrmcntnr=T” to the external URL when embedding in iFrame especially if you are using Firefox. (For more about NetSuite and iFrame, see Embedding an Online Form in your Website Page.)

User credentials

When building custom UI outside of the standard NetSuite UI (such as building a custom mobile page using Suitelet), use the N/auth Module and N/crypto Module to help users manage their credentials within the custom UI.

Calling a Suitelet and redirection

When calling a Suitelet using its external URL, properly escape the parameter values to avoid cross-site scripting injections, for example, by converting the appropriate characters to HTML entities.
For access or redirection from another script to a Suitelet, the best practice is to use url.resolveDomain(options) to discover the URL instead of hard- coding the URL.

Advanced Employee Permissions

When the Advanced Employee Permissions feature is enabled keep the following in mind:
- To avoid inadvertently exposing employee data, use caution when running Suitelets or Restlets as an administrator. A user with a role that has limited access to the employee record can access a Suitelet or Restlet that runs as an administrator. Depending on how the Suitelet or Restlet is written, the user may have access to employee information that they would otherwise not see.
- Use caution when setting up Suitelets and Restlets to give access to users without having to log in since it could potentially expose employee information in uncontrolled ways.

Deployment

Deploy Suitelets as “Available without Login” only if necessary (no user context, login performance overhead). (See Setting Available Without Login.)