Securing Documents and HTML Pages Against Cross Scripting Attacks

Software AG Products 10.7 | Integrating On-Premises and Cloud Applications | DSPs and building output templates | Using Output Templates to Format Service Output | Securing Pages and Documents Created from Output Templates | Securing Documents and HTML Pages Against Cross Scripting Attacks

If you use the %value Variable% tag in output templates, the output from the tag in the resulting documents or HTML pages created from the output templates might be vulnerable to cross site scripting (XSS) attacks. To prevent these cross site scripting attacks, set the watt.core.template.enableFilterHtml parameter to true (the default). When this parameter is true, the output from a %value Variable% tag, including XML and JavaScript, is HTML encoded.

When the watt.core.template.enableFilterHtml parameter is set to true, if you do not want Integration Server to HTML encode the output from a %value Variable% tag, you can use the encode(none) option of the %value Variable% tag, (%value Variable encode(none)%).

If you do not want Integration Server to HTML encode the output from any %value Variable% tag in all documents and/or HTML pages resulting from output templates, set the watt.core.template.enableFilterHtml parameter to false. Setting the watt.core.template.enableFilterHtml parameter to false does not override settings of the %value Variable% tag’s encode option.

Important:
If you use encode(none) so that the output from a %value Variable% tag is not HTML encoded, that value is vulnerable to cross site scripting attacks. If you set the watt.core.template.enableFilterHtml parameter to false, all documents and pages resulting from output templates that use the %value Variable% tag are vulnerable to cross site scripting attacks.

For more information about the encode(none) option, see %value%. For more information about the watt.core.template.enableFilterHtml parameter, see webMethods Integration Server Administrator’s Guide.