If you have custom DSPs that use the %value Variable% tag, the output from the tag might be vulnerable to cross site scripting (XSS) attacks. To prevent these cross site scripting attacks, set the watt.core.template.enableFilterHtml parameter to true (the default). When this parameter is true, the output from a %value Variable% tag, including XML and JavaScript, is HTML encoded.

When the watt.core.template.enableFilterHtml parameter is set to true, if you do not want Integration Server to HTML encode the output from a %value Variable% tag, you can use the encode(none) option of the %value Variable% tag, (%value Variable encode(none)%).

If you do not want Integration Server to HTML encode the output from any %value Variable% tag in all DSPs, set the watt.core.template.enableFilterHtml parameter to false. Setting the watt.core.template.enableFilterHtml parameter to false does not override settings of the %value Variable% tag’s encode option.

For more information about the encode(none) option, see %value%. For more information about the watt.core.template.enableFilterHtml parameter, see webMethods Integration Server Administrator’s Guide.