Integration Server 10.3 | Dynamic Server Pages and Output Templates Developer's Guide | Using Dynamic Server Pages (DSPs) | Securing DSPs | Securing DSPs Against Cross Site Scripting Attacks
 
Securing DSPs Against Cross Site Scripting Attacks
If you have custom DSPs that use the %value Variable% tag, the output from the tag might be vulnerable to cross site scripting (XSS) attacks. To prevent these cross site scripting attacks, set the watt.core.template.enableFilterHtml parameter to true (the default). When this parameter is true, the output from a %value Variable% tag, including XML and JavaScript, is HTML encoded.
When the watt.core.template.enableFilterHtml parameter is set to true, if you do not want Integration Server to HTML encode the output from a %value Variable% tag, you can use the encode(none) option of the %value Variable% tag, (%value Variable encode(none)%).
If you do not want Integration Server to HTML encode the output from any %value Variable% tag in all DSPs, set the watt.core.template.enableFilterHtml parameter to false. Setting the watt.core.template.enableFilterHtml parameter to false does not override settings of the %value Variable% tag’s encode option.
Important:
If you use encode(none) so that the output from a %value Variable% tag is not HTML encoded, that value is vulnerable to cross site scripting attacks. If you set the watt.core.template.enableFilterHtml parameter to false, all DSPs that use the %value Variable% tag are vulnerable to cross site scripting attacks.
For more information about the encode(none) option, see %value%. For more information about the watt.core.template.enableFilterHtml parameter, see webMethods Integration Server Administrator’s Guide.