Server Administrator's Guide
Action on unaccepted tags
This configuration specifies what action to take on tags in the user data that are not accepted.
Note: All the outputs given under each value are based on the input data <b>This is bold text <script>alert("hi")</script></b>, where the script tag is not allowed.
The possible values are:
*FILTER — Removes the tag, but keeps the content.
Output: <b> This is bold text alert("hi") </b>
*REMOVE — Removes the tag along with the content in it.
Output: <b> This is bold text </b>
*ENCODE — Encodes the tag, so that the tag with the content is displayed, but not executed when rendered in the browser.
Output: <b>This is bold text &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;</b>
*THROW_EXCEPTION — Throws an exception to the user. This is not recommended.
*APPLY_CDATA — Wraps the tag and its content in a CDATA section.
Output: <b> This is bold text <![CDATA[ <script>alert("hi")</script>]]></b>
Decide which option to use based on the security level your application needs.
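To compare the five actions on the same input, the following added Python sketch models them with the standard library's html.parser. It is not Business Process Server code: the ACCEPTED set and the class and function names are assumptions made for the illustration, and whitespace in its results differs slightly from the outputs printed above.

```python
from html import escape
from html.parser import HTMLParser

ACCEPTED = {"b"}  # assumption: only <b> is accepted, as in the page's sample
SAMPLE = '<b>This is bold text <script>alert("hi")</script></b>'  # the page's input

def cdata_safe(text):  # "]]>" in the payload would end the CDATA section early
    return text.replace("]]>", "]]]]><![CDATA[>")

class UnacceptedTagHandler(HTMLParser):
    """Illustrative model of the five actions; not the product's code."""
    def __init__(self, action):
        super().__init__()
        self.action, self.out, self.depth = action, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACCEPTED:
            self.out.append(f"<{tag}>")  # attributes are dropped in this sketch
            return
        if self.action == "THROW_EXCEPTION":
            raise ValueError(f"unaccepted tag: <{tag}>")
        self.depth += 1
        raw = self.get_starttag_text()
        if self.action == "ENCODE":
            self.out.append(escape(raw))
        elif self.action == "APPLY_CDATA":
            self.out.append(("<![CDATA[" if self.depth == 1 else "") + cdata_safe(raw))

    def handle_endtag(self, tag):
        if tag in ACCEPTED:
            self.out.append(f"</{tag}>")
        elif self.depth:  # ignore stray unaccepted end tags
            if self.action == "ENCODE":
                self.out.append(escape(f"</{tag}>"))
            elif self.action == "APPLY_CDATA":
                self.out.append(f"</{tag}>" + ("]]>" if self.depth == 1 else ""))
            self.depth -= 1

    def handle_data(self, data):
        if self.depth and self.action == "REMOVE":
            return  # content of the unaccepted tag is dropped
        if self.depth and self.action == "APPLY_CDATA":
            self.out.append(cdata_safe(data))
        else:  # quotes are escaped only under ENCODE
            self.out.append(escape(data, quote=bool(self.depth) and self.action == "ENCODE"))

def apply_action(html_text, action):
    h = UnacceptedTagHandler(action)
    h.feed(html_text)
    h.close()
    if action == "APPLY_CDATA" and h.depth:
        h.out.append("]]>")  # close a section left open by an unclosed tag
    return "".join(h.out)
```

CDATA sections are an XML construct, so APPLY_CDATA neutralizes the tag only where the output is parsed as XML. Under FILTER the script body stays in the page as visible text, which is why the sketch still HTML-escapes it.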