
Specifying Whether to Allow HTML Input in Oracle BI Presentation Services Fields


The HardenXSS element controls whether Oracle BI Presentation Services is hardened against cross-site scripting (XSS). When hardening is on, fields that would otherwise accept HTML accept only plain text; markup that a user types into such a field is not treated as HTML.

By default, Oracle BI Presentation Services is hardened against XSS (the element is absent and its effective value is true), so users can enter only plain text. If you want to allow users to enter HTML, add the HardenXSS element to the Oracle BI Presentation Services configuration file (instanceconfig.xml) and set it to false. Be aware of what that permits: any user who can edit such a field can then store markup, including script, that is rendered in the browsers of other users who view it. Set HardenXSS to false only when every user with write access to those fields is trusted.

NOTE:  In a hardened environment (that is, by default or when HardenXSS is set to true), only image resources served by Oracle BI Presentation Services itself can be used. These images are referenced by a relative path prefixed with "fmap:" (for example, fmap:images/someimage.gif); they cannot be retrieved with a full URL (for example, http://www.somewhere.com/images/someimage.gif).

HardenXSS does not cover views that can contain raw HTML (Narrative, Ticker, Static Text, and No Results) or the Advanced tab in Answers. To protect those, you must deny the following privileges to untrusted users:

  • View Narrative
  • View Ticker
  • View Static Text
  • View No Results
  • Answers: Access Advanced Tab

For more information on permissions, see About Setting Oracle BI Presentation Services Privileges.

The following entry is an example:

<ServerInstance>
   <HardenXSS>false</HardenXSS>
</ServerInstance>
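To check an existing instance for this setting, the following audit script is an added example (my code, not Oracle's) that parses instanceconfig.xml and reports the effective HardenXSS value using the rule stated above: the element is optional and an absent element means true. Element matching ignores any XML namespace, so the check works whether HardenXSS sits directly under ServerInstance as in the entry above or under a namespaced root. The WebConfig wrapper and the urn:example namespace in the sample documents are assumptions, and all sample documents are constructed for this example.

```python
"""Audit an Oracle BI Presentation Services instanceconfig.xml for HardenXSS.

Added example, not Oracle's code. It parses the configuration XML and
reports the effective HardenXSS setting using the documented rule: the
element is optional and defaults to true, so an absent element means the
instance is hardened. Element matching ignores any XML namespace so the
check works whether the element sits in the documented <ServerInstance>
block or under a namespaced root (the namespace used below is assumed).
The sample documents are constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET


def _local_name(tag):
    """Strip a Clark-notation namespace: '{uri}HardenXSS' -> 'HardenXSS'."""
    return tag.rsplit("}", 1)[-1]


def effective_harden_xss(xml_text):
    """Return True when HTML input is blocked, False when it is allowed.

    The first HardenXSS element found is reported. Returns None if that
    element holds a value other than true/false (after trimming and
    case-folding); the documentation does not say how such a value is
    treated, so it is flagged for review rather than guessed.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local_name(elem.tag) != "HardenXSS":
            continue
        value = (elem.text or "").strip().lower()
        if value == "true":
            return True
        if value == "false":
            return False
        return None
    return True  # element absent: hardened by default


def audit(xml_text):
    """Return a one-line finding for a configuration document."""
    state = effective_harden_xss(xml_text)
    if state is True:
        return "OK: HardenXSS is effectively true; HTML input is disallowed"
    if state is False:
        return ("FINDING: HardenXSS is false; HTML (including script) is "
                "accepted in Presentation Services fields")
    return "REVIEW: HardenXSS is present but its value is not true/false"


# Constructed sample documents (not taken from a real installation).
SAMPLE_DEFAULT = "<ServerInstance></ServerInstance>"  # element absent
SAMPLE_RELAXED = """<ServerInstance>
   <HardenXSS>false</HardenXSS>
</ServerInstance>"""
# Assumed wrapper element and namespace, to show namespace-agnostic matching
# and case-insensitive value handling.
SAMPLE_NAMESPACED = """<WebConfig xmlns="urn:example:config">
  <ServerInstance><HardenXSS> FALSE </HardenXSS></ServerInstance>
</WebConfig>"""
SAMPLE_TYPO = "<ServerInstance><HardenXSS>flase</HardenXSS></ServerInstance>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_hardenxss.py /path/to/instanceconfig.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read()))
    else:
        samples = [("default", SAMPLE_DEFAULT), ("relaxed", SAMPLE_RELAXED),
                   ("namespaced", SAMPLE_NAMESPACED), ("typo", SAMPLE_TYPO)]
        for name, doc in samples:
            print(f"{name:>10}: {audit(doc)}")
```

The script only reads instanceconfig.xml; it cannot tell you who holds the View Narrative, View Ticker, View Static Text, View No Results, or Answers: Access Advanced Tab privileges, so a FINDING here still needs to be paired with a review of those privilege assignments in the Presentation Services administration pages.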

For information about working in the Oracle BI Presentation Services configuration file (instanceconfig.xml), read Making Oracle BI Presentation Services Configuration Changes.

Oracle® Business Intelligence Presentation Services Administration Guide Copyright © 2007, Oracle. All rights reserved.