
About Defending Data from HTML Injection


This topic describes measures you can take to protect Siebel application data from HTML injection attacks.

Displaying HTML Content

Siebel Business Applications allow you to display HTML content in fields in the user interface. When using Control objects that are field values, you can set the value of the HTML Display Mode property to control how the field value is displayed in the user interface. You can specify the following values for the HTML Display Mode property:

  • EncodeData. If the field value contains HTML reserved characters, then they are encoded before they are displayed, so that the HTML is shown as text in the user interface rather than interpreted by the browser as markup. It is recommended that you set the HTML Display Mode property to EncodeData for each Control object so that executable statements stored in Siebel data records are never rendered in the user interface.
  • DontEncodeData. Use this value only when the value of the field is HTML text and you want the HTML to be executed. Selecting this value is not recommended because the HTML text can be the object of malicious interference.
  • FormatData. This value is used when description or comment fields are in read-only layout. Setting FormatData to TRUE causes data to be formatted in HTML. For further information, see Siebel Object Types Reference.

Oracle recommends that you review all Control objects whose HTML Display Mode property is set to either DontEncodeData or FormatData, and consider changing the value of the property to EncodeData. The following SQL query returns the name and current display mode of each Control object whose HTML Display Mode property is set to either FormatData or DontEncodeData:

    SELECT
        NAME,
        HTML_DISPLAY_MODE
    FROM
        SIEBEL.S_CONTROL
    WHERE
        HTML_DISPLAY_MODE = 'FormatData' OR
        HTML_DISPLAY_MODE = 'DontEncodeData'

Review the list of Control objects returned in the query. You cannot change the value of the HTML Display Mode property to EncodeData for all Control objects in one operation from within the Siebel application. The property must be set for each control individually.

If you choose another method of changing the HTML Display Mode property to EncodeData for all the Control objects returned in the query, then consider the consequences carefully before proceeding. It is recommended that you contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance with this task.

Specifying Trusted Server Names

To strengthen your Siebel application and data against attacks, you can specify the name of each of the host servers that are authorized for use with the Siebel application. The following procedure describes how to specify the names of these trusted servers.

To specify the names of trusted servers

  1. Start Siebel Tools.
  2. In the Object Explorer, select the Application object type.

    The Applications list appears.

  3. Query for the name of your Siebel application in the Object List Editor.

    For example, for the Siebel Call Center application, query for Siebel Universal Agent.

  4. Lock the application object.
  5. In the Object Explorer, expand the Application object type, then select the Application User Prop object type.

    The Application User Props list appears.

  6. In the Object List Editor, add an application user property for each server used by the Siebel application. For example:

    Name: AllowedServerNamesUrl0, Value: server_name1

    Name: AllowedServerNamesUrl1, Value: server_name2

  7. Compile the project associated with the application into an SRF file.
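As an added example (not Oracle's code or part of the guide), the following Python models the two controls this topic describes: what EncodeData does to a stored field value containing HTML reserved characters compared with DontEncodeData and FormatData, which controls the review query above would flag, and how the AllowedServerNamesUrlN application user properties form a server allow-list. The control rows, field value and host names are constructed, and how Siebel itself evaluates the allow-list is an assumption.

```python
"""Model of the HTML Display Mode and AllowedServerNamesUrlN settings.

Added example, not Oracle's code. FormatData is modelled as pass-through
here, and the host check in is_trusted_server is an assumed reading of
how an allow-list of server names would be applied.
"""
import html

# Constructed sample rows in the shape the S_CONTROL review query returns.
CONTROL_ROWS = [
    ("Account Comment", "EncodeData"),
    ("Service Request Description", "FormatData"),
    ("Opportunity Notes", "DontEncodeData"),
]

# Constructed field value containing HTML reserved characters (&, <, >).
SAMPLE_FIELD_VALUE = "Call back <b>today</b> & confirm <script>notify()</script>"

PROP_PREFIX = "AllowedServerNamesUrl"


def render_field(value: str, mode: str) -> str:
    """Return the markup the UI emits for a field under each HTML Display Mode."""
    if mode == "EncodeData":
        # Reserved characters become entities, so the value renders as text.
        return html.escape(value, quote=True)
    if mode in ("DontEncodeData", "FormatData"):
        # Markup in the stored value reaches the browser unchanged.
        return value
    raise ValueError(f"unknown HTML Display Mode: {mode}")


def controls_needing_review(rows):
    """Mirror the review query: names of controls whose mode is not EncodeData."""
    return [name for name, mode in rows if mode != "EncodeData"]


def allowed_servers(user_props: dict) -> set:
    """Collect AllowedServerNamesUrl0, AllowedServerNamesUrl1, ... into one set."""
    return {
        value.strip().lower()
        for key, value in user_props.items()
        if key.startswith(PROP_PREFIX) and key[len(PROP_PREFIX):].isdigit()
    }


def is_trusted_server(host_header: str, allowed: set) -> bool:
    """Assumed check: the requested host name (port stripped) must be on the allow-list."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in allowed
```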
Siebel Security Hardening Guide Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.