Output Encoding
Oracle Responsys uses output encoding to protect forms against cross-site scripting (XSS).
XSS is a type of web attack in which the attacker sends malicious code, generally in the form of a browser-side script, to a user. The malicious script can access any cookies, session tokens, or other sensitive information that the browser retains. For example, an attacker can send an email containing a link to a Responsys form. When the recipient clicks that link, the URL, including the malicious code, is sent to the Responsys server. If the Responsys server sends a page back to the user, the malicious code will be executed on the user's browser.
For more information about preventing XSS, see the Cross Site Scripting Prevention on Forms User Guide.
Protecting Forms Against XSS
If output encoding is enabled for the account, you can enable it for forms to protect user input fields and customization variables against XSS.
To protect user input fields, you need to enable output encoding for the form. To protect customization variables, you need to use the built-in functions $outputencoding()$ (for HTML) and $outputjsencoding()$ (for JavaScript).
Note that new and existing forms are not protected by default. Forms that you create from an existing one retain the setting of the existing form.
Protecting user input fields
To protect the user input fields on a form, you need to enable output encoding for the form. When the form is protected, all fields on it are also automatically protected.
- On the Folders page, click the icon next to the form name and select Output Encoding. This option is unavailable if output encoding is disabled for the account. By default, output encoding is enabled for an account. If output encoding is not enabled for the account, please contact Responsys Support.
- Select the Enable Output Encoding for this form check box. The form and all user input fields are now protected.
- Optionally, deselect the check boxes of any fields you do not want to protect.
Note that protecting the form and user input fields does not protect the customization variables on the form. To protect customization variables, use the built-in functions $outputencoding()$ (for HTML) and $outputjsencoding()$ (for JavaScript).