Cross-Site Scripting (XSS) is an attack on a website in which data that contains scripts is executed, so that malicious code created by one user may be run by another user.
Servoy will sanitize all data that is shown in the WebClient and the NGClient to prevent this in Servoy solutions.
For example, a solution allows a user to register users and has a back-office form that lists all users.
When a user registers with a name that contains scripting, such as 'John<script>doSomethingBad()</script>Doe', Servoy will not execute the script; it sanitizes the data and shows just 'John Doe'.
Trusting data as HTML
In some situations, data used in elements contains HTML that has to be shown as-is.
Only when the source of the HTML can be fully trusted can an element be configured to disable sanitizing.
This is done via the