
Managing Security and User Access 5-69

– unsafe: Only well-known unsafe script tags are encoded. The list includes: script, applet, object, html, body, head, form, input, select, option, textarea.
– exceptsafe: Only well-known safe script tags are not encoded. The list includes: font, span, strong, p, b, i, br, a, img, hr, center, link, blockquote, bq, fn, note, tab, code, credit, del, dfn, em, h1, h2, h3, h4, h5, blink, s, small, sub, sup, tt, u, ins, kbd, q, person, samp, var, ul, li, math, over, left, right, text, above, below, bar, dot, ddot, hat, tilde, vec, sqrt, root, of, array, row, item.
– lfexceptsafe: Recommended where extended comments are entered by a user and they want to preserve the line feed breaks of the original text. Similar to exceptsafe; however, line feed (ASCII 10) characters are turned into HTML break tags (br). Line feeds inside of HTML tags are not turned into break tags. The following script tags that are safe with exceptsafe are not safe with lfexceptsafe: br, p, ul, li.

Except for the rule none, all the rules have special HTML comment handling. In particular, all HTML comments are allowed through the filter. However, when inside an HTML comment, all less-than and greater-than symbols are encoded. This does not apply to the HTML comment closing signature -->. Also, if there is an unterminated comment, the encoding function appends the HTML comment close signature -->.

Additionally, except for the rule none, any attribute value located inside a tag has any parenthesis encoded: to &#x28; for ( or &#x29; for ). Otherwise, if any character is escaped, it is escaped using the XML &#xxxx; type encoding.

wordbreakrules: This is an optional parameter that specifies whether long strings without space characters are to be broken up, and what maximum word size to apply. Either the string wordbreak or nowordbreak can be specified. This parameter can be used with any of the encodeHtml rules. The default is to turn on wordbreak if the rule lfexceptsafe is specified, and to use a maxlinelength of 120 characters. The additional parameter maxlinelength=xxx can be used with the wordbreak parameter to specify a desired maximum line length. For example:

encodeHtml("exceptsafe", "bad text", "wordbreak", "maxlinelength=80")

The wordbreak functionality is only usable by the encodeHtml function, because the function is used for display and is not applied before the data is stored. For information about Idoc Script, see the Oracle Fusion Middleware Idoc Script Reference Guide.

5.9.4.2 HtmlDataInputFilterLevel Configuration Variable

The HtmlDataInputFilterLevel configuration variable can be used to apply a level of encoding that filters all input data to the Oracle Content Server system for bad HTML constructions. The HtmlDataInputEncodingRulesForSpecialFields table in the std_resources.htm file is used for special-case encoding rules and may override this configuration entry for certain parameters. Note that if you change the HtmlDataInputFilterLevel value, you must restart the Oracle Content Server instance. Using the HtmlDataInputFilterLevel variable has no effect on the behavior of the Idoc Script encodeHtml function.

5-70 Oracle Fusion Middleware System Administrators Guide for Oracle Content Server

You can set the HtmlDataInputFilterLevel configuration variable to the following values:

■ none: Not recommended. All filtering is turned off.
■ unsafe: Default. Recommended. Protects against bad HTML constructions. Examples of bad constructions include: script, applet, object, html, body, head, form, input, select, option, textarea.
■ exceptsafe: Not recommended. Allows only well-known safe constructions through the filter. If exceptsafe is chosen, then the unsafe option will be applied to GET-style requests. Doing a higher level of encoding on GET requests breaks Oracle Content Server operation because ... and other tags are routinely passed in as part of the parameter data or URLs. The higher level of filtering is only applied to non-scriptable services (those services that are usually called with POST). Examples of well-known safe constructions include: font, span, strong, p, b, i, br, a, img, hr, center, link, blockquote, bq, fn, note, tab, code, credit, del, dfn, em, h1, h2, h3, h4, h5, blink, s, small, sub, sup, tt, u, ins, kbd, q, person, samp, var, ul, li, math, over, left, right, text, above, below, bar, dot, ddot, hat, tilde, vec, sqrt, root, of, array, row, item.
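The following Python model is added here as an illustration; it is not part of this guide and not Oracle Content Server code. It works through the encodeHtml rules described above (the unsafe, exceptsafe and lfexceptsafe tag lists, the HTML comment handling, the parenthesis encoding inside attribute values, and the wordbreak options) and then applies the HtmlDataInputFilterLevel values to a request's parameters, including the fallback from exceptsafe to unsafe on GET requests. The function names encode_html and filter_input_level, the escaping of stray angle brackets in plain text, the space used as the word-break character, and deciding the GET fallback on the HTTP method are all assumptions of this model.

```python
import re

# Tag lists as given in the guide's rule descriptions.
UNSAFE_TAGS = {"script", "applet", "object", "html", "body", "head", "form",
               "input", "select", "option", "textarea"}
SAFE_TAGS = {"font", "span", "strong", "p", "b", "i", "br", "a", "img", "hr",
             "center", "link", "blockquote", "bq", "fn", "note", "tab", "code",
             "credit", "del", "dfn", "em", "h1", "h2", "h3", "h4", "h5", "blink",
             "s", "small", "sub", "sup", "tt", "u", "ins", "kbd", "q", "person",
             "samp", "var", "ul", "li", "math", "over", "left", "right", "text",
             "above", "below", "bar", "dot", "ddot", "hat", "tilde", "vec",
             "sqrt", "root", "of", "array", "row", "item"}
LF_UNSAFE = {"br", "p", "ul", "li"}        # safe under exceptsafe only
SUPPORTED_INPUT_LEVELS = ("none", "unsafe", "exceptsafe")   # no lfexceptsafe

# Terminated comment | unterminated comment | tag; comments are listed first
# so that "<!--" is never parsed as a tag.
TOKEN_RE = re.compile(r"(<!--.*?-->|<!--.*|</?[A-Za-z][^>]*>)", re.DOTALL)
TAG_NAME_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")
ATTR_VALUE_RE = re.compile(r"""=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""")


def _xml_escape(s, chars="<>"):
    """Escape the listed characters with the XML &#x..; numeric form."""
    return "".join(f"&#x{ord(c):X};" if c in chars else c for c in s)


def _encode_comment(tok):
    """Let the comment through, encode < and > inside it, and append the
    --> close signature when the comment is unterminated."""
    body = tok[4:-3] if tok.endswith("-->") else tok[4:]
    return "<!--" + _xml_escape(body) + "-->"


def _encode_tag(tok, rule):
    """Neutralise the whole tag when the rule blocks it; otherwise let it
    through with ( and ) in attribute values encoded."""
    name = TAG_NAME_RE.match(tok).group(1).lower()
    if rule == "unsafe":
        blocked = name in UNSAFE_TAGS
    elif rule == "exceptsafe":
        blocked = name not in SAFE_TAGS
    elif rule == "lfexceptsafe":
        blocked = name not in (SAFE_TAGS - LF_UNSAFE)
    else:
        raise ValueError(f"unknown rule {rule!r}")
    if blocked:
        return _xml_escape(tok)
    return ATTR_VALUE_RE.sub(lambda m: _xml_escape(m.group(0), "()"), tok)


def _wordbreak(text, maxlen):
    """Break runs of non-space characters longer than maxlen. The guide does
    not say what is inserted; a space is this model's assumption."""
    return re.sub(rf"(\S{{{maxlen}}})(?=\S)", r"\1 ", text)


def encode_html(rule, text, *wordbreakrules):
    """Model of encodeHtml(rule, text, wordbreakrules...). rule is one of
    none, unsafe, exceptsafe, lfexceptsafe; wordbreakrules may hold
    "wordbreak", "nowordbreak" and "maxlinelength=N"."""
    if rule == "none":
        return text                       # no filtering, not even comments
    wordbreak, maxlen = rule == "lfexceptsafe", 120    # guide's defaults
    for opt in wordbreakrules:
        if opt == "wordbreak":
            wordbreak = True
        elif opt == "nowordbreak":
            wordbreak = False
        elif opt.startswith("maxlinelength="):
            maxlen = int(opt.split("=", 1)[1])
        else:
            raise ValueError(f"unknown wordbreak option {opt!r}")
    out = []
    for i, part in enumerate(TOKEN_RE.split(text)):
        if i % 2:                         # odd parts are comment/tag tokens
            out.append(_encode_comment(part) if part.startswith("<!--")
                       else _encode_tag(part, rule))
            continue
        # Text between tags. Stray angle brackets are escaped (this model's
        # choice), line feeds become <br> only under lfexceptsafe, and
        # wordbreak touches text only, never the inside of a tag.
        part = _xml_escape(part)
        if rule == "lfexceptsafe":
            part = part.replace("\n", "<br>")
        if wordbreak:
            part = _wordbreak(part, maxlen)
        out.append(part)
    return "".join(out)


def filter_input_level(level, method, params):
    """Model of HtmlDataInputFilterLevel applied to a request's parameters.
    exceptsafe drops to unsafe for GET requests, as the guide states; keying
    on the HTTP method rather than on scriptable services is a simplification."""
    if level not in SUPPORTED_INPUT_LEVELS:
        raise ValueError(f"HtmlDataInputFilterLevel does not support {level!r}")
    effective = "unsafe" if level == "exceptsafe" and method.upper() == "GET" else level
    return {k: encode_html(effective, v) for k, v in params.items()}
```

The server applies the higher level only to non-scriptable services, so the method check is a stand-in for that decision. What the model makes visible is which tags each level lets through, why a line feed inside a tag is left alone under lfexceptsafe, and that lfexceptsafe is rejected outright for the configuration variable.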
See the encodeHtml Function rule description for information about HTML comment handling, which also applies to HtmlDataInputFilterLevel configuration values. The value lfexceptsafe is not supported for the HtmlDataInputFilterLevel configuration variable. It is only supported with the encodeHtml function.

6 Managing Components

This chapter describes how to use the Component Wizard to create new Oracle Content Server components, how to use the Component Manager to administer and enable/disable system and custom Oracle Content Server components, and how to use a command-line tool to install, enable, and disable Oracle Content Server components.

■ Section 6.1, About Components
■ Section 6.2, Using the Component Manager
■ Section 6.3, Using the Component Wizard
■ Section 6.4, Using the Command Line

6.1 About Components

A component is a functional unit that can be plugged into the Oracle Content Server system to provide additional features or to modify existing functionality. The primary use for components is to modify the user interface of existing pages and to alter the behavior of existing services. Standard components are provided with the Oracle Content Server system, and additional components can be acquired from the Oracle Technology Network. Administrators and developers can create their own custom components for their sites.

Note: For detailed information on the structure and use of components, see the Oracle Fusion Middleware Developers Guide for Oracle Universal Content Management.