The screen below shows the administration screen

Administration -> System -> System Behaviour

You will see these two fields.

  • Use Global XSS Filter
  • HTML elements blocked by filter

The global XSS filter runs a set of checks on data submitted from every screen in Sage CRM to detect cross-site scripting (XSS) payloads. Its purpose is to protect against XSS attacks at the point where the data is submitted.

The filter looks for techniques commonly used to inject JavaScript or other code that could carry out malicious actions. Part of its work is to remove values that look like HTML tags that could be used to deliver XSS or carry out related attacks, such as adding buttons to screens or loading external content into them.

HTML tag filtering is not the only thing the XSS filter does, but the tags that cause it to flag a submission are the ones listed in the HTML elements blocked by filter field.

If a disallowed tag is encountered, the submission is rendered safe: only the content that passes the filter is returned.
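To make the behaviour described above concrete, here is an added example of an element block-list filter of the kind the two fields configure. It is illustration code written for this page, not Sage CRM's own implementation (which the page does not show), and the block list in it is a constructed one rather than Sage CRM's actual default. It shows three things a practitioner should expect from such a filter: blocked tags are stripped while the surrounding text is returned, matching must be case-insensitive, and stripping must be repeated until nothing changes, because a single pass leaves `<sc<script>ript>` as `<script>`. It also shows why tag-name filtering cannot be the only check: an element that is not on the list can still carry an event-handler attribute.

```python
import re

# Constructed block list for this example; it is not Sage CRM's default list.
BLOCKED_ELEMENTS = ["script", "iframe", "object", "embed", "form", "button"]


def _blocked_tag_pattern(elements):
    """Compile a pattern matching opening, closing and self-closing tags of the
    blocked elements, case-insensitively. The \\b stops 'script' matching 'scripts'."""
    names = "|".join(re.escape(e) for e in elements)
    return re.compile(r"</?\s*(?:%s)\b[^>]*>" % names, re.IGNORECASE)


def filter_submission(value, elements=BLOCKED_ELEMENTS):
    """Strip every tag of a blocked element from a submitted value.

    Returns (clean_value, flagged). Stripping repeats until the value stops
    changing, so a payload that reassembles a tag after one removal
    (e.g. '<sc<script>ript>') is still removed.
    """
    pattern = _blocked_tag_pattern(elements)
    flagged = False
    while True:
        cleaned = pattern.sub("", value)
        if cleaned == value:
            return cleaned, flagged
        flagged = True
        value = cleaned


def has_event_handler_attribute(value):
    """Complementary check: an 'on...=' attribute on any element, which a
    tag-name block list alone does not see. Returns True if one is present."""
    return re.search(r"\son[a-z]+\s*=", value, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "<b>Quarterly report</b>",                 # harmless markup, passes untouched
        "<script>alert(1)</script>",               # blocked tag, text survives
        "<SCRIPT src=x></SCRIPT>hello",            # case variation
        "<sc<script>ript>alert(1)",                # reassembles after one pass
        "<img src=x onerror=alert(1)>",            # img not blocked, attribute is the problem
    ]
    for s in samples:
        clean, flagged = filter_submission(s)
        print("%-40r -> %-30r flagged=%s handler=%s" % (
            s, clean, flagged, has_event_handler_attribute(clean)))
```

The fixed-point loop and the separate attribute check are the two details most often missing from home-grown tag filters; the page's statement that tag filtering "is not the only thing" the Sage CRM filter does is consistent with needing both kinds of check.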