Output Encoding
Current Windchill+ customizations do not allow user interface changes. Output should be implemented only through standard provided mechanisms and existing UI pages.
The only allowed changes to the UI are branding, icons, and layouts. Additional output fields that require output encoding are not allowed.
The following general guidance is provided for reference:
Because data can be output to different formats (HTML, JavaScript, XML, and so on), it should never be stored encoded in the database. Untrusted data should only be encoded when rendered to output.
Untrusted data cannot be used in the following locations:
Directly in a script
<script>…NEVER PUT UNTRUSTED DATA HERE…</script>
Inside an HTML comment
<!--…NEVER PUT UNTRUSTED DATA HERE...-->
In an attribute name
<div …NEVER PUT UNTRUSTED DATA HERE...="test" />
In a tag name
<…NEVER PUT UNTRUSTED DATA HERE... href="test" />
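The guidance above, as an added example that is not PTC or Windchill+ code: one raw stored value is encoded separately for each output format at render time, and the four locations listed above are rejected outright. The function names, context names, and sample value are hypothetical, and the JavaScript case assumes the value is placed inside a quoted string literal.

```javascript
// Added illustration; all names here are hypothetical, not a Windchill+ API.
// Locations the page lists as never acceptable for untrusted data.
const FORBIDDEN = new Set(['script', 'htmlComment', 'attributeName', 'tagName']);

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

const ENCODERS = {
  // Text between HTML tags: neutralise markup-significant characters.
  htmlBody: s => s.replace(/[&<>"']/g, c => HTML_ENTITIES[c]),
  // Quoted HTML attribute value: encode everything except ASCII alphanumerics.
  htmlAttrValue: s => s.replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`),
  // Inside a quoted JavaScript string literal: \uXXXX for each non-alphanumeric code unit.
  jsString: s => s.replace(/[^A-Za-z0-9]/g,
    c => `\\u${c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')}`),
  // XML text or quoted attribute value: the five predefined entities.
  xml: s => s.replace(/[&<>"']/g, c => XML_ENTITIES[c]),
};

// Encode a raw (stored, unencoded) value for exactly one output context.
function encodeFor(context, raw) {
  if (FORBIDDEN.has(context)) {
    throw new Error(`untrusted data must not be placed in context: ${context}`);
  }
  if (!Object.prototype.hasOwnProperty.call(ENCODERS, context)) {
    throw new Error(`unknown output context: ${context}`);
  }
  return ENCODERS[context](String(raw));
}

// Constructed sample: the value exactly as it sits in the database, unencoded.
const stored = `O'Neil <b>&"x"`;

// The same stored value rendered into four formats, each with its own encoding.
function renderAll(raw) {
  return {
    html: `<td>${encodeFor('htmlBody', raw)}</td>`,
    attr: `<input value="${encodeFor('htmlAttrValue', raw)}">`,
    js: `var name = "${encodeFor('jsString', raw)}";`,
    xml: `<name>${encodeFor('xml', raw)}</name>`,
  };
}

console.log(renderAll(stored));
```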