Using Active Content (X-Cart PRO)

A provider can use active content, that is, unfiltered HTML and JavaScript in product descriptions and extra field values, and validation JavaScript in Product Options. When the 'Allow this provider to use active content on product pages' option on the provider profile page in the admin section is enabled, the provider is trusted and can use active content without any validation. When this option is disabled, the provider is 'untrusted' and the following data from this provider will be filtered to exclude the possibility of an XSS attack:
This information is filtered on the 'modify product' page and during data import by the provider. When a suspicious description is detected, the data is not stored in the database, and the provider is redirected to the 'modify product' page with a warning. The warning names the field that did not pass validation (just as with an attempt to create a product with an empty description). The validation JavaScript field for Product Options is not displayed to untrusted providers.

If the data has already been entered or modified by the admin and the 'Allow this provider to use active content on product pages' option is disabled (the provider becomes untrusted), the following fields will be filtered:
Validation JavaScript code for Product Options will be ignored.

Important! Enabling or disabling the 'Allow this provider to use active content on product pages' option does not change the data in the provider's products. Only the provider profile is changed.
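
The reject-and-name-the-field behaviour described above, sketched as an added example; this is not X-Cart code. The rules for what counts as suspicious (tag list, URL attributes, allowed schemes) and the field names are assumptions, since the page does not list them.

```python
import re
from html.parser import HTMLParser

# Assumed rules for this sketch; the page does not list X-Cart's actual filter.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet",
               "form", "style", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*:")


class ActiveContentDetector(HTMLParser):
    """Collects reasons why an HTML fragment counts as active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and unescapes
        # character references in attribute values before we see them.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in URL_ATTRS and value:
                # Drop whitespace/control chars, which browsers tolerate in schemes.
                url = "".join(c for c in value if c > " ").lower()
                if SCHEME_RE.match(url) and not url.startswith(SAFE_SCHEMES):
                    self.findings.append(f"{name} with non-allowlisted scheme")


def validate_provider_fields(fields, trusted):
    """Return the names of fields that fail validation (empty list = store)."""
    if trusted:
        return []  # trusted provider: active content accepted without validation
    rejected = []
    for name, html in fields.items():
        detector = ActiveContentDetector()
        detector.feed(html)
        detector.close()
        if detector.findings:
            rejected.append(name)  # caller shows a warning naming this field
    return rejected


SAMPLE = {  # constructed input; field names are hypothetical
    "short_description": '<p>Oak <b>table</b>. <a href="/care.html">Care</a></p>',
    "detailed_description": '<img src="t.png" OnError="alert(1)">',
    "extra_field": '<a href="java&#115;cript:alert(1)">specs</a>',
}
```

Because toggling the option leaves stored product data unchanged, a check like this on save does not cover content stored while the provider was trusted; that content has to be filtered when it is displayed.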