Configuring System Settings

Work Center Theme Gallery

Select a default theme for Work Center. To enable users to override this setting in their user profile, leave the Use Selected Theme for all Users check box cleared. Otherwise, select the check box to hide this setting from users.

You can also add, import, and export custom Work Center themes. For details, refer to Configuring Custom Work Center Themes.

Social View Option

Use the check box to enable or disable the Social view for all projects in your system at one time.

For details on the Social view, refer to Social View Settings.

Security Settings

Configure the following security settings for Work Center:

Allow login page to be embedded in another Web site
This option enables you to embed the SBM login page in another Web site's frame and it allows the login page to appear in the SharePoint Web Parts if you are using SBM Connect for SharePoint^®. Select this option if you are using SBM Connect for SharePoint^® or if you want to add the SBM login page to a Web portal.

CAUTION:
This option is selected by default; however, you can clear the check box for tighter security. Doing so prevents attacks that can potentially intercept clicks and send data to the enclosing Web site.
Sanitize HTML Values in Memo Fields, Journal Fields, and Notes
This option "sanitizes" HTML that is stored in the database for Memo fields, Journal fields, and notes that are configured to render HTML tags, which prevents cross-site scripting (XSS) attacks, JavaScript injections, and rendering of poorly-formatted or malicious HTML behavior from occurring. When this setting is enabled, SBM automatically compares the raw HTML in the database to the list of approved tags, attributes, and restricted styles that you configure to ensure the HTML is considered "safe" before it is rendered on the form. Any user-defined HTML formatting is also sanitized, which ensures that the HTML is formatted and displayed in a uniform, consistent manner.

Note: This option does not change any values that are already stored in the database; instead, HTML values in the database are sanitized at runtime before they are rendered on the form. When a user transitions an item with newly-sanitized HTML, the sanitized value is saved in the database when the transition is completed.

A default configuration of approved HTML tags and attributes is provided in case-insensitive JSON format. You can add or remove entries under each JSON field as necessary; however, the following JSON fields are required and cannot be removed:
- allowedTags – List of tags that are allowed
- allowedAttributesGlobal – Attributes that are allowed in all tags
- allowedAttributesByTag – Attributes that are allowed for certain tags
- restrictedStyles – List of styles that are not allowed
- needToValidateStyles – Flag to restrict styles or not
CAUTION:
It is recommended to keep these tags on the allowedTags list: ol, ul, li, div, span, sup, sub, img, b, i, strike, u, and a. Sanitizing these tags can cause text to be hidden in the Rich Text Editor.

The default configuration excludes the following obviously suspicious HTML tags, which means SBM does not render these tags by default:
```
<applet, </applet 
<embed, </embed 
<form, </form 
<frame, </frame 
<iframe, </iframe 
<input, </input 
<script, </script 
<textarea, </textarea
```
If you disable the Sanitize HTML Values option, only the suspicious tags listed above are not rendered. This includes the <a, </a and <img, </img tags unless they are added using the Rich Text Editor. However, these tags will not be rendered if they contain suspicious attributes, such as onload or onclick.

If you have made changes to the configuration and you want to compare them to the default configuration that is provided with SBM, click Reset Configuration, note the changes, and then click Discard.

To view a well-formatted version of the default settings and some configuration examples, refer to solution S141316.

Notifications

Use the Link Type field to set a global, default shell value in notification item links. For example, if you want all users to view items from notifications in the Work Center interface, select SBM Work Center.

Note: You can override this setting by editing a notification and changing the Link Type value there. However, if you have overrides on specific notifications and you set a value (or confirm the same value) in the global Link Type field again, it is applied to all notifications, including those that were overridden. Therefore, use caution when applying the global link type.