Filtering HTML and XML outputs
Not all invalid data can be detected and 100% excluded during input processing. Some input fields legitimately and necessarily contain quotation mark characters, angle bracket characters, and other sensitive characters. For example, a user-entered text area on a form might contain a snippet of JavaScript or Java code that was entered to describe a software issue.
If invalid data, such as malicious JavaScript source code, somehow reaches a Pega Platform clipboard, applications that are built following the guardrails reduce the risk that the JavaScript code is ever sent to a browser in a form that can be executed.
Output from auto-generated harness, section, and flow action rules is automatically output-filtered. Application developers do not need a special approach for such rules. (This applies to Pega Platform 5.3 SP1 or later versions.)
In any non-auto generated (manually created) stream rules (correspondence, paragraph rules, XML, HTML, flow actions, harness, or sections), use only Pega Platform JSP tags to ensure that output filtering occurs. Note these specific cases:
- Even when you manually create only a portion of a full HTML or XML document, make the HTML code that your rules produce well-formed in terms of matching begin-end tags, matched quotation marks, use of only legitimate HTML tags, and correct nesting of tags. Various browser versions render malformed HTML in unpredictable ways, and some browsers become vulnerable to bugs and quirks after rendering malformed HTML code.
- For the <pega:reference> or <p:r> tag, omit the mode attribute to provide complete XSS filtering; filtering is the default whenever the tag has no mode attribute. Avoid mode=literal, which disables XSS filtering. Use mode=javascript only when truly necessary, and with extreme care.
- For the <pega:lookup> tag in PRPC 5.5 applications, avoid mode=literal. In versions prior to PRPC 5.5, the mode attribute is not available, and all uses of the <pega:lookup> tag provide XSS filtering.
- Filter any potential-risk text value for XSS vulnerability using a Java scriptlet that calls one of two PublicAPI methods.
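The following Python script is an added illustration, not Pega Platform code, of the two points above: what output filtering does to a clipboard value that carries markup, and why well-formed HTML alone is not enough. The `render_reference` function is a stand-in model of a reference tag with the three mode settings the page names (mode omitted, `mode=literal`, `mode=javascript`); the exact encoding it applies in each mode, the `SAMPLE_VALUE` text and the small well-formedness checker are assumptions made for the example and do not describe how Pega implements its tags.

```python
import html
import json
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample: a clipboard property holding user-entered text from a
# bug-report text area, including a script tag, an ampersand and quotes.
SAMPLE_VALUE = 'See issue: <script>alert("xss")</script> & "quotes"'


def filter_html(value: str) -> str:
    """Escape the characters that let text break out of HTML content or an
    attribute value. This models the filtering the page describes for a
    reference tag whose mode attribute is omitted (assumption: HTML entity
    escaping is the filtering applied)."""
    return html.escape(value, quote=True)


def filter_javascript(value: str) -> str:
    """Encode a value for use inside a JavaScript string literal.
    json.dumps yields a quoted, backslash-escaped literal; the extra
    replacements keep '</script>' or '<!--' inside the string from ending
    the surrounding script block (assumption about javascript-mode output,
    not Pega's implementation)."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_reference(value: str, mode: Optional[str] = None) -> str:
    """Stand-in for a reference tag: filtered by default, unfiltered with
    mode=literal, JavaScript-string encoded with mode=javascript."""
    if mode is None:
        return filter_html(value)
    if mode == "literal":
        return value          # no filtering at all: the risky setting
    if mode == "javascript":
        return filter_javascript(value)
    raise ValueError(f"unknown mode: {mode}")


def render_page(value: str, mode: Optional[str] = None) -> str:
    """A manually written fragment that embeds the value in a paragraph."""
    return f"<p>Description: {render_reference(value, mode)}</p>"


def contains_live_script(markup: str) -> bool:
    """Does the rendered fragment still contain an executable script tag?"""
    return "<script" in markup.lower()


VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class _TagBalance(HTMLParser):
    """Tracks opening/closing tags to judge whether a fragment is balanced."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: List[str] = []
        self.balanced = True

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if not self.stack or self.stack.pop() != tag:
            self.balanced = False


def is_well_formed(markup: str) -> bool:
    """True when every non-void tag opened is closed in the correct order."""
    parser = _TagBalance()
    parser.feed(markup)
    parser.close()
    return parser.balanced and not parser.stack


if __name__ == "__main__":
    for mode in (None, "literal", "javascript"):
        out = render_page(SAMPLE_VALUE, mode)
        print(f"mode={mode!s:<10} well_formed={is_well_formed(out)} "
              f"live_script={contains_live_script(out)}\n  {out}")
```

Running the script shows that the literal-mode output is perfectly well-formed HTML and still carries an executable script tag, while the filtered output renders the same text harmlessly; this is why the page asks for both well-formed markup and the default (filtering) mode rather than either on its own.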