INC-147654 · Issue 642186
Updates to displaying embedded images in cases
Resolved in Pega Version 8.3.6
Sending an email with an embedded image to the email ID associated with the email listener successfully created the interaction case, but the embedded image was not displayed when the case was opened from the work-basket. A rule-not found exception was seen in the tracer for pyGetImageDisplay, the rule responsible for displaying the images in the ET pane. Investigation showed that when URLObfuscation was turned on, the decryption of the URL was not successful because "&" had been encoded to '& amp;'. This has been resolved by calling the activity pyGetImageForDisplay using URLMapping instead. An additional issue was seen with displaying images in the email interaction pane where the additional empty new lines moved the image outside the intended place. This was traced to a customization for the reply area which used the pyHighlightedMessage property and converted newlines to br tags even in HTML mode. To resolve this, pyHighlightedMessage has ben modified to convert newlines to br tags only if the mode is plain text.
INC-152776 · Issue 621243
Check added for HTML and linefeed combined in email
Resolved in Pega Version 8.3.6
In the Interaction right hand pane Email triage widget, additional line breaks were seen when displaying email message data that contained table tags. This was a missed use case for email which contains both HTML and '\n', which resulted in the system replacing '\n' with < / br >. This has been resolved by adding a check whether the content has HTML tags which will avoid the replacement.
INC-165188 · Issue 635774
Third-party links allowed to pass target attribute in anchor
Resolved in Pega Version 8.3.6
Attempting to connect to Docusign, a third party application, via Email in an interaction portal was not working, and the error "account.docusign.com refused to connect" appeared. This was caused by the HTML data being sanitized so the attribute 'target' was not allowed to pass and the application could not open in a new tab. To resolve this, an update has been made that will allow the target attribute for an anchor tag.
INC-155276 · Issue 622816
Null check added for step page
Resolved in Pega Version 8.3.6
After creating and adding new Access Roles and application 'Access When' to the privileges instead of Production level, during run time the error "runtime.IndeterminateConditionalException: Trying to evaluate Rule-Access-When conditions L:IsProdAccess when there is no page to evaluate them against" appeared for the specific privileges. This was traced to a missed use case where the system falls back to the step page if the page for evaluating the 'when' condition is null, which did not account for scenarios where the step page can be null. To resolve this, a null check has been added which will fetch the primary page if the step page for the access 'when' condition is null.
INC-156647 · Issue 626293
Improved disconnected requestor cleanup for FieldService
Resolved in Pega Version 8.3.6
A large number of requestors from FieldService with the status as 'Disconnected' were accumulating and causing performance issues. This was traced to the requestors not getting passivated due to users not logging out and new requestors being created for the same users next time, and was caused by the value of the DSS Initialization/PersistRequestor being set as "OnTimeout". When the DSS prconfig/timeout/browser/default is not configured, the default browser requestor timeout is 60 minutes. In this scenario, requestors were not passivating as the requestor passivation timeout was set to the refresh token lifetime for mobile users, which was very large and overwrote the DSS value. This has been resolved by removing the code which set the passivation timeout to the OAuth2 refresh token lifetime.
SR-D32991 · Issue 504130
Email Discussion Thread retains Formatting
Resolved in Pega Version 8.2.4
CSS styles were not being retained in the discussion thread when replying to InboundCorrespondence cases. This was traced to a missing value in Param.latestReply activity pzCreateExternalPostFromMail, and has been resolved by setting an initial plain text value to the param.latestReply before it is set with the HTML value. This prevents having a blank parameter value if the incoming HTML value is empty.
SR-D28060 · Issue 505637
Cross-site scripting protection added to Pega App Studio Spaces
Resolved in Pega Version 8.2.4
Ajax Request's callback success method has a mechanism to process the response object's HTML responseText, initiate and modify the changeTracker changes, and eventually call renderUI to render the DOM. However, the response object sometimes may return a different type (JSON) that may expose cross-site scripting vulnerabilities. To improve security for the Pega App Studio, the system will process the Ajax request's response text only if the response date type is not JSON by accepting a flag in the callback object passed by the caller.
SR-D26244 · Issue 504223
Label control cross-site scripting protection added
Resolved in Pega Version 8.2.4
cross-site scripting protection has been added to label control.
SR-D30215 · Issue 503682
cross-site scripting protection added to ClientDynamicData
Resolved in Pega Version 8.2.4
Cross-site scripting protection has been added to the "DesignViewIframe" & "pzHarnessID" parameters in the pzClientDynamicData HTML rule.
SR-D25972 · Issue 501482
Handling added for custom error message in post-authentication activity
Resolved in Pega Version 8.2.4
The error message in post authentication activity was always appearing as 'Login terminated because a post-authentication activity or policy failed' irrespective of the actual message being conditionally set in the activity based on post authentication logic. Investigation showed that the parameter page in the SSO post-authentication activity was not being passed to the 'pzShowAuthPolicyError' activity due to the post-authentication activity executing in authenticated context whereas the HTML fragment executed in the un-authenticated context. In order to support this use, post-authentication activity will set the error message on a predefined property and propagate that to the HTML fragment by appending the error message as a query parameter in the redirect exception URL post-authentication failure.