SR-D65513 · Issue 530181
URL encryption modified for ShowAllOperators
Resolved in Pega Version 8.3.2
In the control ShowAllOperators, the call to pzEncryptURLActionString was introduced to encrypt URLs to avoid hijacking. The content of the URL relied on the pxRequestor.pxWorkGroup property, which was resolved using pega:reference tags. This approach worked in versions below 8.x, but in higher versions the tags were not resolved at runtime and results were not displayed. To resolve this, the requestorWorkGroup will be treated as a string and passed as a parameter instead of using pega:reference tags.
SR-D67323 · Issue 529946
Cross-site scripting filtering added for CreateMergedWordDoc
Resolved in Pega Version 8.3.2
Cross-site scripting filtering has been added for the TemplateName parameter value in the CreateMergedWordDoc section.
SR-D79113 · Issue 543721
Updated DisplayAttachment to handle SingleClick download from Case Worker portal
Resolved in Pega Version 8.3.2
When the script "pega.ui.HarnessActions.doAttachmentSingleClick" was used in the Worker portal to download attachments displayed within a screen flow, the entire application hung and no action was invoked even on clicking the Continue or Finish buttons of the screen flow. Whenever an attachment is downloaded using the script function pega.ui.HarnessActions.doAttachmentSingleClick(), an iframe is used and changetracker is called to communicate data between different iframes. However, the case worker portal is a single-threaded model while the manager and admin portals are multi-threaded, which resulted in changetracker freezing on the worker portal. To resolve this, the DisplayAttachment HTML rule has been updated to build the necessary changeTrackerMap for the worker portal.
SR-D80120 · Issue 544213
Custom attachment category parameter passed to dropdown
Resolved in Pega Version 8.3.2
Attempting to use the out-of-the-box “Attachments control” configured at design time to use a custom category, where both the custom category and the section class were in the same work class, resulted in the attachment category dropdown defaulting to “File” instead of the custom category. Investigation showed that the custom attachment category name configured on the control was missing from one of the pre-processing activities. To resolve this, the activity Work-.pzInitAttachContent and the initAttachmentPage activity have been updated to pass the custom attachment category parameter.
SR-D31734 · Issue 515655
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.3.2
A cross-site scripting vulnerability was seen with the Edge browser when the run on visibility on client check was enabled with dynamic layouts and some properties were accessed from the parameter page. Because the run on visibility on client check is not required in this scenario, it has been removed and the values will be accessed from the server instead.
SR-D33214 · Issue 514022
Added safeURL encoding for Japanese characters in attached filenames
Resolved in Pega Version 8.3.2
It was not possible to preview a Japanese-titled PDF file attached to a work object. Investigation showed that when file names contained Japanese characters, they were not being correctly encoded during the fetch request when JBoss was used. The retrieval worked correctly under Tomcat. To ensure consistent encoding, the safeURL API will be used for constructing the URL and for the activities DisplayAttachFile and pzDownloadFromRepository, which add the ContentDisposition header.
SR-D67321 · Issue 532627
ShowXML activity deprecated
Resolved in Pega Version 8.3.2
The activity @baseclass.ShowXML has been blocked for security reasons. If the functionality is needed, a single-line step of "Show-Applet-Data" may be used.
INC-188469 · Issue 714843
Updated retainLock for DoClose activity
Resolved in Pega Version 8.8
After sending an external email notification from a case, attempting to use the "close" button resulted in an access denied error. This was traced to a missed use case for recent security improvements which resulted in not setting the required parameter retainLock for the DoClose activity, and has been resolved.
INC-192673 · Issue 689552
Tab highlighting updated
Resolved in Pega Version 8.8
Not all elements were indicated with yellow highlighting when tabbing through the screen. This has been resolved.
INC-194180 · Issue 704636
GetChildcases handling updated for large numbers of cases
Resolved in Pega Version 8.8
When a very high number of child cases being processed contained a wait shape that was dependent on the movement of a parent case, some of the cases were moved to the next step of the flow automatically while others required a manual command to ResumeFlow. In extreme cases where many child cases were waiting, a node crash could occur. This was traced to the pzGetChildcases report having a maximum value of 500 lines, and has been resolved by increasing the maximum number of rows to retrieve to 9999 in the Data Access Tab of the pzGetChildCases report definition. In addition, the pxCheckFlowDependencies activity has been modified to perform with a higher number of cases, and DSS(MaxRecords) logic has been added to split the child cases into multiple queue items for each access group to decrease load on each thread process.