INC-166995 · Issue 642440
DeleteDocumentPg added to allow list
Resolved in Pega Version 8.7
During performance testing with CSRF settings enabled, a '403 Forbidden' error was seen in the network trace when FinishAssignment called pyActivity=pyDeleteDocument on close action. This has been resolved by adding pyDeleteDocumentPg to the list of allowed activities.
SR-D23239 · Issue 499595
Support added for multi-operator SAML logins
Resolved in Pega Version 8.3.1
When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D47611 · Issue 513113
HTTPS login path issue resolved
Resolved in Pega Version 8.3.1
When using iOS, entering wrong credentials for a login with an https endpoint converted the URL to http. This was traced to a case where the resourcePath was coming as http in SSL enabled system, but the reqURI was still https. To correct this, the system has been updated so that if the reqContextURI starts with https and the requestURL starts with http, then the requestURL will be converted to https.
SR-D31734 · Issue 515655
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.3.2
An cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D33214 · Issue 514022
Added safeURL encoding for Japanese characters in attached filenames
Resolved in Pega Version 8.3.2
It was not possible to preview a Japanese-titled PDF file attached on a work object. Investigation showed that in case of Japanese characters, file names were not being correctly encoded during the fetch request when JBoss was used. The retrieval worked correctly under Tomcat. In order to ensure consistent encoding, the safeURL API will be used for constructing the URL and for the activities DisplayAttachFile and pzDownloadFromRepository which add the ContentDisposition header.
SR-D67321 · Issue 532627
ShowXML activity deprecated
Resolved in Pega Version 8.3.2
The activity @baseclass.ShowXML has been blocked for security reasons. If the functionality is needed, a a single line step of "Show-Applet-Data" may be used.
INC-127667 · Issue 581851
Documentation updated to clarify displaying property values for Declare Expressions
Resolved in Pega Version 8.7
The documentation regarding Declare Expressions rules has been updated to clarify that declare expressions do not support displaying values of target properties in the user interface if the target property is an embedded property and if the calculation engages forward chaining. Declare expressions always display property values if the calculation uses backward chaining. During forward chaining, the system might render the UI before populating the clipboard, and the properties are not visible in the UI. To show updated values, define refresh conditions in the UI to get new values from the server when the values change.
INC-134737 · Issue 589968
Storage repository documentation updated
Resolved in Pega Version 8.7
The documentation detailing different content storage options has been updated to clarify the restrictions around modifying repositories.
INC-159677 · Issue 625174
Upgrade reversal limitations clarified
Resolved in Pega Version 8.7
The reversal script section on the 8.x upgrade guides has been updated to clarify the limitations in reversing upgrades.
INC-168254 · Issue 659297
Documentation updated for accents and special characters used in search
Resolved in Pega Version 8.7
The "Pega search API" article has been updated to reflect that the search functionality in Pega Platform does not match accented words with unaccented. For example, searching for santé and sante will retrieve different results. In addition, Domain Specific Language (DSL) includes special characters for use when searching, for example '-', '_', '!', '@'. However, the system retrieves various results depending on the way the special characters are used in the search query. If the query contains special characters that are not escaped, the system may retrieve incorrect results. For example, not escaping the slash mark in the 25/02 query may cause the system to ignore the special character.