SR-B95798 · Issue 344526
XSS filtering added to GetTour
Resolved in Pega Version 7.4
Cross scripting filtering has been added to pxGetTour java step 7, which prepares JSON.
SR-C1107 · Issue 351146
Oauth tokens obtained on login timeout
Resolved in Pega Version 7.4
When the client idle time expires, the user must perform a login in order to get back into the application. If OAuth is being used for authentication there is no need to re-send the credentials to NetIQ if neither the refresh token nor access token are expired yet, but the hybrid client was repeating the ROPC flow and obtaining a new refresh token each time the user logged in after the client idle timeout expires. With this change, the tokens are obtained on login timeout. There will be a further update targeted for the next release to show the lock screen and not log the user out.
SR-C1107 · Issue 351606
Oauth tokens obtained on login timeout
Resolved in Pega Version 7.4
When the client idle time expires, the user must perform a login in order to get back into the application. If OAuth is being used for authentication there is no need to re-send the credentials to NetIQ if neither the refresh token nor access token are expired yet, but the hybrid client was repeating the ROPC flow and obtaining a new refresh token each time the user logged in after the client idle timeout expires. With this change, the tokens are obtained on login timeout. There will be a further update targeted for the next release to show the lock screen and not log the user out.
SR-C147 · Issue 343884
Security improvements for generateCellContent RUF
Resolved in Pega Version 7.4
Code changes have been made to improve security for getting the parameter value in the generateCellContent RUF.
SR-C1787 · Issue 346038
XSS filtering added for insHandle
Resolved in Pega Version 7.4
XSS filtering has been added for the inshandle parameter in the downloadFile activity.
SR-C1787 · Issue 320158
Exception message will not include invalid filename
Resolved in Pega Version 7.4
To enhance security, the exception message In the activity Rule-File-Binary.downloadFile will not display the invalid filename.
SR-D28060 · Issue 505637
Cross-site scripting protection added to Pega App Studio Spaces
Resolved in Pega Version 8.2.4
Ajax Request's callback success method has a mechanism to process the response object's HTML responseText, initiate and modify the changeTracker changes, and eventually call renderUI to render the DOM. However, the response object sometimes may return a different type (JSON) that may expose cross-site scripting vulnerabilities. To improve security for the Pega App Studio, the system will process the Ajax request's response text only if the response date type is not JSON by accepting a flag in the callback object passed by the caller.
SR-D26244 · Issue 504223
Label control cross-site scripting protection added
Resolved in Pega Version 8.2.4
cross-site scripting protection has been added to label control.
SR-D30215 · Issue 503682
cross-site scripting protection added to ClientDynamicData
Resolved in Pega Version 8.2.4
Cross-site scripting protection has been added to the "DesignViewIframe" & "pzHarnessID" parameters in the pzClientDynamicData HTML rule.
SR-D25972 · Issue 501482
Handling added for custom error message in post-authentication activity
Resolved in Pega Version 8.2.4
The error message in post authentication activity was always appearing as 'Login terminated because a post-authentication activity or policy failed' irrespective of the actual message being conditionally set in the activity based on post authentication logic. Investigation showed that the parameter page in the SSO post-authentication activity was not being passed to the 'pzShowAuthPolicyError' activity due to the post-authentication activity executing in authenticated context whereas the HTML fragment executed in the un-authenticated context. In order to support this use, post-authentication activity will set the error message on a predefined property and propagate that to the HTML fragment by appending the error message as a query parameter in the redirect exception URL post-authentication failure.