SR-D69935 · Issue 534021
Filtered By Label read by JAWS in report browser
Resolved in Pega Version 8.3.2
When using Firefox, any FilteredBy text in the Report Browser was not being read by JAWS. This was traced to Firefox interpreting the filters in the Report Viewer as not having any distinguishing accessibility label, and has been resolved by adding aria roles to the filters in the Report Viewer.
SR-D71408 · Issue 534931
DIrty check flag triggered by adding columns and filters
Resolved in Pega Version 8.3.2
If a report was edited and closed without saving, the dirty check worked as expected. However, if new columns or filters were added and the report closed without saving, the dirty check did not appear. This has been resolved by updating the check logic.
SR-D73777 · Issue 539968
Logic added for client-side Somaria decoding
Resolved in Pega Version 8.3.2
When Somaria (an Advanced Data Visualization control) was used with Predictor Performance, the special characters were displayed as ASCII values instead of the actual values in the label. This was traced to Somaria encoding special characters of the visualization data into HTML entities on the server in order to protect against cross-site scripting attacks, but these entities were not being decoded on the client side. To resolve this, logic has been added to decode HTML entities in Somaria data on the client.
SR-D75097 · Issue 542359
DSS added to allow disabling Excel cell export security
Resolved in Pega Version 8.3.2
In order to avoid calculation injection during Export to Excel, an apostrophe character was added to the cell on export to close a vulnerability. However, sites using an external tool to consume the Excel document needed a workaround for this security feature. The resolution for this issue adds a DSS setting "TurnOffSecurityForExportToExcel" which can now be used to turn on/off the security feature that adds char " ' " in front of the cell value. Further refinements to this work will be included in a future release.
SR-D75757 · Issue 540638
ReportBrowser script updated to ensure older version refreshes on creation
Resolved in Pega Version 8.3.2
When using the old version of the Report Browser, the count at the report category did not update after being saved into a category until logout and login back to the portal. This was a missed use case for the old browser during updates to the UIKit and has been resolved by including the reportbrowser script in the header section pyCMReportBrowserHeader to ensure a refresh.
SR-D31734 · Issue 515655
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.3.2
An cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D33214 · Issue 514022
Added safeURL encoding for Japanese characters in attached filenames
Resolved in Pega Version 8.3.2
It was not possible to preview a Japanese-titled PDF file attached on a work object. Investigation showed that in case of Japanese characters, file names were not being correctly encoded during the fetch request when JBoss was used. The retrieval worked correctly under Tomcat. In order to ensure consistent encoding, the safeURL API will be used for constructing the URL and for the activities DisplayAttachFile and pzDownloadFromRepository which add the ContentDisposition header.
SR-D67321 · Issue 532627
ShowXML activity deprecated
Resolved in Pega Version 8.3.2
The activity @baseclass.ShowXML has been blocked for security reasons. If the functionality is needed, a a single line step of "Show-Applet-Data" may be used.
SR-C93602 · Issue 485517
White list filter added for X-Forward-Host value security
Resolved in Pega Version 8.3.2
In order to improve security, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D37894 · Issue 505974
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.3.2
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.