SR-D21803 · Issue 502130
Cross-site scripting protection added for embedded portal URI
Resolved in Pega Version 8.2.4
The URI used in the top window of embedded portals has been encoded to prevent DOM based cross-site scripting.
SR-D29485 · Issue 503511
Enhancement added to modify URL encryption for load testing
Resolved in Pega Version 8.2.4
An enhancement has been added which allows conditionally modifying URL encryption for load testing. This uses the flag crypto/useportablecipherforurlencryption: if true, a portable hardcoded key is used to encrypt the URLs and if false, a dynamically generated key per thread/requestor is used to encrypt the URL.
SR-D38581 · Issue 504775
Removed unnecessary cross-site scripting filtering on paragraph rule
Resolved in Pega Version 8.2.4
When a link was set in a paragraph rule, the target option was removed in the returned layout structure. This was traced to unnecessary XSS filtering which has now been removed.
SR-C98068 · Issue 483991
Installer files updated with class loader conflict resolution assistance
Resolved in Pega Version 8.2.4
When sending emails with attachments, errors were observed relating to a loader constraint violation, indicating that when resolving an interface method, the class loader of the current class and the class loader for the method's defining class had different Class objects for the type used in the signature. The resolution for this requires user configuration of the app server, and the following files for the install guide have been updated with the appropriate information:
Deployment-guides-dita/install.ditamap
Deployment-guides-dita/Content/Topics/app-server-config/creating-jdbc-driver-module-jboss-tsk.dita
Deployment-guides-dita/Content/Topics/app-server-config/delegating-javax-activation-to-JRE-loader-tsk.dita
SR-D28460 · Issue 509365
Added timeout handling for non-PRAuth servlets
Resolved in Pega Version 8.2.4
After logging in via an external authentication service (SAML Single Sign On) and setting up a timeout in the access group RuleForm, when the user performed any action and the server identified the request to be timed-out, it was expected that a SAML request would be sent from the browser to the external Authentication Server (referred to as the IDP) and the flow would proceed from there. This worked as expected for a non-AJAX request. To resolve this, handling has been added for timeout when using non-PRAuth authentication services.
SR-D29127 · Issue 506863
SAML data pages restored after passivation
Resolved in Pega Version 8.2.4
If login used SAML SSO, resuming the session after passivation resulted in missing or empty data pages when using an SAP integration with Pega Cloud. This was traced to a security change that marked the D_SAMLAssertionDataPage and D_SamlSsoLoginInfo data pages as read-only, causing them to not be passivated under these conditions. To resolve this, the data pages have been made editable so they will be restored as expected. This change also resolves any difficulty with SAML logoff activities in conjunction with SAP and Pega Cloud.
SR-D37872 · Issue 507341
prproductmigration build.gradle updated for new mime4j asset name
Resolved in Pega Version 8.2.4
While running the getMigrationLog for ProductMigration script provided in the Pega 8.2.2 media files, errors appeared referencing "NoClassDefFoundErrors when running getLogs". This was caused by the referenced class not being found on the classpath: the version of the included jar did not include the class needed due to Praxiom's default version being updated to use a new version of mime4j that required an asset name change. To resolve this, the mime4j asset name in prproductmigration build.gradle has been updated to pick up the correct version of the dependency for Praxiom.
SR-D36091 · Issue 505613
Harness context will be stored to handle on click executed outside of the Ajax Container
Resolved in Pega Version 8.2.4
An exception was generated in the interaction portal on execution of a post-value action for the on-change event on a text-box in the service case: "Failed to find instance Work-Interaction-Research.EmailBodyRTE of type Rule-HTML-Section". This was traced to a condition where clicking outside of the Ajax Container (AC) context to trigger the change caused the Events code to execute the event in the active context when the active context had already been changed by clicking outside of the AC. To avoid this, the system will store the harness context in the event object using the pega.ctxmgr.getContextByTarget(target) API.
SR-D23174 · Issue 499568
Check logic added for change in datetime
Resolved in Pega Version 8.2.4
After selecting a valid date in the calendar UI, clicking outside of the DateTime control caused the date to disappear when using the Microsoft Internet Explorer browser. Investigation showed that the order of events execution is different in Microsoft Internet Explorer and Google Chrome, so that by the time the getReadOnlyFormatting method was called, the data-changed attribute had already been updated to 'false'. This caused the read-only formatting to not be applied so the data-display-value was considered to be empty. To resolve this, a check has been added to better detect the change so that read-only formatting gets applied.
SR-D36970 · Issue 504985
Calendar icon updated to properly display the set number of years
Resolved in Pega Version 8.2.4
By default, the Calendar icon showed a date range of 10 years when -/+100 was expected. This issue was traced to the existing DSS setting (pyNumberofYears under Pega-UIEngine), which enables overriding the date year range, not being honored when the pyNoOfYears property was set to -1. To honor the pyNumberofYears setting, pyNoOfYears should be 21. This has been corrected so the value will be set properly.