INC-162987 · Issue 641749
XSS protections updated for SOAP WSDL
Resolved in Pega Version 8.3.6
XSS protections have been updated for reading WSDL nodes.
SR-C85096 · Issue 423237
XSS check logic updated for pyPosition
Resolved in Pega Version 8.1.4
Additional logic has been added to prevent the injection of JavaScript into script tags while rendering Smart Tips.
SR-C85096 · Issue 423236
XSS check logic updated for pyPosition
Resolved in Pega Version 8.2.1
Additional logic has been added to prevent the injection of JavaScript into script tags while rendering Smart Tips.
SR-D28060 · Issue 498750
XSS filtering added to App Studio
Resolved in Pega Version 8.2.3
The pzDisplaySpaceFeedTitle control, which is used to display the audit feed in Pega App Studio, has been updated with XSS filtering.
SR-D26244 · Issue 501192
Label control XSS protection added
Resolved in Pega Version 8.2.3
XSS protection has been added to the Label control.
SR-118486 · Issue 175139
XSS filtering improved for Host and Gateway
Resolved in Pega Version 7.1.8
For security, XSS filtering has been improved in hostconfig.jsp and GatewayAdminUtils.java.
SR-118512 · Issue 175817
Improved error handling for iFrame XSS
Resolved in Pega Platform Version 7.1.7
When a page contained an iFrame from another domain, attempts to use auto-complete did not populate data, and an 'Access Denied' error was raised when keywords were entered for searching. The system cannot access or modify iFrame content from another domain (the browser's same-origin policy blocks it), so the JavaScript for the autocomplete function has been modified to correctly handle any exceptions thrown while accessing an iFrame from a different domain.
SR-A14890 · Issue 230875
Tab title XSS decoding updated
Resolved in Pega Version 7.2.1
Tab titles were not correctly decoding the "(" and ")" characters in the case ID for display because of the XSS handling. This has been updated.
SR-A17065 · Issue 233138
Support added for custom XSS headers
Resolved in Pega Version 7.2.1
After upgrade, problems were found when setting XSS-related response headers. To resolve this, the new Dynamic System Setting "http/responseHeaders" has been added to support custom HTTP response headers.
SR-A93395 · Issue 264801
XSS vulnerability closed in DynamicSelect_variables
Resolved in Pega Version 7.2.2
A potential XSS vulnerability has been addressed in DynamicSelect_variables.