SR-D31734 · Issue 515657
XSS protection added for parameter page properties
Resolved in Pega Version 8.4
An XSS vulnerability was seen in the Edge browser when the run-visibility-on-client check was enabled on dynamic layouts and some properties were read from the parameter page. Because the client-side check is not required in this scenario, it has been removed and the values are now read from the server instead.
SR-D21803 · Issue 502131
XSS protection added for embedded portal URI
Resolved in Pega Version 8.4
The URI used in the top window of embedded portals has been encoded to prevent DOM based XSS.
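The following is an added example, not Pega code, of the DOM-based XSS class the note above refers to: a URI taken from the top window is concatenated into markup inside the embedded portal, so anything an attacker places in that URL lands in the DOM. The hardened variant percent-encodes the URI and then HTML-escapes it for the attribute context it is written into. The function and variable names and the sample URL are constructed for illustration.

```javascript
// Added example (not Pega code): why a URI read from the top window must be
// encoded before it is written into the DOM of an embedded portal.

// HTML-escape for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the raw URI is concatenated into markup, so a quote
// in the URL closes the href attribute and the rest becomes new markup.
function backLinkUnsafe(topUri) {
  return '<a href="' + topUri + '">Back to portal</a>';
}

// Hardened pattern: percent-encode the URI so it stays a valid URL, then
// HTML-escape the result for the attribute it is placed in.
function backLinkSafe(topUri) {
  return '<a href="' + escapeHtml(encodeURI(topUri)) + '">Back to portal</a>';
}

// Constructed sample: a top-window URL carrying an attribute-breaking payload.
const SAMPLE_TOP_URI =
  'https://portal.example/embed?case=C-1"><img src=x onerror="alert(1)">';

// True when the generated markup still contains an injected element.
function containsInjectedElement(markup) {
  return /<img\b/i.test(markup);
}
```

In a real page the same rule applies whichever sink is used: `innerHTML`, `document.write`, or an attribute assignment built by string concatenation all need the value encoded for that context, while assigning through `element.textContent` or `anchor.href` avoids the markup context entirely.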
SR-D38581 · Issue 504776
Removed unnecessary XSS filtering on paragraph rule
Resolved in Pega Version 8.4
When a link was set in a paragraph rule, the target option was removed in the returned layout structure. This was traced to unnecessary XSS filtering which has now been removed.
SR-D49527 · Issue 516297
XSS security added to CKEditor in Richtext Editor
Resolved in Pega Version 8.4
A scenario in which HTML objects could be copied and pasted into CKEditor, with the click action modified to perform different actions, was traced to Pega event attributes present in the RTE content. This has been corrected by blacklisting Pega event attributes such as data-click.
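As an added illustration of the blacklisting described above (this is not Pega's implementation), the following strips event-hook attributes from an HTML fragment before it is accepted into the editor. The note names data-click; the other data-* names in the blocklist, the native on* handlers, and the sample fragments are assumptions for the example. The tag walker here is a simplified tokenizer; in a browser the same filter should run over a DOMParser-parsed tree rather than over the raw string, and an allowlist of permitted attributes is stronger than a denylist.

```javascript
// Added example (not Pega code): dropping Pega event attributes such as
// data-click from HTML pasted into a rich-text editor.

// Attribute names treated as event hooks. data-click comes from the fix note;
// the remaining names are assumed for illustration. Native on* handlers are
// also dropped because they carry the equivalent browser-level risk.
const BLOCKED_ATTR = /^(data-click|data-change|data-focus|data-blur|on[a-z]+)$/i;

// Rebuild one opening tag, keeping only attributes that are not blocked.
function stripTagAttributes(tagName, attrText) {
  const attrRe = /([^\s=\/>]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const kept = [];
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1];
    if (!BLOCKED_ATTR.test(name)) kept.push(name + (m[2] || ""));
  }
  return "<" + tagName + (kept.length ? " " + kept.join(" ") : "") + ">";
}

// Walk every opening tag in the pasted fragment. Closing tags and text
// content are passed through untouched.
function stripEventAttributes(html) {
  return html.replace(/<([a-zA-Z][\w-]*)([^>]*)>/g, (whole, tag, attrs) =>
    stripTagAttributes(tag, attrs)
  );
}

// Constructed sample: a pasted link whose click action has been rewired.
const PASTED_LINK =
  '<a href="https://portal.example/p" data-click="[&quot;runActivity&quot;]">Approve</a>';
```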
SR-C96362 · Issue 433333
XSS filter added to API form handling
Resolved in Pega Version 8.1.4
A cross-site scripting (XSS) filter has been added for properties that can be changed via the API.
SR-C96362 · Issue 433332
XSS filter added to API form handling
Resolved in Pega Version 8.2.2
A cross-site scripting (XSS) filter has been added for properties that can be changed via the API.
SR-A6766 · Issue 215088
Corrected XSS filter handling of properties with parentheses
Resolved in Pega Version 7.2
While localizing text through a field value for a property whose value contains parentheses, '(' and ')' were being output in HTML-encoded form rather than as literal parentheses. This was traced to the cross-site scripting filter being applied twice in the RUF pzGenerateLabelInclude, and has been corrected.
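The symptom above is the classic double-encoding defect: an output-encoding filter is not idempotent, so running it twice leaves entity text that the browser decodes only once. The following added example (not Pega's filter) reproduces it. The character set the filter encodes is an assumption, chosen to include parentheses so the note's symptom appears; the label text is constructed.

```javascript
// Added example (not Pega code): applying an output-encoding XSS filter twice
// turns '(' and ')' into visible entity text after the browser's single decode.

// Assumed filter: encodes markup-significant characters plus parentheses
// (parentheses included so the symptom in the note reproduces).
const ENCODE_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  "(": "&#40;", ")": "&#41;",
};
function xssFilter(s) {
  return String(s).replace(/[&<>"'()]/g, (c) => ENCODE_MAP[c]);
}

// One decoding pass, as the browser performs when rendering the label.
// Numeric references are decoded before &amp; so that a double-encoded
// "&amp;#40;" comes out as the literal text "&#40;", not as "(".
function decodeOnce(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// What the user sees after the label passes through the filter `times`
// times and is rendered once.
function renderLabel(label, times) {
  let out = label;
  for (let i = 0; i < times; i++) out = xssFilter(out);
  return decodeOnce(out);
}
```

The fix is to encode exactly once, at the point the value enters the HTML context, rather than to weaken the filter: filtering once still neutralizes a script payload while rendering the parentheses correctly.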
SR-A2361 · Issue 212842
XSS fix updated for IAC with CSRF tokens
Resolved in Pega Version 7.2
After updating to address a potential XSS security issue, some problems were found with using IAC with CSRF tokens in the pathinfo. Additional checks have been added to handle this scenario.
SR-A2361 · Issue 210192
XSS fix updated for IAC with CSRF tokens
Resolved in Pega Version 7.2
After updating to address a potential XSS security issue, some problems were found with using IAC with CSRF tokens in the pathinfo. Additional checks have been added to handle this scenario.
SR-A11563 · Issue 224698
XSS security added to data table edits
Resolved in Pega Version 7.2
When editing a data table and saving the record, the request could be intercepted and a script payload inserted into the pageIndex parameter. XSS protection has been added to this function.