SR-A2361 · Issue 214536
XSS fix updated for IAC with CSRF tokens
Resolved in Pega Version 7.2
After an update that addressed a potential XSS issue, problems were found when using IAC with CSRF tokens carried in the pathinfo. Additional checks have been added to handle this scenario.
SR-B30747 · Issue 297009
XSS filtering added to report browser CategoryDescription
Resolved in Pega Version 7.3
The category list on the right of the report browser rendered HTML tags that had been entered in a category label, so markup in a label was interpreted rather than displayed as text. XSS filtering has been applied to the CategoryDescription labels to close this.
SR-D28060 · Issue 505638
XSS protection added to Pega App Studio Spaces
Resolved in Pega Version 8.4
The success callback of an Ajax request processes the response object's HTML responseText, initiates and applies the changeTracker changes, and finally calls renderUI to render the DOM. However, the response sometimes carries a different data type (JSON); treating such a body as HTML could expose XSS vulnerabilities. To improve security in App Studio, the callback object passed by the caller now accepts a flag, and the system processes the Ajax response text as HTML only when the response data type is not JSON.
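The following is an added example, not Pega's own App Studio code, showing the shape of that fix: a success handler that treats the body as HTML only when the caller's callback object says it is not JSON, and otherwise parses the JSON and escapes every value before rendering. The function names (handleSuccess, handleSuccessUnsafe, renderHtml), the isJson flag, and the sample response are assumptions constructed for this illustration.

```javascript
// Added example, not Pega code. Names and the isJson flag are assumptions.

// Minimal HTML escaper for values that must be shown literally.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Stand-in for renderUI: the "rendered" page is just the markup string that
// would be handed to innerHTML, returned so it can be inspected.
function renderHtml(markup) {
  return { rendered: markup };
}

// Vulnerable shape: every responseText is assumed to be an HTML fragment, so a
// JSON body containing user-controlled strings is injected as markup.
function handleSuccessUnsafe(xhr) {
  return renderHtml(xhr.responseText);
}

// Hardened shape: the caller declares the expected type in the callback object.
// HTML is used as before; JSON is parsed and each value escaped before rendering.
function handleSuccess(xhr, callback = {}) {
  if (callback.isJson !== true) {
    return renderHtml(xhr.responseText);
  }
  let data;
  try {
    data = JSON.parse(xhr.responseText);
  } catch (e) {
    // A body that claims to be JSON but is not: never fall back to HTML.
    return { error: 'malformed JSON response' };
  }
  const items = Object.entries(data).map(
    ([key, value]) => `<li>${escapeHtml(key)}: ${escapeHtml(value)}</li>`
  );
  return renderHtml(`<ul>${items.join('')}</ul>`);
}

// Constructed sample: a JSON body whose user-controlled field carries markup.
const sampleJson = JSON.stringify({ name: '<img src=x onerror=alert(1)>', status: 'open' });
const sampleXhr = { responseText: sampleJson };

console.log(handleSuccessUnsafe(sampleXhr).rendered);            // markup reaches the DOM
console.log(handleSuccess(sampleXhr, { isJson: true }).rendered); // markup is escaped
```

The flag is trusted because it comes from the calling code, not from the response; a server-side Content-Type check would be a reasonable second line of defence but is not what the issue describes.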
SR-D8319 · Issue 445546
Case name caption security inserted with XSS filtering
Resolved in Pega Version 8.2.2
To prevent malicious JavaScript from being executed by entering a specially crafted name when adding a new case type, pyCaption in menu items has been made HTMLSafe by converting it to JSON through the GSON library. An additional fix applies XSS filtering to ensure the script does not execute while the page is loading. Additional handling for Firefox has also been added to normalize tabName so that Recents displays properly.
SR-117266 · Issue 173481
Prompt Select modified to properly handle XSS functions
Resolved in Pega Version 7.1.7
A selection made in Prompt Select was not retained after a refresh when the selected value contained special characters. The cause was XSS filtering logic that compared the encoded (filtered) value with the raw prompt value and rejected the selection when the two were not equal. To fix this, PromptSelect has been modified to call the crossScriptingFilter API on strDefaultValue before appending it to the stream.
SR-A99782 · Issue 266250
XSS vulnerability closed in Warning Justification Text field
Resolved in Pega Version 7.2.2
A potential XSS vulnerability has been addressed in the Warning Justification Text field.
SR-A100443 · Issue 266643
XSS filter added for Profile Full Name field
Resolved in Pega Version 7.2.2
An XSS filter was missing in the control PZWARNINGJUSTIFIEDOPERATORNAME. This has been fixed.
SR-B33827 · Issue 292793
XSS filter added to pxTextAbridge to correct stray characters
Resolved in Pega Version 7.3
pxTextAbridge did not handle text containing the characters "> correctly. For example, the value Sample Text "> Test was displayed as " Test">Sample Text "> Test". The text passed to the pxTextAbridge control's property was being placed unescaped into the title attribute, so the quote and angle bracket terminated the attribute and the remainder was rendered as content. This has been resolved by applying the cross-scripting filter to both the title attribute and the property value.
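The following is an added example, not Pega's own pxTextAbridge or PromptSelect code, that serves both the Prompt Select entry (SR-117266) and this pxTextAbridge entry: a small stand-in for the cross-scripting filter applied on the output side, showing first how an unfiltered value breaks out of the title attribute, and second how comparing a filtered option against a raw default value silently loses the selection. All function names (crossScriptingFilter, renderAbridged, buildPromptSelect and so on), the option list and the sample strings are assumptions constructed for this illustration.

```javascript
// Added example, not Pega code. Every name and sample value here is an assumption.

// Stand-in for the cross-scripting filter: HTML-encode the characters that can
// terminate an attribute or open a tag.
function crossScriptingFilter(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Part 1: abridged text with the full text in a title attribute (tooltip).
function abridge(text, maxLen) {
  return text.length > maxLen ? text.slice(0, maxLen) + '...' : text;
}

// Vulnerable shape: raw text in the title attribute. A "> inside the value closes
// the attribute and the start tag, and the rest of the value becomes content.
function renderAbridgedUnsafe(text, maxLen) {
  return `<span title="${text}">${abridge(text, maxLen)}</span>`;
}

// Fixed shape: filter both the title attribute and the visible value.
function renderAbridged(text, maxLen) {
  return `<span title="${crossScriptingFilter(text)}">${crossScriptingFilter(abridge(text, maxLen))}</span>`;
}

// Crude stand-ins for what a browser would take as the tooltip and the visible text.
function titleOf(markup) {
  const m = markup.match(/title="([^"]*)"/);
  return m ? m[1] : null;
}
function visibleTextOf(markup) {
  return markup.slice(markup.indexOf('>') + 1, markup.lastIndexOf('</span>'));
}

// Part 2: a select list whose option values are filtered before output.

// Buggy shape: each option is filtered, but strDefaultValue is compared raw, so an
// option containing & < > " ' never compares equal and is never marked selected.
function buildPromptSelectBuggy(options, strDefaultValue) {
  return options.map((opt) => {
    const filtered = crossScriptingFilter(opt);
    const selected = filtered === strDefaultValue;
    return `<option value="${filtered}"${selected ? ' selected' : ''}>${filtered}</option>`;
  }).join('');
}

// Fixed shape: filter strDefaultValue before it is appended to the stream, so the
// comparison is filtered against filtered.
function buildPromptSelect(options, strDefaultValue) {
  const safeDefault = crossScriptingFilter(strDefaultValue);
  return options.map((opt) => {
    const filtered = crossScriptingFilter(opt);
    const selected = filtered === safeDefault;
    return `<option value="${filtered}"${selected ? ' selected' : ''}>${filtered}</option>`;
  }).join('');
}

// Value attribute of the selected option, or null when nothing is selected.
function selectedValue(markup) {
  const m = markup.match(/<option value="([^"]*)" selected>/);
  return m ? m[1] : null;
}

// Constructed samples. SAMPLE_TEXT is the value quoted in the issue description.
const SAMPLE_TEXT = 'Sample Text "> Test';
const SAMPLE_OPTIONS = ['Smith & Sons', 'Plain', "O'Brien"];

console.log(visibleTextOf(renderAbridgedUnsafe(SAMPLE_TEXT, 8))); // ' Test">Sample T...'
console.log(visibleTextOf(renderAbridged(SAMPLE_TEXT, 8)));       // 'Sample T...'
console.log(selectedValue(buildPromptSelectBuggy(SAMPLE_OPTIONS, 'Smith & Sons'))); // null
console.log(selectedValue(buildPromptSelect(SAMPLE_OPTIONS, 'Smith & Sons')));      // 'Smith &amp; Sons'
```

The two parts share one lesson: the filter has to be applied once, at the point where the value enters the HTML stream, and anything compared against an already-filtered value must be filtered the same way.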
SR-B37957 · Issue 303574
XSS security added for date property error message
Resolved in Pega Version 7.3
A cross-site scripting filter has been added for pyErrorMessage to improve security.
SR-B37957 · Issue 278510
XSS security added for date property error message
Resolved in Pega Version 7.3
A cross-site scripting filter has been added for pyErrorMessage to improve security.