SR-A19297 · Issue 237347
Added ability to set custom HTTP security headers
Resolved in Pega Version 7.2.1
XSS protections were interfering with the ability to set custom HTTP headers. To enable this, the system will use dynamic system settings from http/responseHeaders and add them to every HTTP response.
SR-A21997 · Issue 246052
Double quotes encryption handling now configurable
Resolved in Pega Version 7.2.1
When a property type of TextEncrypted was used, the apostrophe in a string was being changed to "'" due to XSS security filters. A parameter to ShowTextEncryptedPropertyValue control to support escaping double quotes has been added and is configurable based on need.
SR-126852 · Issue 196797
Handling added for click parameters containing HTML to open rule with magnifying icon
Resolved in Pega Version 7.1.8
If a parameter contained HTML characters, it was not possible to open any rule using the magnifying glass icon from next to a field. This behavior was related to XSS security catching the HTML, and has been resolved by sending the requested parameter in post body.
SR-123686 · Issue 184976
Properly resolved HTML tags in ListView
Resolved in Pega Version 7.1.8
If any HTML tags such as were used inside the Full Description of ListView, the tags are were not being resolved and were instead displayed as-is. This was caused by how the XSS filter affected the way the tags were reference when returned to the browser, and has been fixed.
INC-155954 · Issue 622606
HTTP Strict Transport Security update
Resolved in Pega Version 8.6
An update has been made to add HTTP Strict Transport Security (HSTS) headers to the DSS http/responseHeaders by enabling X-Content-Type-Options Header and X-XSS-Protection Header. In addition, the max age of the HSTS header parameter has been increased from 7 days to 1 year.
SR-D22548 · Issue 502077
Handling added for special characters in Report Category name
Resolved in Pega Version 8.4
When a Report Category was created with a special character such as ' ( , ) (ex "ABC's Reports"), the special character was not correctly shown at the Category Selection in Report Widget of the Dashboard Configuration. This was traced to the category names being sanitized against XSS attacks twice, once by the dropdown itself, and once by the activity pzRBCategoriesPostProcess, which is shared between this dropdown and the report browser. To resolve this, the system will make a simplified copy of pzRBCategoriesPostProcess for the report widget's use case and continue to use that as the post processing activity for D_pzReportWidgetCategories.