The following guidelines can help you minimize the security vulnerabilities in the custom HTML that you create:

• Use the SafeURL function to generate Pega Platform request URLs in custom JavaScript.

  For more information, see URL JavaServer Page tag.

• Minimize or remove hidden properties (type=hidden), because these properties are common targets for malicious users.
• Remove comments or other sensitive information so that users cannot see them. Use <%... instead of <!... to tag comments so that users do not receive comment text.
• For custom Pega JavaServer Page tags, either omit the mode attribute or set mode=normal.
• Minimize custom buttons because their URL construction can bypass encoding of potentially hazardous characters.
• Minimize the use of mode=literal, because the text that it references does not encode potentially hazardous characters.
• Minimize custom Java steps in activities, especially those that call Parse XML rules, to prevent possible XML injection.
• Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection.
• When using parameters in a JavaServer Page tag or Pega Platform reference tag, use the StringUtils.crossScriptingFilter method.
• Use strong authentication for Web Mashup users. Do not hardcode credentials in your web mashup gadget.
• Define Web Mashup security by specifying trusted origins that can use and communicate with the Web Mashup gadget. From Dev Studio, in the Record Explorer panel, click Application Definition > Application, open an application, and click the Integration & security tab.
• Consider securing your application by using the Access Group setting Rule security mode that locks down access to specific features in your application.

  For more information, see Access Deny rules.

• Consider implementing the when condition pyAllowDoUIAction to further lock down actions that the DoUIAction activity provides.

  For more information, see Defining conditions for a When rule.