Output from auto generated harness, section, and flow action rules is automatically output-filtered. Application developers do not need a special approach for such rules. (This is applicable to Pega Platform 5.3 SP1 or later versions.)
In any non-auto generated (manually created) stream rules (correspondence, paragraph rules, XML, HTML, flow actions, harness, or sections), use only Pega Platform JSP tags to ensure that output filtering occurs. Note these specific cases:
- Even when you manually create only a portion of a full HTML or XML document, make the HTML code that your rules produce well-formed in terms of matching begin-end tags, matched quotation marks, use of only legitimate HTML tags, and correct nesting of tags. Various browser versions render malformed HTML in unpredictable ways, and some browsers become vulnerable to bugs and quirks after rendering malformed HTML code.
- For the
<p:r>tag, omit the mode attribute to provide complete XSS filtering. This is the default when your tag omits the mode attribute. Avoid
mode=literal, which disables XSS filtering. Use
- For the
<pega:lookup>tag in PRPC 5.5 applications, avoid
mode=literal. In versions prior to PRPC 5.5, the mode attribute is not available, and all uses of the
<pega:lookup>tag provide XSS filtering.
- Filter any potential-risk text value for XSS vulnerability using a Java scriptlet that calls one of two PublicAPI methods.