PublicAPI methods for XSS filtering
Output filtering involves replacing sensitive
characters in the source HTML code such as angle brackets (< and
>
), single and double quotation marks, ampersands, and others by the
equivalent HTML character entities, such as < for <
or ' for ' an apostrophe. If the source
text is legitimate, output filtering does not prevent correct HTML rendering by the
browser.
Use these two Java methods to provide output filtering:
- StringUtils.crossScriptingFilter(aValue) – Filters the contents of aValue and returns a filtered (encoded) version. Available in PRPC 5.3 SP1 and later versions.
- StringUtils.reversibleCrossScriptingFilter(aValue) – Filters the contents of aValue and reverse-filters the value in the server if the same value is resubmitted in subsequent requests. This method ensures that the friendly user’s intent is preserved.
Use reversibleCrossScripting() when the internal clipboard value is not to be modified, but the value sent to the browser is to be filtered. For example, if an application user needs to search a customer master file for a customer named Molly O'Brian, the SQL statement (on the server) needs to process using the apostrophe (single quotation mark) character ('), but the browser display uses the HTML entity ' or an equivalent. In this case, a separate escape mechanism for SQL also applies, converting the name O'Brian to O\'Brian.
The following examples are portions of manually created stream rules that are modified to filter a value using these two PublicAPI functions in an inline Java scriptlet.
Example 1
Incorrect
<%tools.appendString(tools.getActiveValue()); %>
Correct
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue()));%>
or
<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue()));%>
Example 2
Incorrect
<%tools.appendString(tools.getSaveValue("savename”)); %>
Correct
<pega:reference name=$save(savename) />or
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename”))); %>
or
<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename”))); %>
Example 3
Incorrect
<%tools.appendString(tools.getParamValue("paramname")); %>
Correct
<pega:reference name=param.paramname/>
or
<%tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>
or
<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>
Previous topic Filtering HTML and XML outputs Next topic Defining cross-origin resource sharing policies