Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Filtering HTML and XML outputs

Updated on June 30, 2021

Not all invalid data can be detected and 100% excluded during input processing. Some input fields legitimately and necessarily contain quotation mark characters, angle bracket characters, and other sensitive characters. For example, a user-entered text area on a form might contain a snippet of JavaScript or Java code that was entered to describe a software issue.

If invalid data, such as malicious JavaScript source code, somehow reaches a Pega Platform clipboard, applications that are built following the guardrails reduce the risk that the JavaScript code is ever sent to a browser in a form that can be executed.

Output from auto generated harness, section, and flow action rules is automatically output-filtered. Application developers do not need a special approach for such rules. (This is applicable to Pega Platform 5.3 SP1 or later versions.)

In any non-auto generated (manually created) stream rules (correspondence, paragraph rules, XML, HTML, flow actions, harness, or sections), use only Pega Platform JSP tags to ensure that output filtering occurs. Note these specific cases:

  • Even when you manually create only a portion of a full HTML or XML document, make the HTML code that your rules produce well-formed in terms of matching begin-end tags, matched quotation marks, use of only legitimate HTML tags, and correct nesting of tags. Various browser versions render malformed HTML in unpredictable ways, and some browsers become vulnerable to bugs and quirks after rendering malformed HTML code.
  • For the <pega:reference> or <p:r> tag, omit the mode attribute to provide complete XSS filtering. This is the default when your tag omits the mode attribute. Avoid mode=literal, which disables XSS filtering. Use mode=javascript when truly necessary, but with extreme care.
  • For the <pega:lookup> tag in PRPC 5.5 applications, avoid mode=literal. In versions prior to PRPC 5.5, the mode attribute is not available, and all uses of the <pega:lookup> tag provide XSS filtering.
  • Filter any potential-risk text value for XSS vulnerability using a Java scriptlet that calls one of two PublicAPI methods.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us