Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

PublicAPI methods for XSS filtering

Updated on June 30, 2021

Output filtering involves replacing sensitive characters in the source HTML code such as angle brackets (< and >), single and double quotation marks, ampersands, and others by the equivalent HTML character entities, such as < for < or ' for ' an apostrophe. If the source text is legitimate, output filtering does not prevent correct HTML rendering by the browser.

Use these two Java methods to provide output filtering:

  • StringUtils.crossScriptingFilter(aValue) – Filters the contents of aValue and returns a filtered (encoded) version. Available in PRPC 5.3 SP1 and later versions.
  • StringUtils.reversibleCrossScriptingFilter(aValue) – Filters the contents of aValue and reverse-filters the value in the server if the same value is resubmitted in subsequent requests. This method ensures that the friendly user’s intent is preserved.

Use reversibleCrossScripting() when the internal clipboard value is not to be modified, but the value sent to the browser is to be filtered. For example, if an application user needs to search a customer master file for a customer named Molly O'Brian, the SQL statement (on the server) needs to process using the apostrophe (single quotation mark) character ('), but the browser display uses the HTML entity ' or an equivalent. In this case, a separate escape mechanism for SQL also applies, converting the name O'Brian to O\'Brian.

The following examples are portions of manually created stream rules that are modified to filter a value using these two PublicAPI functions in an inline Java scriptlet.

Example 1

Incorrect

 <%tools.appendString(tools.getActiveValue()); %>

Correct

 <%tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue()));%>

or

<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue()));%>

Example 2

Incorrect

<%tools.appendString(tools.getSaveValue("savename”)); %>

Correct

<pega:reference name=$save(savename) />

or

<%tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename”))); %>

or

<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename”))); %>

Example 3

Incorrect

 <%tools.appendString(tools.getParamValue("paramname")); %>

Correct

<pega:reference name=param.paramname/>

or

<%tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>

or

<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>

Tags

Pega Platform 8.6 Security

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Support Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us