During security testing, we have faced an XSS vulnerability issue. When a payload is added to the GET request of the DeleteAttachment activity, it becomes executable. You can see the screenshots in the attachments. We received the screenshots from the security consultant company.
While researching security articles on Pega, we reached the link below.
There are some categories named SubmitObfuscatedURL, Urlencryption and ErrorOnInvalidThreadName. The article says that all three of these categories must be applied before production, and I guess ErrorOnInvalidThreadName is related to our case (it rejects requests that contain invalid characters in the threadname of the URL that could potentially be malicious, for example symbol characters). Or are there other techniques to prevent XSS requests?
***Edited by Moderator Marissa to update platform capability tags***
***Moderator Edit-Vidyaranjan: Updated SR details***