In our Connect-HTTP Upload document service, we have a field called DOCUMENT-CONTENT, which takes document content streame in Base64 encoded format. We need to pass the attach document stream to the DOCUMENT-CONTENT field to store the document.
After dubugging request XML sent to the network we found that all the '+' signs in the DOCUMENT-CONTENT field have replaced with '+'. Following a pdn article (https://community.pega.com/support/support-articles/plus-sign-pystatuslabel-shown) I found, this is due to a defect in Pegasystems’ rules that the label which contains '+' gets encoded twice due to which it becomes ' &#43;'. This gets resolved in UI as '&43#;'. This problem has been fixed in Pega 7.1.9 for labels but problem seems to exist for integrations. Can someone please assist?
As a work around we have changed Mapping Mode of Document_Content field in the XML Stream rule from Standard to XML Literal. Not sure at this stage will this violates security as we getting a severe warning (Using "mode=literal" can expose the system to cross site scripting attacks - use with caution). But our service is working. If you can provide a better approach, most welcome.
Posted: 5 years ago
Posted: 24 Apr 2017 11:46 EDT
Marissa Rogers (MarissaRogers)
Senior Knowledge Management Specialist
I did a search on the warning you are receiving "Using "mode=literal" can expose the system to cross site scripting attacks - use with caution" and came up with this post where a HotFix was requested. Does this apply to your question?
Posted: 5 years ago
Posted: 17 May 2017 7:46 EDT
Prashant Jain (Prashant_Jain)
The linked post doesn't apply to us as no automatic mode conversion is happening with our code.
Rather, I have explicitly and additionally encoded my document content field (additional to the automatic encoding done by PRPC). This ensures the document content passed to the service contains no special characters.
The approach may have disadvantage as the external system can't view our document but this suits our requirement as we want to display documents from and within Pega only so this is absolutely fine for us.