Using pzGetDataPageJSON, JavaScript API pega.api.ui.actions.getDataPage()
Hi All,
Referring to: https://support.pega.com/support-doc/pega-security-advisory-d22-e22-f22-vulnerabilities-%E2%80%93-hotfix-matrix
It is mentioned that usage of pzGetDataPageJSON or JavaScript API pega.api.ui.actions.getDataPage() will leads to Cross-site scripting (XSS) is an attack.
Can someone from community helps to understand whether this is used in in the Product?
If not, what is the use case to use this?
How to use this?
How to check the issue before and after the change?
Thanks
***Edited by Moderator Marije to remove INC-247736 Support Case Details ***
Pegasystems Inc.
PL
The E22 is about the XXS which was able to execute with pzGetDataPageJSON.
Pega Platform OOTB does not use the pzGetDataPageJSON as there are other options to do the same and it was in Pega for backward compatibility. But you might see this in use if you have some custom framework.
To resolve the possibility to execute XSS you should use pyPublicDataPageWhiteList as a clear page or only contain pages that you have secured in your application and that have business requirements to use with pzGetDataPageJSON. The same was described in Article Pega's Advisory in the lower part of it.
NCS Pte. Ltd
SG
Hi @KrzysztofWan: Thanks for sharing that this is not used in PEGA OOTB.
Can you please help to explain for what features of backward compatibility this is to be used?
I'm trying to find a use case where this can be used so that the issue can be tested before and post the hotfix implementation.
Thanks.
Pegasystems Inc.
PL
In the interest of our clients, our internal policy does not allow this information to be made public. You can validate that the PRPortletService and PortalServer records, listed in the advisory, are removed.
Updated: 10 Nov 2022 21:28 EST
NCS Pte. Ltd
SG
Hi @KrzysztofWan: E22 is a public advisory from PEGA as below.
Sorry if the confusion is because of wrong support case ref. Actual support ID is INC-247400
Thanks.
Pegasystems Inc.
PL
While the G22 and E22 are different the same policy applies here.
If you have an empty pyPublicDataPageWhiteList you will have your application secured against this XSS finding.
NCS Pte. Ltd
SG
Hi @KrzysztofWan: Still it doesn't answers my initial query. I got the understanding that this helps systems against XSS findings. But I'm trying to evaluate how to validate in applications. So I'm trying to find answers for below.
What is the use case to use this?
How to use this?
How to check the issue before and after the change?
Thanks.
Pegasystems Inc.
PL
In the interest of our clients, our internal policy does not allow this information to be made public.