Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 srujana medi (srujanam6200)
S & P Global Company Ltd

S & P Global Company Ltd
IN
srujanam6200 Member since 2019 5 posts
S & P Global Company Ltd
Posted: Oct 10, 2020
Last activity: Sep 13, 2021
Posted: 10 Oct 2020 10:26 EDT
Last activity: 13 Sep 2021 2:47 EDT
Closed

Vulnerable fix for pyUnsafeURL

 We have few HTML Fragments with code snippet with below patterns, which throwing pyUnsafeURL vulnerability when Rule security vulnerability tool is ran.

1) var var_name = <some string>

            var_name = var_name.replace('a','b');

2) var var_name = pxReqURI + "?pyActivity=A-B-C.Act_Name&tabname=Tab_1";

 For the second pattern we have tried oSafeURL as below but still it showing the vulnerability.

            var oSafeURL = new SafeURL("A-B-C.Act_Name");

            oSafeURL.put("tabname","Tab_1");

            var var_name = oSafeURL.toURL();

   But still we are seeing this snippet in vulnerability list.

 

Can someone please provide an alternative for these patterns to avoid vulnerability.

 

***Edited by Moderator: Pooja to update type to product***
To see attachments, please log in.
Pega Platform 7.4
Security
Financial Services
Experience Designer

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice