Skip to main content

Support Doc

 Mary Carbonara (MaryCarbonara) Principal Knowledge Management Specialist
Pegasystems Inc.
US
MaryCarbonara Member since 2010 216 posts
Posted: Sep 1, 2023
Last activity: Sep 16, 2024
Posted: 1 Sep 2023 13:14 EDT
Last activity: 16 Sep 2024 7:54 EDT

Preventing risk of XSS attack when specifying Label controls [SDR-A71]

Contributed by Mateusz Pyzik

Scenario

You have designed your application to display text (pxTextInput) containing HTML tags using a Label control. The Label text is formatted, instead of displaying as plain text.

By injecting HTML (rather than JavaScript) in pxTextInput, you can give your Labels a more aesthetic look in your application. For example, you might want the name of your organization to display in red text, instead of black text.  

Not encoding a property value of a Label control with HTML poses the risk of a cross-site scripting (XSS) attack.

Explanation

You can enable or disable Label formatting by specifying a Dynamic System Setting (DSS) or by validating pxTextInput to prevent the insertion of HTML tags at all, but this requires some custom configuration.

Environments

The problem was reported in the following on-premises environments:

  • Pega Platform™ version 8.3.6
  • Pega Platform version 8.4.4
  • Pega Platform version 8.5.3
  • Pega Platform version 8.6
  • Pega Platform version 8.7.4

Solutions

This issue was resolved in Pega Platform versions 8.4.4, 8.5.3, and 8.6 and later releases.

Before you begin: Read Mitigating common security vulnerabilities.

Best practice

If you are using a Pega Platform version prior to Pega 8.8, update your deployment. See Keeping current with Pega.

Go to the Pega Support Center Pega Platform Resolved Issues and search for the following items with the title Cross-site scripting protection update:

Resolved Issues for Pega Platform 8.4.4 ISSUE-614989 and ISSUE-612993, Cross-site scripting protections have been updated for labels
Resolved Issues for Pega Platform 8.5.3 ISSUE-598902, ISSUE-614990,  ISSUE-612994, ISSUE-620655, Cross-site scripting protections have been updated for labels
Resolved Issues for Pega Platform 8.6 ISSUE-598901, ISSUE-612992, ISSUE-620656, Cross-site scripting protections have been updated for labels

Alternative solution

If you are using Pega Platform version 8.7.4, you can disable Label formatting with HTML by completing the following steps:

  1. Set the DSS:

Owning Ruleset: Pega-UIEngine
Setting Purpose: pyPreventXSSInLabel
Value: true

  1. Save the record.
  2. Resave the affected sections.

Related content

Pega Documentation

Mitigating common security vulnerabilities

About the bulk Revalidate and Save tool

Using the Revalidate and Save tool

Pega Support Documents

Supported Content Security Policy (CSP) for Traditional UI and Constellation UI

Rich Text Editor issues caused by DOMPurifier filters for security

25Aug2023 This Support Document was requested by SDR-A71.
25Aug2023 Published only to work around the Drupal Save > Draft bug. Future Edit > Publish sessions bypassing Save > Draft will be needed. Watch for Approved - Published revision note.
01Sept2023 Checking to see if Save > Draft saves changes. No, this Moderator Note was not saved. Therefore, I am re-Publishing this SDoc until bug CC-1390 is fixed.
13Sept2023 SDR-A71 is resolved and this Support Document is officially published.
To see attachments, please log in.
Pega Platform 8.7.4
Pega Platform 8.6
Pega Platform 8.5.3
Pega Platform 8.4.4
Pega Platform 8.3.6
Pega Platform
Pega Platform
User Experience
Troubleshooting

Did you find this content helpful?
Yes
No

  • Reply
Posted: 5 months ago
Updated: 5 months ago
Posted: 13 Sep 2024 10:46 EDT
Updated: 16 Sep 2024 7:54 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@FilippoCasari 8.7.6 was the final patch delivered 29 Sep 2023 and is in  extended support therefore it is no longer receiving  patches

Pega Infinity Patch Calendar

Please update to the latest version to receive the most up-to-date Cross-site scripting protection.

Understanding and avoiding cross-site scripting

Filtering HTML and XML outputs

To see attachments, please log in.

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice