Contributed by Mateusz Pyzik
Your application uses a Label control to display a text property (pxTextInput) whose value contains HTML tags. The Label renders the tags as formatting instead of displaying the value as plain text.
A Label that renders a property value without HTML-encoding it is exposed to cross-site scripting (XSS): anyone who can set the property value can inject markup, including script, into the page of every user who views the Label.
You can disable Label formatting with a Dynamic System Setting (DSS), or validate pxTextInput so that HTML tags cannot be entered at all, but either approach requires custom configuration.
The problem was reported in the following on-premises environments:
- Pega Platform™ version 8.3.6
- Pega Platform version 8.4.4
- Pega Platform version 8.5.3
- Pega Platform version 8.6
- Pega Platform version 8.7.4
This issue was resolved in Pega Platform versions 8.4.4, 8.5.3, and 8.6 and later releases.
If you are using a Pega Platform version prior to Pega 8.8, update your deployment. See Keeping current with Pega.
Go to the Pega Support Center Pega Platform Resolved Issues and search for the following items with the title Cross-site scripting protection update:
- Resolved Issues for Pega Platform 8.4.4: ISSUE-614989 and ISSUE-612993, Cross-site scripting protections have been updated for labels
- Resolved Issues for Pega Platform 8.5.3: ISSUE-598902, ISSUE-614990, ISSUE-612994, and ISSUE-620655, Cross-site scripting protections have been updated for labels
- Resolved Issues for Pega Platform 8.6: ISSUE-598901, ISSUE-612992, and ISSUE-620656, Cross-site scripting protections have been updated for labels
If you are using Pega Platform version 8.7.4, you can disable HTML formatting in Label controls by completing the following steps:
- Set the DSS:
  Owning Ruleset: Pega-UIEngine
  Setting Purpose: pyPreventXSSInLabel
- Save the record.
- Resave the affected sections so that they pick up the new setting.