Applies to Pega Platform™ version 8.5 and later releases
Symptom
Using Pega Platform 8.5 and later releases, you discover that adding the Rich Text Editor (RTE) -- or rules that use the RTE -- to your Pega applications no longer works as it did in Pega Platform releases prior to Pega Platform 8.5.
Explanation
Pega Platform version 8.5 and later versions include a security patch in the RTE that sanitizes the Document Object Model (DOM) to prevent security vulnerabilities such as Cross-Site Scripting (XSS) attacks. The DOMPurifier filtering happens on the client side, where methods filter scripts, attributes, and tags that can contain XSS inside the iframe for the RTE.
Solution
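If DOM sanitization is not relevant for your application needs and you want to use the RTE as it was in Pega Platform version 8.3, then add the following setting to the User Work Form to stop the DOM sanitization: window.disableDomPurifier = true; With this setting in place, RTE content is no longer filtered for the scripts, attributes, and tags described in the Explanation.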
Scenarios
The following scenarios describe how the problem surfaces in different application development contexts.
- Scenario 1 Format of table in paragraph is distorted
- Scenario 2 Email styling being removed
- Scenario 3 Snippets issues
Scenario 1 Format of table in paragraph is distorted
After updating your Pega environment from Pega Platform version 8.3 to Pega Platform version 8.6.1, you notice that Paragraph rules containing tables are distorted when displayed in the application user interface.
Scenario 1 Steps to Reproduce distorted table format
- Open a Case and navigate to View Dashboard.
- From the three-dot menu, select .
- For Channel, select POST.
- From the drop-down list, select Recipient.
- For Department, select General Advice and Support.
- For Template, select List of Creditors.
The formatting of tables is distorted. Attempting to adjust the CSS and JavaScript (JS) does not resolve the problem.
Scenario 1 Explanation for distorted table format
Pega Platform version 8.5 introduced DOM sanitization (DOMPurifier) for the RTE to prevent security vulnerabilities like XSS attacks. The DOMPurifier logic removes the link tag from inside the iframe for the RTE; this causes table format distortion.
Scenario 1 Suggested Approach for preventing distorted table format
To prevent distorted table formats in your Pega applications from Pega Platform version 8.5 and later, disable the DOMPurifier filter in the HTML fragment for UserWorkForm as shown in the introductory Solution.
Scenario 2 Email Styling being removed
Your business enterprise cannot send email correspondence from Pega applications because the styling of email messages is incorrect after updating to Pega Platform version 8.5 or later releases.
Your Pega application HTML contains styling for outbound email correspondence. When you navigate to the Manage Email Templates tab for the email messages that you are sending and switch to Simple Rich Text Editor, the HTML styling disappears. The HTML elements persist, but the styling markup is removed.
Scenario 2 Steps to Reproduce lost email HTML styling
- Log in to your Pega application as an administrator.
- Navigate to Manage Email Templates.
- Create a new template: Select Pick Email Template and then select template_1newHTML.
- See the UI buttons.
- Switch the mode from templated email to source only.
- See the styling in the HTML.
- Switch the mode from source only to simple rich text editor.
- Now see the UI buttons.
- Click Source and observe the lack of HTML styling.
Scenario 2 Explanation for lost email HTML styling
The styling issue in the RTE occurs because Pega Platform version 8.5 sanitizes RTE tags, such as link and other tags, to prevent security issues like XSS attacks. For read-only RTE, the DOMPurifier filtering happens on the server side, where methods exist to filter scripts, attributes, and tags that can contain XSS.
Scenario 2 Suggested Approach for lost email HTML styling
To prevent the loss of HTML styling in outbound email messages in your Pega applications from Pega Platform version 8.5 and later, disable the DOMPurifier filter in the HTML fragment for UserWorkForm as shown in the introductory Solution.
Scenario 3 Snippets issues
When you create a new article in the Knowledge portal and add custom snippets tags, the body of the snippet does not display; only the snippet title displays. In addition, newly created snippets sporadically do not appear in the drop-down list.
Scenario 3 Steps to Reproduce snippets in Knowledge article not displaying
- Create a new custom snippets tag in an article in the Knowledge portal and publish the article.
- Create or update any content in the RTE and try to add a custom snippets tag.
Notice that two problems occur. First, sometimes the newly created and published snippet does not appear in the drop-down list. Second, only the snippet title is added in the RTE; the snippet content should be in the RTE, not the snippet title.
Scenario 3 Explanation for snippets in Knowledge article not displaying
The root cause of this problem is a defect or configuration issue in the operating environment. The snippets tag does not work because it was filtered out by the DOMPurify sanitization logic. The DOMPurify logic must be disabled or configured to allow specific custom tags.
Scenario 3 Solution for snippets in Knowledge article not displaying
To prevent or resolve the snippets problem in your Pega applications from Pega Platform version 8.5 and later, disable the DOMPurifier filter in the HTML fragment for UserWorkForm as shown in the introductory Solution. You can also modify the DOMPurifier filter code to allow specific Knowledge Management tags.
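The three options named in Scenario 3 (default filtering, allowing a specific tag, disabling the filter) are compared below in an added example that is not Pega or DOMPurify code: a toy allowlist filter in JavaScript run over constructed markup. The km-snippet tag name, the base allowlist, and the sample HTML are assumptions made for the illustration.

```javascript
// Added illustration: a toy allowlist filter, not DOMPurify and not Pega code.
// Tag names, attributes, and the sample markup are constructed for this example.
const BASE_TAGS = ['p', 'b', 'a', 'table', 'tr', 'td'];
const SAFE_ATTRS = new Set(['href', 'class']);

function sanitize(html, { addTags = [], disabled = false } = {}) {
  if (disabled) return html; // models window.disableDomPurifier = true
  const allowed = new Set([...BASE_TAGS, ...addTags]);
  // Script elements are dropped together with their content.
  const noScript = html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
  return noScript.replace(/<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g, (_, slash, raw, rest) => {
    const name = raw.toLowerCase();
    if (!allowed.has(name)) return ''; // tag removed, inner text stays
    if (slash) return `</${name}>`;
    const kept = [];
    for (const [, k, v] of rest.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      const key = k.toLowerCase();
      if (!SAFE_ATTRS.has(key)) continue; // drops onclick and other handlers
      if (key === 'href' && /^\s*javascript:/i.test(v)) continue;
      kept.push(`${key}="${v}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample: stylesheet link, table, hypothetical snippet tag, script.
const SAMPLE =
  '<link rel="stylesheet" href="tables.css">' +
  '<table class="grid"><tr><td onclick="track()">Creditor</td></tr></table>' +
  '<km-snippet class="faq">Reset steps</km-snippet>' +
  '<script>alert(1)</script>';

// Default filter: the link and km-snippet tags are lost.
const byDefault = sanitize(SAMPLE);
// One tag added to the allowlist: snippet kept, script and onclick still removed.
const withSnippet = sanitize(SAMPLE, { addTags: ['km-snippet'] });
// Filter disabled: everything passes through, script included.
const unfiltered = sanitize(SAMPLE, { disabled: true });

console.log(byDefault);
console.log(withSnippet);
console.log(unfiltered === SAMPLE);
```

In the DOMPurify library itself, extra tags are allowed through the ADD_TAGS option of DOMPurify.sanitize; how Pega exposes that option is not described on this page.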