LinkedIn
Copied!

Table of Contents

PublicAPI methods for XSS filtering

Output filtering involves replacing sensitive characters in the source HTML code such as angle brackets (< and >), single and double quotation marks, ampersands, and others by the equivalent HTML character entities, such as &lt; for < or &apos; for ' an apostrophe. If the source text is legitimate, output filtering does not prevent correct HTML rendering by the browser.

Use these two Java methods to provide output filtering:

  • StringUtils.crossScriptingFilter(aValue) – Filters the contents of aValue and returns a filtered (encoded) version. Available in PRPC 5.3 SP1 and later versions.
  • StringUtils.reversibleCrossScriptingFilter(aValue) – Filters the contents of aValue and reverse-filters the value in the server if the same value is resubmitted in subsequent requests. This method ensures that the friendly user’s intent is preserved.

Use reversibleCrossScripting() when the internal clipboard value is not to be modified, but the value sent to the browser is to be filtered. For example, if an application user needs to search a customer master file for a customer named Molly O'Brian, the SQL statement (on the server) needs to process using the apostrophe (single quotation mark) character ('), but the browser display uses the HTML entity &apos; or an equivalent. In this case, a separate escape mechanism for SQL also applies, converting the name O'Brian to O\'Brian.

The following examples are portions of manually created stream rules that are modified to filter a value using these two PublicAPI functions in an inline Java scriptlet.

Example 1

Incorrect

<%tools.appendString(tools.getActiveValue()); %>

Correct

<%tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue()));%>

or

<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue()));%>

Example 2

Incorrect

<%tools.appendString(tools.getSaveValue("savename”)); %>

Correct

<pega:reference name=$save(savename) />

or

<%tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename”))); %>

or

<%tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename”))); %>

Example 3

Incorrect

 <%tools.appendString(tools.getParamValue("paramname")); %>

Correct

<pega:reference name=param.paramname/>

or

<%tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>

or

<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.