Filtering all inputs
Prevent invalid data from entering a work object or a work object attachment. Filter and validate input data as thoroughly as possible, including input that is submitted from browser forms, input from service requests (such as email), and input from connector responses. Do not rely on client-side editing, which is in the browser, because a hacker can easily bypass it. Perform validation in your server-side application logic.
Use the following features to validate individual values:
|Allow lists||Several features let you constrain a property value to one of a fixed list or pattern of values, including the property table edits (local list, field values, class key values) on the General tab in Pega Platform 5.5 and later versions, or the Table Edit tab in earlier releases.|
|Special properties||Select the Cannot be included as an input field check box if the property is always computed from other values.|
|Validation||Identify an edit input rule and an edit validate rule when possible. Do not accept angle brackets, quotation marks, ampersands, or other special characters in fields unless necessary for a sound business reason. For example, the standard validation rule LetterorDigit limits values to only letters and digits. On the PRPC 5.5 property form, the Max Length and Validate fields are displayed on the Advanced tab.|
|Use map value rules, validation rules, and constraints rules to validate inputs.|
|Ensure that files that are uploaded from application user workstations and text files processed by a file listener are checked against viruses.|