Skip to main content

Table of Contents

Security guidelines for custom HTML


Only available versions of this content are shown in the dropdown

As a best practice, do not include custom HTML in your application because it is not autogenerated. If you need to use custom HTML, ensure that you take precautions to protect your application from hackers.

The following guidelines can help you minimize the security vulnerabilities in the custom HTML that you create:

  • Use the SafeURL function to generate Pega Platform request URLs in custom JavaScript.

    For more information, see URL JavaServer Page tag.

  • Minimize or remove hidden properties (type=hidden), because these properties are common targets for malicious users.

  • Remove comments or other sensitive information so that users cannot see them. Use <%... instead of <!... to tag comments so that users do not receive comment text.

  • For custom Pega JavaServer Page tags, either omit the mode attribute or set mode=normal.

  • Minimize custom buttons because their URL construction can bypass filtering for potentially hazardous characters.

  • Minimize the use of mode=literal, because the text that it references does not filter potentially hazardous characters.

  • Minimize custom Java steps in activities, especially those that call Parse XML rules, to prevent possible XML injection.

  • Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection.

  • When using parameters in a JavaServer Page tag or Pega Platform reference tag, use the StringUtils.crossScriptingFilter method.

  • If you are using the inline Microsoft Word editing feature, be aware that it downloads Microsoft Word documents to the user desktop without notification.

  • When deploying a Pega Web Mashup application, consider configuring your deployment as a web node, and use the activity allow list feature to enhance security.

    For more information, see Creating cases from a web mashup.

  • Use strong authentication for Web Mashup users. Do not hardcode credentials in your web mashup gadget.

  • Define Web Mashup security by specifying trusted origins that can use and communicate with the Web Mashup gadget.

    For more information, see Securing your application for mashup communication.

  • Consider securing your application by using the Access Group setting Rule security mode that locks down access to specific features in your application.

    For more information, see Adding custom tools to Access Manager.

  • Consider implementing the when condition pyAllowDoUIAction to further lock down actions that the DoUIAction activity provides.

    For more information, see When form - Completing the Conditions tab.

Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us