Troubleshooting: Errors when classic URLs are not replaced by SafeURLs
For example, the Add button on some Customer Process Manager (CPM) landing pages does not work as expected because of the unexpected context change from the Landing Page Thread context to the Developer Thread context. The problem was reported for the following CPM landing pages: Interaction Tasks, Interaction Driver, Interaction Types, Service Types, and Service Accelerator.
Retaining classic style URLs and not using SafeURLs can trigger errors such as the following:
@baseclass.harnessname cannot be loaded
Internet Explorer cannot display the webpage.
The second example error occurs when you try to open a modal window.
Introduced in PRPC 5.3 SP1, SafeURL is a UI class that is extended from Hashtable. Safe URL provides functions to assemble, encode, and return URLs and Query strings. SafeURL allows you construct URLs by component, adding the activity and, if needed, the parameters individually. Using SafeURL when constructing HTTP query strings and URLs ensures that they are constructed properly.
To avoid security vulnerabilities, the best practice is to construct every URL using the SafeURL object.
For basic use, when an activity has no parameters, it’s enough to pass the activity class name and the activity name in the constructor as a string separated by dot (.).
If an activity accepts parameters, they are added using the put() method. After that, a SafeURL object might be converted to a string representation using the toURL() method.
For example, calling the ShowView activity takes three parameters.
Refer to the following frequently used SafeURL APIs in the safeURL.js rule on your PRPC system.
function SafeURL(ActivityName, reqURI)
This function creates a SafeURL object.
SafeURL.prototype.nullify = function()
This method nullifies the SafeURL object to avoid memory leaks when the value contains object references.
SafeURL.prototype.toURL = function()
This function converts the object into a string of key, value pairs (including the pyActivity or pyStream), each separated by an ampersand (&) that is used in URL concatenation and returns the encoded result.
Follow these guidelines and examples to make sure SafeURL enables obfuscation and prevents errors when Thread context changes. SafeURL needs to replace instances of URL construction using classic style.
Replace any occurrence of URL construction that is classic style with SafeURL.
/* classic style; string url */
String oURL = <span class="comment-text">"?pyActivity=CPM-Landing-CPMInteractions-IDTasks.CPMLPShowAddIntentTaskForm"</span>;
window.open(oURL,null, [window parameters]);
/* change to use SafeURL */
var oSafeURL = <strong>new</strong> SafeURL(<span class="comment-text">"CPM-Landing-CPMInteractions-IDTasks.CPMLPShowAddIntentTaskForm"</span>);
window.open(oSafeURL.toURL(), null, [window parameters]);
Nullify the SafeURL object after its use to avoid memory leaks when the value contains object references.
window.open(oSafeURL.toURL, <span class="comment-text">"YourWindowName"</span> [,window parameters]);
Alternatively, use the desktop wrapper pega.u.d.openUrlInWindow in place of window.open.
openUrlInWindow(oSafeURL.toURL,<span class="comment-text">"YourWindowName"</span> [,window parameters]);
Similarly, verify all occurrences where URL is used (for example, window.open and pega.util.Connect.asyncRequest) and change them to SafeURL if classic style is used.
Convert any occurrences where string url is received as a function parameter to a SafeURL using