This content has been archived and is no longer being maintained.

Table of Contents

Article

Troubleshooting: Errors when classic URLs are not replaced by SafeURLs

Summary

PRPC 6.2 SP2 introduced performance improvements to the RedirectAndRun activity and the SafeURLJavaScript Package, maintaining the state of Thread context. These changes affect landing pages, particularly those affected by an upgrade to PRPC 6.2 SP2 or later releases. Wherever you create new Threads, for example, opening a portal or starting an interaction, using classic style URLs instead of using SafeURL for obfuscation, you get errors after switching context to the new Thread. You can experience the errors when upgrading to PRPC 6.2 SP2 or later releases or when installing PRPC 6.2 SP2 or later releases for the first time.

Scenario

For example, the Add button on some Customer Process Manager (CPM) landing pages does not work as expected because of the unexpected context change from the Landing Page Thread context to the Developer Thread context. The problem was reported for the following CPM landing pages: Interaction Tasks, Interaction Driver, Interaction Types, Service Types, and Service Accelerator.

Errors

Retaining classic style URLs and not using SafeURLs can trigger errors such as the following:

@baseclass.harnessname cannot be loaded

Internet Explorer cannot display the webpage.

The second example error occurs when you try to open a modal window.

Explanation

Introduced in PRPC 5.3 SP1, SafeURL is a UI class that is extended from Hashtable. Safe URL provides functions to assemble, encode, and return URLs and Query strings. SafeURL allows you construct URLs by component, adding the activity and, if needed, the parameters individually. Using SafeURL when constructing HTTP query strings and URLs ensures that they are constructed properly.

To avoid security vulnerabilities, the best practice is to construct every URL using the SafeURL object.

For basic use, when an activity has no parameters, it’s enough to pass the activity class name and the activity name in the constructor as a string separated by dot (.).

If an activity accepts parameters, they are added using the put() method. After that, a SafeURL object might be converted to a string representation using the toURL() method.

For example, calling the ShowView activity takes three parameters.

var oSafeURL = <strong>new</strong> SafeURL(<span class="comment-text">"Rule-Obj-ListView.ShowView"</span>);
oSafeURL.put(<span class="comment-text">"ViewClass", "PegaCA-Work"</span>);
oSafeURL.put(<span class="comment-text">"ViewPurpose","CAMyRecentWork"</span>);
oSafeURL.put(<span class="comment-text">"pyAction","Refresh"</span>);

Refer to the following frequently used SafeURL APIs in the safeURL.js rule on your PRPC system.

function SafeURL(ActivityName, reqURI)
This function creates a SafeURL object.

SafeURL.prototype.nullify = function()
This method nullifies the SafeURL object to avoid memory leaks when the value contains object references.

SafeURL.prototype.toURL = function()
This function converts the object into a string of key, value pairs (including the pyActivity or pyStream), each separated by an ampersand (&) that is used in URL concatenation and returns the encoded result.

Suggested Approach

Follow these guidelines and examples to make sure SafeURL enables obfuscation and prevents errors when Thread context changes. SafeURL needs to replace instances of URL construction using classic style.

Replace any occurrence of URL construction that is classic style with SafeURL.

/* classic style; string url */

String oURL = <span class="comment-text">"?pyActivity=CPM-Landing-CPMInteractions-IDTasks.CPMLPShowAddIntentTaskForm"</span>;

window.open(oURL,null, [window parameters]);

/* change to use SafeURL */

var oSafeURL = <strong>new</strong> SafeURL(<span class="comment-text">"CPM-Landing-CPMInteractions-IDTasks.CPMLPShowAddIntentTaskForm"</span>);

window.open(oSafeURL.toURL(), null, [window parameters]);

Nullify the SafeURL object after its use to avoid memory leaks when the value contains object references.

oSafeURL.nullify();

window.open(oSafeURL.toURL, <span class="comment-text">"YourWindowName"</span> [,window parameters]);

Alternatively, use the desktop wrapper pega.u.d.openUrlInWindow in place of window.open. 

openUrlInWindow(oSafeURL.toURL,<span class="comment-text">"YourWindowName"</span> [,window parameters]);

window.open() does not require you to specify the window name. However, you must specify a window name for openUrlInWindow; otherwise, a JavaScript error is thrown.

Similarly, verify all occurrences where URL is used (for example, window.open and pega.util.Connect.asyncRequest) and change them to SafeURL if classic style is used.

Convert any occurrences where string url is received as a function parameter to a SafeURL using SafeURL createFromURL(urlparams).toURL();.

Additional Information

URL obfuscation - definition

url JavaServer Page tag

Published May 8, 2014 — Updated October 2, 2015

Have a question? Get answers now.

Visit the Pega Support Community to ask questions, engage in discussions, and help others.