Posted: 18 Mar 2021 22:04 EDT Last activity: 27 Mar 2021 15:28 EDT
% sign gets scrambled as % with getRuleMessage
"%" sign gets scrambled as "%" when you use @getRuleMessage RUF. In this post, I am sharing how to fix the issue.
Here is how to reproduce the error.
1. Create a Message rule that takes a Text parameter.
2. Pass the "%" sign to the Message rule via the @getRuleMessage RUF. You can use Log-Message, Page-Set-Message, or any other method to print it.
3. "%" sign is automatically converted into "%" as below.
This is the side effect of encoding some of the characters in the HTTP request to avoid Cross-site Scripting (XSS) attacks. pzpega_tools_security.js does this part.
How to fix it
This issue will be fixed in a future release. If you are using an old version prior to the fixed release, you can still make a local change by either of the two means below. Either approach is fine. The difference is that approach (2) doesn't do cross-script filtering. Cross-script filtering was added to getRuleMessage because it is called in the out-of-the-box activity during login. If you are planning to use it externally, use approach (1), as it is more secure. Also note that FormatMessage needs the Message rule to be @baseclass, while getRuleMessage can process a Message rule of any class.
(1) Put the message into a parameter and use the restoreFilteredString API to decode it.
@KenshoTsuchihashi - I tried using @getRuleMessage(tools,"TestMessg\t"+"%") in my V851, and I see the value is coming through properly; I didn't see "%" in place of %. Here is the sample Parameter value set done. I'm not sure whether this issue is addressed from V85 and above, or maybe I am missing something here?