Skip to main content
Contact a Moderator

Question

10
Replies
3550
Views
 praveen byrraju (praveenb227)
Cognizant
Lead System Architect
Cognizant
BE
praveenb227 Member since 2012 1 post
Cognizant
Posted: March 22, 2017
Last activity: May 11, 2017
Posted: 22 Mar 2017 13:34 EDT
Last activity: 11 May 2017 3:22 EDT
Closed
Solved

Using "mode=literal" can expose the system to cross site scripting attacks - use with caution.

Hi All,

i have imported XSD in pega 7.2.2 version for one of our requirement through Connector and Metadata wizard.

System automatically created parse rules and XML stream rules. For all the XML stream rules we have got severe warnings "Using "mode=literal" can expose the system to cross site scripting attacks - use with caution."

when i check mapping i did not see any mode mentioned as literal all the modes mentioned as standard. but when i check XML source mode mentioned as "literal".

Pega 7.2.2:

<pega:r n=".CompanyName" m="literal"/>

In 6.3 if mapping mode is "Standard" in the XML source mode mapped as "normal".

<ns1:Notes><pega:reference name=".Notes" mode="normal"/>

I can see a difference in automated generate XML.is this some product issue in pega 7.2.2.

we have justified warning in development environemt. will it causes any security issues in production level.

Thanks.

Data Integration Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 4 years ago
Posted: 23 Mar 2017 7:52 EDT
Shanthini Charles (Shanthini_Charles)
PEGA
Principal Technical Solutions Engineer
Pegasystems Inc.
IN

Hello Praveen,


Yes this is a bug in PRPC 7.2.2 version and an effort is made to work on these changes to be reverted by the product team.


The reason behind making the mode to literal was when using any special characters such as ' or + symbol in the XML stream it gets encoded to their ascii values inorder to retain its actual values modified it to literal mode. 


However on the node you can specify the mode to be Normal which would not result in any warnings.


As these are warnings and extra care must be taken to ensure that this area is secure from outside access or interference


Regards,


Shanthini Charles

Accepted Solution

Posted: 4 years ago
Posted: 23 Mar 2017 8:17 EDT
Umamaheshwar Reddy Midthuru (Mahesh Midthuru)
PEGA
Senior Software Solutions Engineer
Pegasystems Inc.
US

Hi Praveen,


Adding to the Shantini explanation the change from mode=literal to normal in XML stream for v7.2.2 is delivered via. HotFix-33128 and you can raise an SR with GCS team for this change.


Right now the status of this HotFix is delivered to end user and not yet confirmed by the end user.


Hope this information might be helpful to you.


Regards


Mahesh
Posted: 4 years ago
Posted: 23 Mar 2017 8:49 EDT
Lochana Durgada Vijayakumar (Lochan_DV)
MOD
Lead Technical Documentation Specialist
Pegasystems Inc.
IN

Hi Praveen,


Let us know if you do log an SR for this and its ID. That way we can track it and follow-up this discussion with the resolution.


Thank you!
Posted: 4 years ago
Posted: 11 May 2017 3:22 EDT
Lochana Durgada Vijayakumar (Lochan_DV)
MOD
Lead Technical Documentation Specialist
Pegasystems Inc.
IN

Hello,


HFix-33128 was generated for Pega 7.2.2


Here's the related Support Article: XML Stream: Mode getting converted from normal to literal


You could raise an SR to check if this HFix can be modified to be used for Pega 7.2.1. Do let us know the SR number here if you open one with Pega Support.


Thank you,

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice