Question
Using "mode=literal" can expose the system to cross site scripting attacks - use with caution.
Hi All,
I have imported an XSD in Pega 7.2.2 for one of our requirements through the Connector and Metadata wizard.
The system automatically created parse rules and XML stream rules. For all the XML stream rules we have got severe warnings: "Using "mode=literal" can expose the system to cross site scripting attacks - use with caution."
When I check the mapping, I do not see any mode mentioned as literal; all the modes are mentioned as Standard. But when I check the XML source, the mode is mentioned as "literal".
Pega 7.2.2:
<pega:r n=".CompanyName" m="literal"/>
In 6.3, if the mapping mode is "Standard", the mode in the XML source is mapped as "normal".
<ns1:Notes><pega:reference name=".Notes" mode="normal"/>
I can see a difference in the automatically generated XML. Is this some product issue in Pega 7.2.2?
We have justified the warning in the development environment. Will it cause any security issues at the production level?
Thanks.
Hello Praveen,
Yes, this is a bug in PRPC 7.2.2, and an effort is being made by the product team to revert these changes.
The reason behind changing the mode to literal was that when using any special characters such as ' or + in the XML stream, they get encoded to their ASCII values; in order to retain their actual values, the mode was modified to literal.
However, on the node you can specify the mode to be Normal, which would not result in any warnings.
As these are warnings, extra care must be taken to ensure that this area is secure from outside access or interference.
Regards,
Shanthini Charles
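To make the difference between the two modes concrete, here is an added example that is not part of this thread and not Pega's code. It models "normal" as standard XML entity escaping and "literal" as writing the value into the stream untouched (an assumption about how the modes behave, based on the explanation above), and it includes a small check that scans generated stream rule source for references still in literal mode. The two sample stream fragments are constructed from the snippets quoted in the question.

```python
import re
from xml.sax.saxutils import escape

# Constructed samples modelled on the two generated fragments quoted in the thread.
SAMPLE_STREAM_722 = '<Company><pega:r n=".CompanyName" m="literal"/></Company>'
SAMPLE_STREAM_63 = '<ns1:Notes><pega:reference name=".Notes" mode="normal"/></ns1:Notes>'

# Matches both the 7.2.2 short form (<pega:r n=".." m="..">) and the
# 6.3 long form (<pega:reference name=".." mode="..">).
REF_PATTERN = re.compile(
    r'<pega:(?:r|reference)\s+(?:n|name)="(?P<prop>[^"]+)"\s+(?:m|mode)="(?P<mode>[^"]+)"'
)


def find_literal_references(xml_source):
    """Return the property names that a stream rule would emit in literal mode.

    Use this as a review check over generated XML stream rule source: every
    property listed here is written into the output without encoding.
    """
    return [
        m.group("prop")
        for m in REF_PATTERN.finditer(xml_source)
        if m.group("mode") == "literal"
    ]


def render_reference(value, mode):
    """Model (assumption, not Pega's implementation) of how a property value
    reaches the XML stream under each mode.

    normal  -> characters with XML meaning become entities, so a value cannot
               change the structure of the document it is embedded in.
    literal -> the value is copied byte-for-byte; any markup inside it becomes
               part of the document, which is what the warning is about.
    """
    if mode == "literal":
        return value
    if mode == "normal":
        # escape() handles & < > ; quotes are added so attribute values are safe too.
        return escape(value, {'"': "&quot;", "'": "&#39;"})
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    print("literal references in 7.2.2 sample:", find_literal_references(SAMPLE_STREAM_722))
    print("literal references in 6.3 sample:  ", find_literal_references(SAMPLE_STREAM_63))
    untrusted = "O'Neil & Co <b>Ltd</b>"
    for mode in ("normal", "literal"):
        print(f"{mode:8}: {render_reference(untrusted, mode)}")
```

Running it shows the 7.2.2 fragment reporting `.CompanyName` as a literal reference while the 6.3 fragment reports none, and the same input value surviving with its `<b>` tags intact in literal mode but entity-encoded in normal mode. The trade-off the answer describes is visible in the "normal" output: the apostrophe becomes `&#39;`, which is exactly the encoding the 7.2.2 change was trying to avoid.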