Question
Using "mode=literal" can expose the system to cross site scripting attacks - use with caution.
Hi All,
i have imported XSD in pega 7.2.2 version for one of our requirement through Connector and Metadata wizard.
System automatically created parse rules and XML stream rules. For all the XML stream rules we have got severe warnings "Using "mode=literal" can expose the system to cross site scripting attacks - use with caution."
when i check mapping i did not see any mode mentioned as literal all the modes mentioned as standard. but when i check XML source mode mentioned as "literal".
Pega 7.2.2:
<pega:r n=".CompanyName" m="literal"/>
In 6.3 if mapping mode is "Standard" in the XML source mode mapped as "normal".
<ns1:Notes><pega:reference name=".Notes" mode="normal"/>
I can see a difference in automated generate XML.is this some product issue in pega 7.2.2.
we have justified warning in development environemt. will it causes any security issues in production level.
Thanks.
Thanks Charles,
really useful information.
Is this Hotfix applicable for PRPC 7.2.1? same warning is show in PRPC 7.2.1
Hi Praveen,
Adding to the Shantini explanation the change from mode=literal to normal in XML stream for v7.2.2 is delivered via. HotFix-33128 and you can raise an SR with GCS team for this change.
Right now the status of this HotFix is delivered to end user and not yet confirmed by the end user.
Hope this information might be helpful to you.
Regards
Mahesh
Thanks Mahesh.
Hi Praveen,
Let us know if you do log an SR for this and its ID. That way we can track it and follow-up this discussion with the resolution.
Thank you!
Sure Lochan,
I will raise an SR and update you on the same.
Hi,
we have installed HotFix-33128 for the same issue. Now issue resolved.
is this Hfix for 7.2.2 version? As we are getting same warning in Pega 7.2.1.
Hello,
HFix-33128 was generated for Pega 7.2.2
Here's the related Support Article: XML Stream: Mode getting converted from normal to literal
You could raise an SR to check if this HFix can be modified to be used for Pega 7.2.1. Do let us know the SR number here if you open one with Pega Support.
Thank you,
Hello Praveen,
Yes this is a bug in PRPC 7.2.2 version and an effort is made to work on these changes to be reverted by the product team.
The reason behind making the mode to literal was when using any special characters such as ' or + symbol in the XML stream it gets encoded to their ascii values inorder to retain its actual values modified it to literal mode.
However on the node you can specify the mode to be Normal which would not result in any warnings.
As these are warnings and extra care must be taken to ensure that this area is secure from outside access or interference
Regards,
Shanthini Charles