Clarity: HTML special character is converted to its corresponding HTML code

Article Id: 141735

Status: Published

Updated On: 19-03-2020 09:32

Products:

Clarity PPM On Premise , Clarity PPM SaaS

Issue/Introduction:

HTML special character is converted to its corresponding HTML code on Save.

This can be reproduced on many fields on many objects.

STEPS TO REPRODUCE:

1. Go to Risks page.
2. Create a new Risk or edit an existing.
3. In Description field type in "PPM can't go live with new version --> Paper reporting required".
4. Click Save.

Expected Result: Value stays as "PPM can't go live with new version --> Paper reporting required"
Actual Result: Value changes to "PPM can't go live with new version --> Paper reporting required"

Cause:

This has been reported as Defect DE52267

Environment:

Clarity PPM 15.x

Resolution:

SE (Sustaining Engineering) has determined this is not a defect. This is intended as per the current design.

Clarity has a protection against XSS protection, hence in order to mitigate the same it converts HTML Character to HTML Code.
We only allow the comment tag ("-->") in case of a gel script.

Running the below query will list out all the XSS patterns and clarity does a pattern match and converts the HTML character to HTML code.

Select * from CMN_OPTION_VALUES where OPTION_ID = (select ID from CMN_OPTIONS where OPTION_CODE = 'CMN.XSS.PATTERNS')