Clarity: HTML special character is converted to its corresponding HTML code

Article ID: 141735

Products: Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

HTML special character is converted to its corresponding HTML code on Save.

This can be reproduced on many fields on many objects.


STEPS TO REPRODUCE: 

1. Go to Risks page.
2. Create a new Risk or edit an existing one.
3. In Description field type in "PPM can't go live with new version --> Paper reporting required".
4. Click Save.

Expected Result: Value stays as "PPM can't go live with new version --> Paper reporting required"
Actual Result: Value changes to "PPM can't go live with new version --> Paper reporting required"

Cause

This has been reported as Defect DE52267

Environment

Clarity PPM 15.x

Resolution

SE (Sustaining Engineering) has determined that this is not a defect; the behaviour is intended as per the current design.

Clarity has built-in protection against XSS (cross-site scripting). To mitigate it, Clarity converts HTML special characters to their HTML codes (entities) when a value is saved.
The comment tag ("-->") is only allowed inside a GEL script.

Running the query below lists all the XSS patterns. Clarity pattern-matches saved values against this list and, on a match, converts the HTML special characters to their HTML codes.

SELECT * FROM CMN_OPTION_VALUES WHERE OPTION_ID = (SELECT ID FROM CMN_OPTIONS WHERE OPTION_CODE = 'CMN.XSS.PATTERNS')
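The following Python script is an added illustration of the mechanism described in the resolution (pattern match first, then convert HTML special characters to HTML codes, with the comment tag tolerated only in a GEL script). It is not Clarity's code, and the pattern list is a constructed placeholder standing in for whatever CMN.XSS.PATTERNS actually contains. It also shows why the stored value is still correct from the user's point of view: a browser decodes the HTML codes back to the original text, while the stored form contains no raw markup characters that could be parsed as HTML.

```python
import html
import re

# Constructed placeholder patterns. They stand in for a product's stored
# XSS-pattern list and are NOT the real CMN.XSS.PATTERNS option values.
COMMENT_TAG_PATTERN = r"-->"
SAMPLE_XSS_PATTERNS = [
    r"<\s*script",          # opening <script> tag
    r"<\s*/?\s*\w+[^>]*>",  # any other HTML tag
    r"javascript\s*:",      # javascript: URLs
    r"\bon\w+\s*=",         # inline event handlers such as onerror=
    COMMENT_TAG_PATTERN,    # closing comment tag, the page's example
]


def first_matching_pattern(value, patterns=SAMPLE_XSS_PATTERNS):
    """Return the first XSS pattern that matches value, or None if none does."""
    for pattern in patterns:
        if re.search(pattern, value, re.IGNORECASE):
            return pattern
    return None


def encode_if_risky(value, is_gel_script=False, patterns=SAMPLE_XSS_PATTERNS):
    """Pattern-match the value; on a match, convert HTML special characters to HTML codes.

    The comment-tag pattern is skipped for GEL scripts, modelling the page's
    statement that "-->" is only allowed there (an assumption about how the
    exemption works, not Clarity's actual logic).
    """
    active = [p for p in patterns if not (is_gel_script and p == COMMENT_TAG_PATTERN)]
    if first_matching_pattern(value, active) is None:
        return value
    # html.escape(quote=True) maps & < > " ' to &amp; &lt; &gt; &quot; &#x27;
    return html.escape(value, quote=True)


def displayed_text(stored_value):
    """What a browser renders for the stored value: the HTML codes decode back to text."""
    return html.unescape(stored_value)


def contains_raw_markup(stored_value):
    """True if the stored value still holds characters a browser could parse as a tag."""
    return "<" in stored_value or ">" in stored_value


if __name__ == "__main__":
    # The Description value from the reproduction steps above
    description = "PPM can't go live with new version --> Paper reporting required"
    stored = encode_if_risky(description)
    print("matched pattern :", first_matching_pattern(description))
    print("stored value    :", stored)
    print("rendered value  :", displayed_text(stored))
    print("raw markup left :", contains_raw_markup(stored))
    print("as GEL script   :", encode_if_risky(description, is_gel_script=True))
```

Run it directly to see the Risk description from the steps above stored as `PPM can&#x27;t go live with new version --&gt; Paper reporting required`, rendered back unchanged, and left untouched when flagged as a GEL script. The design point is that encoding on save is a storage-side defence: it removes the markup characters from the persisted value, so every later consumer that renders the field without its own output encoding is still protected.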