
SmPostPreserve encoding


Article ID: 15589


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



SiteMinder's POST preservation functionality stores a user's POST data when they are redirected for authentication in response to a POST request. The POST data is placed into a variable called SmPostPreserve. Is this SmPostPreserve value encoded or encrypted, and if so, will the value ever contain the following characters?

<,>,&,'," 

Environment

All supported releases of SiteMinder/Single Sign On

Resolution

The SmPostPreserve value is both encrypted and Base64 encoded. Because the Base64 character set consists only of ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=, the XSS characters listed in the question (<,>,&,',") will never be part of the SmPostPreserve value.
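
As an added example (not part of the original article and not CA/Broadcom code), the Python check below enforces the property stated above on a received field value: only the listed Base64 characters, well-formed padding, and none of the five characters from the question. The function name and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Base64 alphabet as listed in the article; '=' may appear only as trailing padding.
B64_VALUE = re.compile(r"[A-Za-z0-9+/]*={0,2}")
# The five characters asked about in the question.
HTML_SPECIAL = set("<>&'\"")


def check_smpostpreserve(value: str) -> tuple:
    """Return (ok, reason) for a candidate SmPostPreserve field value.

    Hypothetical helper: it checks the encoding layer only and does not
    attempt to decrypt or interpret the bytes underneath.
    """
    if not value:
        return False, "empty"
    bad = sorted(HTML_SPECIAL.intersection(value))
    if bad:
        return False, "html-special characters: " + "".join(bad)
    if not B64_VALUE.fullmatch(value):
        return False, "character outside the Base64 alphabet or misplaced padding"
    if len(value) % 4 != 0:
        return False, "length is not a multiple of 4"
    try:
        # validate=True makes the decoder reject any non-alphabet byte.
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False, "not decodable as Base64"
    return True, "ok"


# Constructed sample: 48 arbitrary bytes standing in for the encrypted blob.
SAMPLE_OK = base64.b64encode(bytes(range(200, 248))).decode("ascii")

if __name__ == "__main__":
    candidates = [
        SAMPLE_OK,                      # well-formed value
        SAMPLE_OK[:-4] + '"><b',        # tampered: markup characters appended
        SAMPLE_OK.replace("+", " "),    # '+' turned into a space in transit
        SAMPLE_OK[:-1],                 # truncated value
    ]
    for c in candidates:
        print(check_smpostpreserve(c), repr(c[:24]))
```
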