Using 'FCCHTMLEncodingChars' to mitigate XSS attacks using " or %22
search cancel

Using 'FCCHTMLEncodingChars' to mitigate XSS attacks using " or %22


Article ID: 273074


Updated On:




Most cross-site scripting  (XSS) attacks can be mitigated by populating the appropriate value in one of the CSS Checking Agent Configuration Object (ACO) parameters.

CSSChecking: Enables/Disables CSSChecking.  When enabled the web agent rejects requests with the following characters:

  • Left and right angle brackets (< >)
  • Single quote  (')

BadCssChars: Overrides the default cross-site scripting character set (above) with the characters of your choice. Include the entire string of characters that you want. For example, include '\' to avoid Java script attacks.

BadQueryChars: Specifies characters that the Web Agent prohibits in the query string portion (following the '?') in a URL.

BadFormChars: Specifies the characters that the Web Agent blocks before using them as output on a form. If enabled and if the agent name part of the URL has one or more characters that are specified in this parameter

BadUrlChars: Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.


CSSChecking:      [yes|no]
BadCssChars:      <,>,',;,),(,&,+,%00
BadQueryChars   <,>,',;,),(,&,+,%00
#BadFormChars   <,>,&,%22
BadUrlChars:        //,./,/.,/*,*.,~,\,%00-%1f,<,>,',;,),(,&,+,%7f



COMPONENTS: Web Agent; Access Gateway



Siteminder is configured to only reject the following by default:

CSSChecking = yes

    • Left and right angle brackets (< >)
    • Single quote  (')


It is left to the Siteminder Administrator to harden the environment in the manner that best meets the needs of their organization.  This is done because the characters used in various applications varies from environment to environment.  Each organization will need to determine what it needs to allow and what it needs to block.



Set the following in the Agent Configuration Object (ACO):

FCCHTMLEncoding = no
FCCHTMLEncodingChars = %22,%26,%27,%3c,%3e,%5c


Additional Information