When attachments are added to tickets in Service Desk Manager, users can insert JavaScript into the attachment URL and/or name, which causes XSS issues.
This knowledge article discusses what Service Desk Manager administrators can do to prevent this kind of XSS issue.
Service Desk Manager 17.3 and higher
1. Open the web.cfg file in SDM-install-directory\bopcfg\www and set the following two entries:
Windows_SecureValidator.AttmntFileName ^[^\/\\\:\*\?\"\<\>\|]+$
SecureParameter.SET.ATTMNT_NAME AttmntFileName
Save the file.
2. If you don't already have a detail_in.htmpl file in SDM-install-directory\site\mods\www\htmpl\web\employee, copy detail_in.htmpl from SDM-install-directory\bopcfg\www\htmpl\web\employee to SDM-install-directory\site\mods\www\htmpl\web\employee.
Edit detail_in.htmpl in SDM-install-directory\site\mods\www\htmpl\web\employee.
Change
document.writeln("</TD>");
document.write("<TD CLASS=detailro ALIGN=left VALIGN=top TITLE=$list1.description>");
document.write(nx_unescape('<PDM_FMT JUSTIFY=TRUNCATE WIDTH=40 ESC_STYLE=JS2>$list1.description</PDM_FMT>'));
document.writeln("</TD>");
to
document.writeln("</TD>");
document.write("<TD CLASS=detailro ALIGN=left VALIGN=top TITLE="+nx_html_encode('$list1.description')+">");
document.write(nx_unescape("<PDM_FMT JUSTIFY=TRUNCATE WIDTH=40 ESC_STYLE=JS2>"+nx_html_encode('$list1.description')+"</PDM_FMT>"));
document.writeln("</TD>");
(This is around line 834.) Save the file.
3. Restart Service Desk.
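The two controls above work at different points: step 1 rejects attachment names on input, and step 2 encodes the description when it is written to the page. The following is an added example, not code from the product or from this article, that runs the AttmntFileName pattern from step 1 over constructed sample names and shows the encoded form of each. The names isAllowedAttachmentName and htmlEncode are hypothetical, and htmlEncode is only a stand-in for nx_html_encode, whose implementation is not shown here.

```javascript
// Pattern copied verbatim from the AttmntFileName validator line in web.cfg (step 1).
const ATTMNT_FILE_NAME = new RegExp(String.raw`^[^\/\\\:\*\?\"\<\>\|]+$`);

// Hypothetical helper: true when the validator pattern would accept the name.
function isAllowedAttachmentName(name) {
  return typeof name === "string" && ATTMNT_FILE_NAME.test(name);
}

// Hypothetical stand-in for output encoding such as nx_html_encode() (step 2).
// Assumption: the product's real function is not reproduced here.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample names, not taken from any real ticket.
const samples = [
  "quarterly-report.pdf",
  "screenshot (2).png",
  "O'Brien resume.doc",
  "notes<b>.txt",
  'log"file.txt',
  "a|b.csv",
  "",
];

// Pair each name with the validator verdict and its encoded form.
function classify(names) {
  return names.map((n) => ({
    name: n,
    allowed: isAllowedAttachmentName(n),
    encoded: htmlEncode(n),
  }));
}

for (const r of classify(samples)) {
  const verdict = r.allowed ? "ACCEPT" : "REJECT";
  console.log(`${verdict}  ${JSON.stringify(r.name)}  ->  ${r.encoded}`);
}
```

Names that pass the validator can still contain characters such as the apostrophe, which is why values are also encoded when they are written into the page.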