When do attachments to tickets in Service Desk Manager, users could insert some js script into the attachment URL and/or name which causes XSS issues.

This knowledge article discusses what Service Desk manager administrators can do to prevent this kind of XSS issues.

Service Desk Manager 17.3 and higher

1. open web.cfg file from SDM-install-directory\bopcfg\www

Windows_SecureValidator.AttmntFileName ^[^\/\\\:\*\?\"\<\>\|]+$ 
SecureParameter.SET.ATTMNT_NAME AttmntFileName 

 save.

2. copy detail_in.htmpl file from SDM-install-directory\bopcfg\www\htmpl\web\employee to SDM-install-directory\site\mods\www\htmpl\web\employee IF you don't have detail_in.htmpl file in SDM-install-directory\site\mods\www\htmpl\web\employee already

edit deatil_in.htmpl in SDM-install-directory\site\mods\www\htmpl\web\employee

change

document.writeln("</TD>");
            document.write("<TD CLASS=detailro ALIGN=left VALIGN=top TITLE=$list1.description>");
            document.write(nx_unescape('<PDM_FMT JUSTIFY=TRUNCATE WIDTH=40 ESC_STYLE=JS2>$list1.description</PDM_FMT>'));
            document.writeln("</TD>");

to

document.writeln("</TD>");
            document.write("<TD CLASS=detailro ALIGN=left VALIGN=top TITLE="+nx_html_encode('$list1.description')+">");
            document.write(nx_unescape("<PDM_FMT JUSTIFY=TRUNCATE WIDTH=40 ESC_STYLE=JS2>"+nx_html_encode('$list1.description')+"</PDM_FMT>"));
            document.writeln("</TD>");

(that is around line 834). save

3. restart Service Desk