On the New Interface, for any String or Large String - Plain Text attribute, if the entered text contains keywords such as "Alert()" or "-->", invalid characters are shown after saving. For example, when a line break follows the keyword "Alert()", the value is displayed as "Alert(test) \n\n" in the attribute.
For Large String - Rich Text attributes, such keywords ("Alert()" or "-->") are correctly rejected by the XSS validation pattern match check.
STEPS TO REPRODUCE:
1. Create a Custom Investment from Clarity Studio >> Objects with the following attributes: String, Large String - Plain Text and Large String - Rich Text. API-enable them.
2. On the New Interface, open this Custom Investment and, in the String and Large String - Plain Text fields respectively, type or paste text such as the following example:
This is a test .......Alert(test)
.....test is ongoing
3. Repeat the same test on the Large String - Rich Text field.
Expected Results:
The text should be saved as entered and displayed accordingly.
Actual Results:
The text is displayed with additional characters; for example, in place of the new line, "\n" is visible.
Example: Referencing Large String - Plain Text & String based attributes:
Example: Referencing Large String - Rich Text based attributes:
Clarity PPM 16.2.1, 16.2.0, 16.1.3 and all valid Clarity versions
DE78968
After review, this issue is considered working as designed. In this scenario the string under review contains the text "Alert(Test)", which is treated as a script. For String and Large String - Plain Text attributes, the backend security controller encodes the submitted text and escapes the backslash ('\') and quotes, as designed. For Large String - Rich Text, the text is validated against the XSS validation pattern match check, hence the XSS Validation error shown on the New Interface.
As a workaround, ensure that the data does not contain the restricted text or characters described above.
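To illustrate the two behaviours described above, here is an added Python model (not Clarity's code; the keyword pattern, escaping rules and function names are assumptions) showing how store-time escaping turns a pasted line break into a visible "\n" in a plain-text field, while the rich-text path rejects the same input outright:

```python
import html
import re

# Assumed script-keyword pattern built from the keywords the article names
# ("Alert(" and "-->"); not the product's actual rule.
SCRIPT_PATTERN = re.compile(r"alert\s*\(|-->", re.IGNORECASE)

# Constructed input matching the reproduction text in the article.
SAMPLE = "This is a test .......Alert(test)\n.....test is ongoing"


def looks_like_script(text: str) -> bool:
    """True when the text matches the assumed script-keyword pattern."""
    return SCRIPT_PATTERN.search(text) is not None


def plain_text_store(text: str) -> str:
    """Model of store-time escaping (String / Plain Text path).

    When the text looks like a script, backslashes, quotes and line breaks
    are escaped before storage, so the stored value differs from the input
    and a raw display shows a literal backslash-n where the line break was.
    """
    if not looks_like_script(text):
        return text
    return (text.replace("\\", "\\\\")
                .replace('"', '\\"')
                .replace("'", "\\'")
                .replace("\n", "\\n"))


def rich_text_store(text: str) -> str:
    """Model of validate-and-reject (Rich Text path): refuse the save."""
    if looks_like_script(text):
        raise ValueError("XSS validation error")
    return text


def rich_text_rejected(text: str) -> bool:
    """Convenience check: does the rich-text path reject this text?"""
    try:
        rich_text_store(text)
    except ValueError:
        return True
    return False


def render(stored: str) -> str:
    """HTML-encode the stored value at display time; whatever was written
    to storage (including an escaped \\n) is shown as-is."""
    return html.escape(stored, quote=True)
```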