Option to restrict specific HTML patterns as input data in CA PPM

book

Article ID: 6130

calendar_today

Updated On:

Products

CLARITY PPM FOR ITG CLARITY PPM FEDERAL Clarity PPM SaaS - Application Clarity PPM On Premise

Issue/Introduction

CA PPM already prevents cross site scripting(XSS) attacks by providing options to validate user input where the input is validated against a set of XSS string patterns.

Some customers would want to also validate the user input against specific HTML patterns so that certain HTML tags like <a> (anchor tag) are restricted as input values or parameter values in URLs.

 

When input validation is performed against the set of HTML patterns and if a match is found the input values are escaped. Escaping the characters instructs the browser to ignore the HTML tags in the input values and instead be treated as text. This action helps ensure that the user input that is returned to the browser is plain text instead of active HTML. 

Cause

This is a bug CLRT-81758 and CLRT-81759 and fixed in 15.1 Patch 4 and 15.2 

Environment

CA PPM 15.1

Resolution

 

This HTML pattern detection is turned OFF by default and will have to be turned ON if needed by using the option RESTRICT.APP.HTML

To change the RESTRICT.APP.HTML option, update the CMN_OPTION_VALUES database table using the following SQL statement

update cmn_option_values set value='true' where option_id = (select id from cmn_options where option_code='RESTRICT.APP.HTML')

Once the above query is run the systemOptions cache (highlighted in below image) needs to be cleared from the System Caches page at <HOSTNAME>/niku/nu#action:security.caches or the CA PPM App Server needs to be restarted. 

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AK5iAAG" alt="1.png" width="900" height="246">

 

Also further HTML patterns can be added by using the option CMN.HTML.PATTERNS

The following example statements add the new pattern <img> to the CMN.HTML.PATTERNS option:

Oracle:

CMN_OPTION_VALUES_INS_SP('CMN.HTML.PATTERNS','true','true',' <img[^>]*src[\s]*=[^>]*>',1); 

MSSQL:

 

EXEC CMN_OPTION_VALUES_INS_SP 'CMN.HTML.PATTERNS','true','true','<img[^>]*src[\s]*=[^>]*>',1

 

Additional Information

Note: Any existing links that are already injected should be manually deleted, since the solution only prevents any new injections. 

Attachments

1558707828418000006130_sktwi1f5rjvs16qu2.png get_app