search cancel

BadCSSChars ACO parameter is not working when parameter value contains a single quote character (')


Article ID: 7145


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We have noticed a Web Agent was not properly applying the BadCSSChars ACO parameter to override the default character set for CSS files, and we weren't seeing any error or warning in the logs. After checking the current ACO settings, we noticed we have introduced a single quote character by mistake:


Why is this happening? How could we add a single quote if we need it?


Web Agent R12.52 SP1 CR02


By default, the BadCSSChar ACO parameter supports <,>,' set of characters, and this parameter does not interpret the single quotation mark (') if it is entered as an ASCII character.


To include the singleĀ quotation mark as a bad cross-site scripting character, enter the hexadecimal equivalent of the ASCII character, which is %27.

Additional Information

Help to prevent attachs - BadCSSChar ACO parameter