BadCSSChars ACO parameter is not working when parameter value contains a single quote character (')

book

Article ID: 7145

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

We have noticed a Web Agent was not properly applying the BadCSSChars ACO parameter to override the default character set for CSS files, and we weren't seeing any error or warning in the logs. After checking the current ACO settings, we noticed we have introduced a single quote character by mistake:

badcsschars='<,>,%22

Why is this happening? How could we add a single quote if we need it?

Cause

By default, the BadCSSChar ACO parameter supports <,>,' set of characters, and this parameter does not interpret the single quotation mark (') if it is entered as an ASCII character.

Environment

Web Agent R12.52 SP1 CR02

Resolution

To include the singleĀ quotation mark as a bad cross-site scripting character, enter the hexadecimal equivalent of the ASCII character, which is %27.

Additional Information

Help to prevent attachs - BadCSSChar ACO parameter