BadCSSChars ACO parameter is not working when parameter value contains a single quote character (')

Article ID: 7145

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We noticed that a Web Agent was not properly applying the BadCSSChars ACO parameter to override the default character set for CSS files, and we weren't seeing any error or warning in the logs. After checking the current ACO settings, we noticed we had introduced a single quote character by mistake:

badcsschars='<,>,%22

Why is this happening? How could we add a single quote if we need it?

Environment

Web Agent R12.52 SP1 CR02

Cause

By default, the BadCSSChars ACO parameter supports the character set <, >, and '. However, the parameter does not interpret the single quotation mark (') when it is entered as a literal ASCII character.

Resolution

To include the single quotation mark as a bad cross-site scripting character, enter the hexadecimal equivalent of the ASCII character, which is %27.
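
Because the agent logs no error for this mistake, a check over the ACO settings can catch it. The following is an added example, not part of the original article or any CA tooling: it flags a literal single quote in BadCSSChars and builds a value that uses %27 instead. The `name=value` line format, the sample lines and the function names are assumptions.

```python
"""Audit ACO settings for a literal single quote in BadCSSChars."""

PARAM = "badcsschars"          # compared case-insensitively
QUOTE, ENCODED = "'", "%27"    # literal quote and the form the article prescribes

# Constructed sample input (assumed "name=value" layout, not a real export).
SAMPLE = """\
# constructed sample, not a real export
CSSChecking=YES
badcsschars='<,>,%22
"""


def parse_settings(text):
    """Yield (line_no, name, value) for each 'name=value' line."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        yield no, name.strip(), value.strip()


def audit(text):
    """Return one finding per BadCSSChars value that holds a literal quote."""
    findings = []
    for no, name, value in parse_settings(text):
        if name.lower() != PARAM:
            continue
        # Entries are comma-separated, as in the value shown in the article.
        bad = [entry for entry in value.split(",") if QUOTE in entry]
        if bad:
            findings.append({"line": no, "value": value, "entries": bad})
    return findings


def build_value(entries):
    """Join the intended entries, writing a single quote as %27."""
    return ",".join(ENCODED if entry == QUOTE else entry for entry in entries)


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: literal ' in {f['entries']} ({f['value']})")
    print("corrected:", build_value(["<", ">", "'", "%22"]))
```

The finding only reports the entry that contains the quote; whether the quote was a stray character or an intended entry is for the administrator to decide before applying the rebuilt value.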

Additional Information

Help to prevent attacks - BadCSSChars ACO parameter