Option to restrict specific HTML patterns as input data in CA PPM

Document ID : KB000006130
Last Modified Date : 14/02/2018
Issue:

CA PPM already prevents cross-site scripting (XSS) attacks by providing options to validate user input against a set of XSS string patterns.

Some customers also want to validate user input against specific HTML patterns, so that certain HTML tags such as <a> (anchor tag) are restricted as input values or as parameter values in URLs.

 

When input validation is performed against the set of HTML patterns and a match is found, the input values are escaped. Escaping the characters instructs the browser to ignore the HTML tags in the input values and treat them as text instead. This helps ensure that the user input returned to the browser is plain text rather than active HTML.

Environment:
CA PPM 15.1
Cause:

This is tracked as bugs CLRT-81758 and CLRT-81759, which are fixed in 15.1 Patch 4 and 15.2.

Resolution:

 

This HTML pattern detection is turned OFF by default and must be turned ON, if needed, by using the option RESTRICT.APP.HTML.

To change the RESTRICT.APP.HTML option, update the CMN_OPTION_VALUES database table using the following SQL statement:

update cmn_option_values set value='true' where option_id = (select id from cmn_options where option_code='RESTRICT.APP.HTML')

Once the above query has been run, either clear the systemOptions cache from the System Caches page at <HOSTNAME>/niku/nu#action:security.caches or restart the CA PPM App Server.

 

Further HTML patterns can be added by using the option CMN.HTML.PATTERNS.

The following example statements add the new pattern <img> to the CMN.HTML.PATTERNS option:

Oracle:

CMN_OPTION_VALUES_INS_SP('CMN.HTML.PATTERNS','true','true','<img[^>]*src[\s]*=[^>]*>',1);

MSSQL:

 

EXEC CMN_OPTION_VALUES_INS_SP 'CMN.HTML.PATTERNS','true','true','<img[^>]*src[\s]*=[^>]*>',1
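
Before inserting a pattern into CMN.HTML.PATTERNS, it is worth checking what it does and does not match. The following is an added example, not CA PPM code: it runs the <img> pattern above over constructed sample values and escapes any value that matches. The function names, the use of html.escape on the whole value, and the case-sensitivity switch are assumptions, since this page does not document how the product applies its patterns.

```python
import html
import re

# Pattern taken from the CMN.HTML.PATTERNS example in this article.
IMG_PATTERN = r"<img[^>]*src[\s]*=[^>]*>"

def compile_patterns(patterns, ignore_case=False):
    # Assumption: the product's matcher case sensitivity is not stated on this page,
    # so both modes can be tried here.
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in patterns]

def sanitize(value, compiled):
    """Escape the whole value if any pattern matches; otherwise return it unchanged."""
    if any(rx.search(value) for rx in compiled):
        return html.escape(value, quote=True)
    return value

def check_pattern(patterns, samples, ignore_case=False):
    """Return the sample values whose outcome differs from the expected one."""
    compiled = compile_patterns(patterns, ignore_case)
    surprises = []
    for text, should_escape in samples:
        was_escaped = sanitize(text, compiled) != text
        if was_escaped != should_escape:
            surprises.append(text)
    return surprises

# Constructed sample inputs: (value, should it be escaped?)
SAMPLES = [
    ('Status report <img src="http://example.invalid/a.png">', True),
    ('<img alt="logo" src = "a.png">', True),
    ('<IMG SRC="a.png">', True),
    ('Budget is < 100 and img src = unknown', False),
    ('Plain project description', False),
]

if __name__ == "__main__":
    for label, ic in (("case-sensitive", False), ("case-insensitive", True)):
        result = check_pattern([IMG_PATTERN], SAMPLES, ic)
        print(label, "->", result or "all samples behaved as expected")
    print(sanitize(SAMPLES[0][0], compile_patterns([IMG_PATTERN])))
```

A sample listed as a surprise means the pattern needs adjusting, or the matching mode needs confirming on a test system, before the pattern is relied on in production.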

 

Additional Information:

Note: Any existing links that are already injected should be manually deleted, since the solution only prevents any new injections.