SmPostPreserve encoding

Document ID : KB000015589
Last Modified Date : 14/02/2018
Question:

SiteMinder's POST preservation functionality allows a user's POST data to be stored in case they are redirected for authentication in response to a POST request. This is done by placing the POST data into a variable called SmPostPreserve. Is this SmPostPreserve value encoded or encrypted, and if so, will the value ever contain the following characters?

<,>,&,'," 

Environment:
All supported releases of SiteMinder/Single Sign-On
Answer:

The SmPostPreserve value is both encrypted and Base64 encoded. Because the Base64 alphabet contains only the characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=, the XSS characters listed in the question (<,>,&,',") would never be part of the SmPostPreserve value.
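
The alphabet guarantee above applies to values as they are generated. As an added example (not SiteMinder code), the check below shows how a component that receives an SmPostPreserve field in a request could enforce the same alphabet before writing the value into HTML. The function names are hypothetical and the sample values are constructed, with random bytes standing in for the encrypted POST data.

```python
import base64
import os
import re

# Base64 alphabet as listed in the answer above; '=' is allowed only as
# trailing padding (at most two characters).
_B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")
XSS_CHARS = set("<>&'\"")


def is_strict_base64(value: str) -> bool:
    """Return True only if value is non-empty, padded Base64 text."""
    if not value or len(value) % 4 != 0:
        return False
    # fullmatch rejects any character outside the alphabet, including a
    # trailing newline or whitespace.
    if _B64_RE.fullmatch(value) is None:
        return False
    try:
        # validate=True makes the decoder raise on non-alphabet input
        # instead of silently discarding it.
        base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return True


def encoded_output_has_xss_chars(blob: bytes) -> bool:
    """Base64-encode blob and report whether < > & ' or " appears."""
    encoded = base64.b64encode(blob).decode("ascii")
    return bool(XSS_CHARS & set(encoded))


# Constructed samples: 48 random bytes stand in for the encrypted POST data.
SAMPLE_OK = base64.b64encode(os.urandom(48)).decode("ascii")
# The same value with markup characters spliced in, as a modified request
# parameter might carry.
SAMPLE_TAMPERED = SAMPLE_OK[:8] + '"><b>' + SAMPLE_OK[8:]

if __name__ == "__main__":
    print("generated value accepted:", is_strict_base64(SAMPLE_OK))
    print("tampered value accepted: ", is_strict_base64(SAMPLE_TAMPERED))
    # Every possible byte value, encoded, still stays inside the alphabet.
    print("XSS chars in encoding:   ",
          encoded_output_has_xss_chars(bytes(range(256))))
```

Note that `+`, `/` and `=` are part of the alphabet, so the value still needs URL encoding if it is carried in a query string or a form-encoded body.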