Why are < > and ' BadCSSchars by default?

Document ID : KB000011135
Last Modified Date : 14/02/2018
Question:

Why are < > and ' the BadCSS default?

Environment:
r12.0 and above
Answer:

< > and ' are the characters that represent key script syntax in JavaScript. They are the elements that are essential for a cross-site scripting (CSS) attack to succeed. Papers on CSS warn about other characters as well, but some of those characters have legitimate purposes in some applications, so we do not want to include more by default.
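
The trade-off described above, as an added example (not CA's code and not the Web Agent's actual matching logic): a small denylist check run over constructed URLs, first with the three default characters and then with a wider set. The extended set, the sample URLs and the percent-decoding step are assumptions made for this illustration.

```python
from urllib.parse import unquote

# The three default characters named in this article.
DEFAULT_BAD_CHARS = ("<", ">", "'")
# Assumption: a wider denylist picked for illustration; the article does not list these.
EXTENDED_BAD_CHARS = DEFAULT_BAD_CHARS + ('"', "&", ";", "(", ")")

# Constructed sample request URLs.
SAMPLE_URLS = [
    "/app/search?q=%3Cscript%3Ealert(1)%3C/script%3E",  # markup in a parameter
    "/app/profile?name=O%27Brien",                      # apostrophe in a surname
    "/app/report?year=2018&format=pdf",                 # ordinary query string
    "/app/docs/Release_Notes_(final).pdf",              # parentheses in a file name
]


def bad_chars_in_url(url, bad_chars=DEFAULT_BAD_CHARS, max_decodes=3):
    """Return the sorted denylisted characters found in url.

    The URL is checked raw and again after each round of percent-decoding,
    so %3C and %253C are treated the same as a literal '<'.
    """
    found = set()
    current = url
    for _ in range(max_decodes + 1):
        found.update(c for c in bad_chars if c in current)
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return sorted(found)


def compare(urls):
    """Map each URL to (hits with the default set, hits with the extended set)."""
    return {u: (bad_chars_in_url(u), bad_chars_in_url(u, EXTENDED_BAD_CHARS))
            for u in urls}


if __name__ == "__main__":
    for url, (default_hits, extended_hits) in compare(SAMPLE_URLS).items():
        print(f"{url}\n  default:  {default_hits}\n  extended: {extended_hits}")
```

With the extended set, the ordinary query string and the file name with parentheses are rejected as well, which is the cost of adding characters to the default list.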

For more info, our Web Agent guide points you to:
http://www.cert.org/advisories/CA-2000-02.html

Additional Information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/user-protection-and-tracking/help-prevent-attacks