Previous Topic: WebLogic ASA Agent Search for Groups Fails (145340)Next Topic: POST Preservation Data Security Vulnerablity (144792)

Release NotesWeb Agent Release NotesDefects Fixedr12.0.3.09 Agents for IIS with ARR in Classic Pipeline Mode not Prompting for Credentials (154054)XSS and BadCSSChars (144850)

XSS and BadCSSChars (144850)

Symptom:

XSS is not blocked if the BadCSSChars string is multiple characters and one character has multiple encodings.

Solution:

This is no longer an issue. The decoded URL is now compared against multiple character strings specified in BadCSSChars to block XSS.

STAR Issue: 20405501-1