Hi,
“%” sign gets scrambled as “%” when you use @getRuleMessage RUF. In this post, I am sharing how to fix the issue.
- Issue
Here is how to reproduce the error.
- Create a Message rule that takes Text parameter.
- Pass “%” sign to the Message rule by @getRuleMessage RUF. You can use Log-Message, or Page-Set-Message, or any method to print.
- “%” sign is automatically converted into “%” as below.
- Root cause
This is the side effect of encoding some of the characters in the HTTP request to avoid Cross-site Scripting (XSS) attacks. pzpega_tools_security.js does this part.
| 1 | = | = |
|---|---|---|
| 2 | < | < |
| 3 | > | > |
| 4 | " | \ |
| 5 | ’ | ’ |
| 6 | % | % |
| 7 | ; | ; |
| 8 | ( | ( |
| 9 | ) | ) |
| 10 | + | + |
| 11 | & | & |
- How to fix it
This issue will be fixed in the future release. If you are using an old version prior to the fixed release, you can still perform a local change by other two means below. Either approach is fine. The difference is, (2) approach doesn’t do cross script filtering. Cross script filtering was added to getRuleMessage because it is called in the out-of-the-box activity during log in. If you are planning to use it externally, use (1) approach as it is more secure. Also be noted that FormatMessage needs the Message rule to be @baseclass, while getRuleMessage can process Message rule of any class.
(1) Put the message into a parameter and use restoreFilteredString API to decode it.
String str = tools.getParamValue("Message");
str = com.pega.pegarules.pub.util.StringUtils.restoreFilteredString("{rcsf}"+str);
tools.getParameterPage().putParamValue( "Message", str );
(2) Use @FormatMessage instead of @getRuleMessage.
- Either of above approach prints “%” sign correctly as below.
Thanks,