Replace double quotes in Workflow architect URL

Idea created by Ziad ElMolla Employee on Jun 12, 2020
    Proposed
    Score: 10
    • Anil Allaparthi
    • Hrishikesh Pandey

    When trying to access the workflow architect to edit any of the workflows, some of the GET requests issued to the server contain multiple uses of double quotes (%22) (").

    Example:
    https://<Host_name>:<port>/aveksaWFArchitect/lists/pickLists/?_dc=1591974739613&filter=%7B%22requestedLists%22%3A%5B%22alert%22%2C%22busCal%22%2C%22cat%22%2C%22completionCode%22%2C%22defaultResourceScript%22%2C%22formAct%22%2C%22formJob%22%2C%22group%22%2C%22holCal%22%2C%22mail%22%2C%22milestone%22%2C%22prior%22%2C%22proc%22%2C%22schema%22%2C%22script%22%2C%22scriptAction%22%2C%22scriptAlertCheck%22%2C%22scriptAlertEvalDate%22%2C%22scriptAlertResolution%22%2C%22scriptCheck%22%2C%22scriptCompletionCode%22%2C%22scriptGroupEnum%22%2C%22scriptGroupResc%22%2C%22scriptJobCompletionCode%22%2C%22scriptMilestone%22%2C%22scriptNodeDelayCondition%22%2C%22scriptNodeDelayDate%22%2C%22scriptNodeSyntaxCheck%22%2C%22scriptPrior%22%2C%22scriptProcessSyntaxCheck%22%2C%22scriptRescEnum%22%2C%22scriptRescDesc%22%2C%22scriptRescSelect%22%2C%22scriptSplitCount%22%2C%22scriptTranSelect%22%2C%22scriptUserDefined%22%2C%22scriptWorkQuery%22%2C%22tranTemplate%22%2C%22webService%22%5D%7D

     

    Some web application firewalls identify this as a cross-site scripting attack and block these requests, as they identify "%22" as a bad URL character.

    So as to get the workflow architect to work, "%22" has to be removed from the bad URL chars listing, which poses a higher security risk.

    It would be better to stop the usage of "%22" in the request URL.
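
An added example, not part of the original post and not the product's own code: rather than removing "%22" from a WAF's bad-character list globally, a scoped exception can allow quotes only when the `filter` parameter on this one path decodes to the JSON shape seen in the example URL. The function name, the host `iam.example.test`, the name pattern and the length limit are assumptions made for illustration.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Path taken from the example URL in the post.
PICKLIST_PATH = "/aveksaWFArchitect/lists/pickLists/"
# Assumption: list names are plain ASCII letters, as in the post's example.
NAME_RE = re.compile(r"[A-Za-z]{1,64}")
MAX_NAMES = 100  # assumed upper bound on requested lists


def picklist_filter_is_benign(url: str) -> bool:
    """True only if the request matches the expected pick-list shape."""
    parts = urlsplit(url)
    if parts.path != PICKLIST_PATH:
        return False  # the exception applies to this one endpoint only
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) - {"_dc", "filter"}:
        return False  # no other parameter may ride along on the exception
    values = params.get("filter", [])
    if len(values) != 1:
        return False  # missing or duplicated filter parameter
    try:
        doc = json.loads(values[0])  # parse_qs already percent-decoded it
    except (ValueError, RecursionError):
        return False
    if not isinstance(doc, dict) or set(doc) != {"requestedLists"}:
        return False
    names = doc["requestedLists"]
    if not isinstance(names, list) or not 0 < len(names) <= MAX_NAMES:
        return False
    return all(isinstance(n, str) and NAME_RE.fullmatch(n) for n in names)


# Constructed sample requests (host name is a placeholder).
BASE = "https://iam.example.test:8443" + PICKLIST_PATH + "?_dc=1591974739613&filter="
GOOD = BASE + quote('{"requestedLists":["alert","busCal","cat"]}', safe="")
BAD = BASE + quote('{"requestedLists":["alert\\"><x"]}', safe="")

if __name__ == "__main__":
    for label, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, picklist_filter_is_benign(url))
```

Requests that fail the check fall back to the WAF's normal rules, so "%22" stays blocked everywhere else.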