We have noticed a Web Agent was not properly applying the BadCSSChars ACO parameter to override the default character set for CSS files, and we weren't seeing any error or warning in the logs. After checking the current ACO settings, we noticed we have introduced a single quote character by mistake:
badcsschars='<,>,%22
Why is this happening? How could we add a single quote if we need it?
By default, the BadCSSChar ACO parameter supports <,>,' set of characters, and this parameter does not interpret the single quotation mark (') if it is entered as an ASCII character.
To include the single quotation mark as a bad cross-site scripting character, enter the hexadecimal equivalent of the ASCII character, which is %27.
Help to prevent attacks - BadCSSChar ACO parameter
KD: TEC1958813