Code Fix: Security improvement form and view parameters values.



Issue Description

After installing K2 5.3 FP 6, form and view parameter values were URL-decoded twice. This caused functional issues, depending on how the forms or views were designed with parameters, and impacted security. In workflows, user tasks did not correctly URL-encode the worklist item URL's parameters if a parameter value contained special characters such as &, / and ?. Certain special characters, such as % and £, were also incorrectly URL-encoded twice.
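The round trip described above can be checked with a small regression test. This is an added example, not K2 code: the URL, the `Title` parameter name and the sample values are constructed, and Python's `urllib.parse` stands in for the product's encoder and decoder.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

BASE = "https://example.test/form"  # constructed URL, not a real K2 endpoint
# Constructed values using the characters named in the issue description.
SAMPLES = ["A&B", "docs/2021", "why?", "100%", "£25", "50%25 off"]


def build_url(params, encode=True):
    """Build a query string; encode=False reproduces the missing-encoding case."""
    enc = (lambda s: quote(s, safe="")) if encode else (lambda s: s)
    return BASE + "?" + "&".join(f"{enc(k)}={enc(v)}" for k, v in params.items())


def read_params(url):
    """Correct reader: split on & and = first, then percent-decode exactly once."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def read_params_double(url):
    """Defect class from the article: a second decode over decoded values."""
    return {k: unquote(v) for k, v in read_params(url).items()}


def changes_on_second_decode(value):
    """Regression check: flag values a second decode pass would alter."""
    return unquote(value) != value


def audit(samples=SAMPLES):
    """Return (value, single_ok, double_ok) for each sample round trip."""
    rows = []
    for v in samples:
        url = build_url({"Title": v})
        rows.append((v, read_params(url)["Title"] == v,
                     read_params_double(url)["Title"] == v))
    return rows


if __name__ == "__main__":
    for row in audit():
        print(row)
    # Without encoding, "A&B" is split into two parameters by the reader.
    print(read_params(build_url({"Title": "A&B"}, encode=False)))
```

A value survives the double decode only when it contains no valid percent escape after the first pass, which is why the defect shows up on some parameter values and not others.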


The fix is available in the following K2 versions:

| K2 4.7 March 2018 Cumulative Update | K2 Five (5.0) September 2018 Cumulative Update | K2 Five (5.1) November 2018 Cumulative Update | K2 Five (5.2) May 2019 Cumulative Update | K2 Five (5.3) |
| --- | --- | --- | --- | --- |
| X | X | X | X | Fix Pack 28 |

    1. Ensure you have the correct K2 version and/or Cumulative Update installed. See KB001893 to see what Fix Pack level you have installed.
    2. Download the latest Fix Pack using the links in the table above for the version you require.
    3. Install the Fix Pack to apply the fix.
    4. It is recommended to refresh the browser cache.


K2 5.3 Fix Pack 6 contained a fix described in, note that after installing Fix Pack 28 your running instances containing the Pound symbol will no longer be decoded correctly. To work around this issue, start a new instance of the workflow to obtain the correct decoding, or contact support for a script that updates all running instances in the K2 Database.


Last update: 05-19-2021 10:50 PM