
Choose from the alphabetic list below to learn about a method. See also Finding methods by function.

The Call, Branch, Collect, Java, Queue, and Rule operations are technically "instructions", not methods. For information on these instructions, see:

| Instruction | Topic |
| --- | --- |
| BRANCH | Branching to another activity |
| CALL | Calling another activity |
| COLLECT | Begin execution of a collection rule |
| FLOW-NEW | Start a flow execution |
| JAVA | Using Java in an activity step |
| QUEUE | Execute another activity asynchronously |
| RULE | Using the Rule instruction to implement a custom rule type |

A

| Method | Description |
| --- | --- |
| Activity-Clear-Status | Reset the method status from the previous method. |
| Activity-End | End the current activity and calling activities. |
| Activity-List-Add | Add an activity to an internal dispatch list. |
| Activity-Set-Status | Set a return value. |
| Apply-DataTransform | Update property values based on a data transform rule. |
| Apply-Parse-Delimited | Execute a Parse Delimited rule in an activity. |
| Apply-Parse-Structured | Execute a Parse Structured rule in an activity. |
| Apply-Parse-XML | Execute a Parse XML rule in an activity. |
| Assert-No-Invocation | Exclude this activity from invocation counting for license compliance. |

C

| Method | Description |
| --- | --- |
| Commit | Commit all database changes in the Thread. |
| Connect-dotNet | Start a connector to a Web service based on the Microsoft .NET framework. |
| Connect-EJB | Start a connector to an external Enterprise JavaBean. |
| Connect-File | Start a connector to write to a file. |
| Connect-FTP | Copy a file from one location to another using File Transfer Protocol. |
| Connect-HTTP | Start a connector to an external system using HTTP. |
| Connect-Java | Start a connector to call an external Java class or JavaBean. |
| Connect-JCA | Start a connector to an external system through a JCA resource adapter. |
| Connect-JMS | Start a connector to an external system using the Java Message Service application programmer interface. |
| Connect-MQ | Start a connector for a WebSphere MQ connection. |
| Connect-SOAP | Start a connector to invoke a Web service. |
| Connect-Wait | Block (pause) for a time interval to synchronize with a child requestor. |

EFHLM

| Method | Description |
| --- | --- |
| End-Validate | End compilation of referencing rules, for a custom rule type. |
| Exit-Activity | End the current activity. |
| Flow-End | End a flow execution. |
| Flow-New | Start a new flow execution. |
| History-Add | Record your changes to work items or activities. |
| History-List | List instances of a class. |
| Link-Objects | Link objects together. |
| Log-Message | Add a message to the Pega log. |
| Map-Structured | Parse or assemble a fixed format data structure. |

O

| Method | Description |
| --- | --- |
| Obj-Browse | Search through and select instances of a class based on tests of values of exposed columns. |
| Obj-Delete | Delete an instance from the database, or mark it for later deletion with the Commit method. |
| Obj-Delete-By-Handle | Delete an instance from the database (or mark it for later deletion) using the handle. |
| Obj-Filter | Remove embedded pages of a Code-Pega-List results page that fail to meet criteria specified in a when condition rule. |
| Obj-List | Search through instances of a class and extract selected properties. |
| Obj-List-View | Execute the retrieval and sorting operations of a list view rule, but with no formatting or HTML display. |
| Obj-Open | Open an instance stored in the PegaRULES database or in certain cases an external database. |
| Obj-Open-by-Handle | Open an instance using a permanent unique key. |
| Obj-Refresh-and-Lock | Open an instance and acquire a lock. |
| Obj-Save | Save page data to the database, or mark it for saving (commit) later. |
| Obj-Save-Cancel | Reverse a previous Obj-Save or Obj-Delete method, not yet committed to the database. |
| Obj-Set-Tickets | Set or reset tickets, interrupting the normal sequential processing of a flow. |
| Obj-Sort | Sort the values of a property of mode Page List. |
| Obj-Validate | Run a Validate rule on a set of properties, typically representing user input. |
P

| Method | Description |
| --- | --- |
| Page-Change-Class | Change the class of a page. |
| Page-Clear-Messages | Remove page messages from the step page. |
| Page-Copy | Copy contents of one page to another page. |
| Page-Merge-Into | Merge two or more pages into one page. |
| Page-New | Create a page. |
| Page-Remove | Delete a page from the clipboard. |
| Page-Rename | Rename a page or name a primary page. |
| Page-Set-Messages | Associate a message with a page. |
| Page-Unlock | Release a lock held after Commit. |
| Page-Validate | Validates all properties on a page. |
| Parse-Byte-Pos | Used only in Parse Structured rules. |
| Parse-Char-Pos | Used only in Parse Structured rules. |
| Parse-Fixed-Binary | Used only in Parse Structured rules. |
| Parse-Packed-Decimal | Used only in Parse Structured rules. |
| Privilege-Check | Determine whether a user or requestor has a specified privilege. |
| Property-Map-DecisionTable | Evaluate a decision table rule and assign the result to a property. |
| Property-Map-DecisionTree | Evaluate a decision tree rule and assign the result to a property. |
| Property-Map-Value | Set the value of a property based on a one-dimensional map value rule. |
| Property-Map-ValuePair | Set the value of a property based on a two-dimensional map value rule. |
| Property-Ref | Link reference properties with non-reference properties. |
| Property-Remove | Delete a property from a page. |
| Property-Seek-Value | Use backward chaining to obtain a value. |
| Property-Set | Set the value of one or more specified properties. |
| Property-Set-Corr | Save the contents of a correspondence stream as the value of a property. |
| Property-Set-HTML | Save the contents of an HTML stream as the value of a property. |
| Property-Set-Messages | Associate a literal text message with a property or a step page. |
| Property-Set-Stream | Save the contents of a JSP, XML, or HTML stream as the value of a property. |
| Property-Set-XML | Save the contents of an XML stream as the value of a property. |
| Property-Validate | Apply an edit validate rule to test user input. |
QR

| Method | Description |
| --- | --- |
| Queue-for-Agent | Enqueue a System-Queue- derived clipboard page into the system queue for background processing. |
| RDB-Delete | Delete an instance from a relational database. |
| RDB-List | Retrieve rows from an external relational database. |
| RDB-Open | Open an instance from an external relational database. |
| RDB-Save | Save the contents of a clipboard page to a relational database. |
| Requestor-Stop | Stop processing of the requestor. |
| Rollback | Cancel any uncommitted database save operations. |


STW

| Method | Description |
| --- | --- |
| Show-HTML | Assemble and send an HTML page to a user's browser. |
| Show-Page | Send an XML representation of a page to the browser. |
| Show-Property | Send a single property value to the browser. |
| Show-Stream | Apply stream processing to a JSP, HTML, correspondence, or XML Stream rule. |
| Start-Validate | Compile referencing rules for a custom rule type. |
| StringBuffer-Append | Manipulate string buffer containing local variables. |
| StringBuffer-Insert | Manipulate string buffer containing local variables. |
| StringBuffer-Reset | Manipulate string buffer containing local variables. |
| TaskStatus-Set | Convey results of activity processing to a calling flow. |
| Text-Infer | Evaluate a parse infer rule. |
| Text-Normalize | Evaluate a parse normalize rule. |
| Thread-Clear | Clear the thread page. |
| Wait | Pause a Thread for a specified time interval. |

Best Practice 2: Filter all inputs


Filter and validate input data as thoroughly as possible, including inputs submitted from browser forms, inputs from service requests (such as email), and inputs from connector responses. Prevent invalid data from entering a work object or a work object attachment. Use the following features to validate individual values:

Strong types: For Single Value, Value List and Value Group properties, select the Property Type carefully. Use Integer, Double, Decimal, DateTime, Date, TimeofDay, and TrueFalse when appropriate (rather than Text, Password or Identifier). Special characters that are common in JavaScript code, such as quotes, can never appear in a numeric, date or time value, but may legitimately appear in a Text, Password, or Identifier value.

White lists: Several features let you constrain a property value to one of a fixed list or pattern of values, including the property table edits (Local List, Field Values, Class Key values) on the General tab in V5.5+ or the Table Edit tab in earlier releases.

Restrictions: Complete the Max Length field for Text, Password or Identifier fields. For example, it is difficult to fit a malicious JavaScript program into a small number of characters.

Not declarative: Select the Cannot be a Declarative Target check box if applicable. (This is a weak measure, but helpful, since a declarative expression could assemble JavaScript source code.)

Special properties: Select the Cannot be included as an input field check box if the property is always computed from other values. (This also is a weak measure, but helpful.)

Validation: Identify an edit input rule and an edit validate rule when possible. Don't accept angle brackets, quotes, ampersand, or other special characters in fields unless necessary for a sound business reason. For example, the standard validation rule isLetterorDigit limits values to hold only letters and digits. (On the V5.5 Property form, Max Length and validation fields appear on the Advanced tab.)
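The property-level checks listed above (strong type, fixed list of values, Max Length, letters-and-digits validation) act as one ordered filter on each submitted value. The Java program below is an added example, not Pega code and not part of the original page; `FieldSpec`, `reject` and the sample fields are hypothetical stand-ins for the Property form settings, and it needs Java 16 or later for records.

```java
import java.util.Set;

// Added illustration: FieldSpec and reject() are hypothetical, not Pega APIs.
public class InputFilterDemo {
    enum Type { INTEGER, TEXT }

    record FieldSpec(String name, Type type, int maxLength,
                     Set<String> allowList, boolean lettersOrDigitsOnly) {}

    // Returns null when the value passes every check, else the rejection reason.
    static String reject(FieldSpec spec, String value) {
        if (value == null) return "missing value";
        if (spec.type() == Type.INTEGER) {                    // strong type
            try { Integer.parseInt(value.trim()); return null; }
            catch (NumberFormatException e) { return "not an integer"; }
        }
        if (spec.maxLength() > 0 && value.length() > spec.maxLength())
            return "longer than " + spec.maxLength() + " characters";    // Max Length
        if (spec.allowList() != null && !spec.allowList().contains(value))
            return "not in the allowed list";                            // white list
        if (spec.lettersOrDigitsOnly()
                && !value.codePoints().allMatch(Character::isLetterOrDigit))
            return "contains characters other than letters and digits";  // validation
        return null;
    }

    public static void main(String[] args) {
        FieldSpec qty = new FieldSpec("Quantity", Type.INTEGER, 0, null, false);
        FieldSpec state = new FieldSpec("State", Type.TEXT, 2,
                Set.of("MA", "NY", "CA"), true);
        FieldSpec account = new FieldSpec("AccountID", Type.TEXT, 12, null, true);

        // Constructed sample submissions: {field, submitted value}
        Object[][] samples = {
            {qty, "42"}, {qty, "42<script>"},
            {state, "MA"}, {state, "Massachusetts"}, {state, "ZZ"},
            {account, "AB12345"}, {account, "AB<b>12"},
        };
        for (Object[] s : samples) {
            FieldSpec spec = (FieldSpec) s[0];
            String value = (String) s[1];
            String reason = reject(spec, value);
            System.out.printf("%-10s %-15s %s%n", spec.name(), value,
                    reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

The numeric field rejects the script fragment on type alone, while the Text fields depend on the length, list and character checks, which is why the page asks for a strong type wherever one fits.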

Use map value rules, validation rules, and constraints rules to validate inputs.

To test arriving email attachments or other file attachments for software viruses and malicious JavaScripts, override the extension point activity Data-WorkAttachFile.CallVirusCheck with an activity that calls your third-party virus software. Your activity can call a Java class or (on a Microsoft Windows server) a Dynamic Link Library routine. Ensure that files uploaded from application user workstations, and text files processed by a file listener, are virus-checked.

Input filtering is worthwhile even if an application has 100% coverage of output filtering for the HTML that the application sends to a browser. Applications often send output that could contain a malicious JavaScript function, such as an HTML-rendered email message, to other systems rather than to a browser. Infecting another system, which may belong to another department, to a customer, or to a supplier, is a security failure no less serious than infecting an application user.

Do not disable this security feature. Avoid use of the URL JSP tag in handcrafted stream rules. If you must use a URL tag, call the Safe URL JavaScript functions to obfuscate the URL query string.

Examples
Below are portions of hand-crafted stream rules that are modified to filter a value using these two PublicAPI functions in an inline Java scriptlet:

Incorrect
<% tools.appendString(tools.getActiveValue()); %>

Correct
<% tools.appendString(StringUtils.crossScriptingFilter(tools.getActiveValue())); %>

or
<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getActiveValue())); %>

Incorrect
<% tools.appendString(tools.getSaveValue("savename")); %>

Correct
<pega:reference name="$save(savename)" />

or
<% tools.appendString(StringUtils.crossScriptingFilter(tools.getSaveValue("savename"))); %>

or
<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getSaveValue("savename"))); %>

Incorrect
<% tools.appendString(tools.getParamValue("paramname")); %>

Correct
<pega:reference name="param.paramname" />

or
<% tools.appendString(StringUtils.crossScriptingFilter(tools.getParamValue("paramname"))); %>

or
<% tools.appendString(StringUtils.reversibleCrossScriptingFilter(tools.getParamValue("paramname"))); %>
