
RE: [ic] help pulling info from URL


Barry Treahy, Jr. suppressed wrote:
>
> Shouldn't some effort be made to 'sanitize' the URL content?  With these 
> examples, could not a hacker embed ITL statements, or for that matter 
> even Perl, into one of those positional parameters that would then be 
> evaluated into the Scratch variables?
> 
[scratch somevar] will not be interpolated for Interchange tags or
evaluated as Perl source unless you specifically code something to
perform that action:

    [calc] [scratch run_this_perl] [/calc]

The value of a [scratch] call will be shown on the page, so you might
want to think about sanitising any potential HTML content to avoid
cross-site scripting attacks.  In this particular case, I suspect that
the only person who would be affected would be the attacker himself.

Generally, the split path contents would be used to look up a value
in a table, or to perform some action.  If the value needs to be
displayed then a filter, such as 'encode_entities', will take care of
any HTML lurking in the text.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    suppressed
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
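The two points made above, that a split path parameter is safe to use as a lookup key but must be entity-encoded before it is shown on the page, as an added example. This is not code from the thread or from Interchange; it is written in Python rather than Interchange's Perl, so `html.escape` stands in for the `encode_entities` filter, and the URL prefix, sample URL and category table are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed sample URL (not from the original thread): the second
# positional parameter carries a percent-encoded HTML payload.
SAMPLE_URL = ("http://shop.example/cgi-bin/store/page/widgets/"
              "%3Cscript%3Ealert(1)%3C%2Fscript%3E")

# Constructed table standing in for the database table the split
# path would normally be looked up in.
CATEGORIES = {"widgets": "Widgets", "gadgets": "Gadgets"}


def split_path(url, prefix="/cgi-bin/store/page"):
    """Return the positional path parameters after the page name.

    The raw path is split on '/' before each segment is URL-decoded,
    so an encoded %2F stays inside its segment instead of creating a
    new one (the assumed prefix is hypothetical).
    """
    path = urlsplit(url).path
    if not path.startswith(prefix):
        return []
    rest = path[len(prefix):]
    return [unquote(seg) for seg in rest.split("/") if seg]


def lookup_category(params):
    """Use the first parameter only as a key; unknown keys yield None.

    The attacker-controlled string never reaches the page this way.
    """
    key = params[0] if params else ""
    return CATEGORIES.get(key)


def render_unsafe(params):
    """Echo a parameter into the page as-is: a cross-site scripting sink."""
    if not params:
        return ""
    return "<h1>" + params[-1] + "</h1>"


def render_safe(params):
    """Entity-encode the parameter first, as the encode_entities filter does."""
    if not params:
        return ""
    return "<h1>" + html.escape(params[-1], quote=True) + "</h1>"


if __name__ == "__main__":
    params = split_path(SAMPLE_URL)
    print("params:", params)
    print("lookup:", lookup_category(params))
    print("unsafe:", render_unsafe(params))
    print("safe:  ", render_safe(params))
```

Run stand-alone it prints the split parameters, the table lookup for `widgets`, the unescaped page fragment containing a live `<script>` tag, and the escaped fragment in which the tag has become inert text.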

