[ic] help pulling info from URL
Barry Treahy, Jr. [Treahy@MMaz.com] wrote:
>
> Shouldn't some effort be made to 'sanitize' the URL content? With these
> examples, could not a hacker embed ITL statements, or for that matter
> even Perl, into one of those positional parameters that would then be
> evaluated into the Scratch variables?
>
[scratch somevar] will not be interpolated for Interchange tags or
evaluated as Perl source unless you specifically code something to
perform that action:
[calc] [scratch run_this_perl] [/calc]
The value of a [scratch] call will be shown on the page, so you might
want to think about sanitising any potential HTML content to avoid
cross-site scripting attacks. In this particular case, I suspect that
the only person who would be affected would be the attacker himself.
Generally, the split path contents would be used to look up a value
in a table, or to perform some action. If the value needs to be
displayed then a filter, such as 'encode_entities', will take care of
any HTML lurking in the text.
--
Kevin Walsh
kevin@cursor.biz
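The reply above makes two points: a split-path segment is normally used as a lookup key, and if it has to be shown on the page it should pass through an entity-encoding filter first. The following standalone Perl script is an added illustration, not code from the thread or from Interchange itself. It uses `encode_entities` from the CPAN module HTML::Entities (assumed here to behave like the Interchange filter of the same name), a constructed `$path_info` string, and a made-up `%products` table.

```perl
#!/usr/bin/perl
# Added example, not part of the original mailing-list message.
# Shows (a) using a URL path segment only as a lookup key, and
# (b) what entity encoding does to a segment that must be displayed.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample table; in Interchange this would be a database lookup.
my %products = (
    blue => 'Blue widget, part no. 1001',
    red  => 'Red widget, part no. 1002',
);

# Constructed sample of the path after the page name, as a browser might send it.
# The middle segment carries markup that must not reach the page unescaped.
my $path_info = 'blue/<script>alert(1)</script>/green';

# Split the path into positional parameters, like the split-path idiom in ITL.
sub split_path {
    my ($path) = @_;
    return split m{/}, $path;
}

# Safer pattern: treat the segment as a key, never as content.
# Returns undef when the key is unknown, so the caller decides what to show.
sub lookup_product {
    my ($key) = @_;
    return exists $products{$key} ? $products{$key} : undef;
}

# Unsafe rendering: raw segment interpolated straight into HTML.
sub render_raw {
    my ($value) = @_;
    return "<p>You asked for: $value</p>";
}

# Filtered rendering: characters with HTML meaning (<, >, &, ") become entities,
# so the browser displays them as text instead of parsing them as markup.
sub render_escaped {
    my ($value) = @_;
    return '<p>You asked for: ' . encode_entities($value) . '</p>';
}

for my $seg ( split_path($path_info) ) {
    my $hit = lookup_product($seg);
    if ( defined $hit ) {
        # Known key: display the trusted table value, not the URL segment.
        print "found:   $hit\n";
    }
    else {
        # Unknown key: if the segment itself is echoed back, encode it first.
        print "raw:     ", render_raw($seg),     "\n";
        print "escaped: ", render_escaped($seg), "\n";
    }
}
```

Run it with `perl script.pl`; the `blue` segment resolves through the table, while the script segment prints once as dangerous raw markup and once as harmless `&lt;script&gt;...` text, which is the difference the `encode_entities` filter makes on a displayed value.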