[ic] help pulling info from URL

Kevin Walsh interchange-users@icdevgroup.org
Fri Nov 1 15:06:01 2002


Barry Treahy, Jr. [Treahy@MMaz.com] wrote:
>
> Shouldn't some effort be made to 'sanitize' the URL content?  With these 
> examples, could not a hacker embed ITL statements, or for that matter 
> even Perl, into one of those positional parameters that would then be 
> evaluated into the Scratch variables?
> 
[scratch somevar] will not be interpolated for Interchange tags or
evaluated as Perl source unless you specifically code something to
perform that action:

    [calc] [scratch run_this_perl] [/calc]

The value of a [scratch] call will be shown on the page, so you might
want to think about sanitising any potential HTML content to avoid
cross-site scripting attacks.  In this particular case, I suspect that
the only person who would be affected would be the attacker himself.

Generally, the split path contents would be used to look up a value
in a table, or to perform some action.  If the value needs to be
displayed then a filter, such as 'encode_entities', will take care of
any HTML lurking in the text.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
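An added illustration of the point above, not part of Kevin's reply and not Interchange code: a positional parameter lifted from the URL path is stored as inert text, but it is still raw markup until a filter encodes it. The request path is constructed, and the `encode_entities` filter is assumed here to behave like `HTML::Entities::encode_entities`.

```perl
#!/usr/bin/perl
# Added example: behaviour of a URL path segment stored in a scratch-like
# variable and later displayed, with and without entity encoding.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed request path; Interchange would split the segments after the
# page name into positional parameters.
my $path  = '/somepage/widget/<b>not&bold</b>';
my @parts = grep { length } split m{/}, $path;
shift @parts;    # drop the page name, keep the positional parameters

# Emulate storing the second parameter in scratch space. The value is kept
# as a plain string: it is never handed to the ITL parser or to eval, so
# any [tag] or Perl it contains stays inert.
my %scratch = ( somevar => $parts[1] );

# Equivalent of [scratch somevar]: the text is emitted exactly as stored,
# so any HTML in it would be rendered by the browser as markup.
sub show_raw { return $scratch{ $_[0] } }

# Equivalent of applying the encode_entities filter before display: the
# markup characters (<, >, &, ") become entities and are shown literally.
sub show_encoded { return encode_entities( $scratch{ $_[0] } ) }

print "raw:     ", show_raw('somevar'),     "\n";
print "encoded: ", show_encoded('somevar'), "\n";
```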