Re: JavaScript In URL

Web Connection
Feb. 5, 2013
05:31 pm
From:Ron Wilson
To:Mike McDonald
Hi Mike,

In your example, what is returned in the URL to the requesting client?

Thanks,
Ron


Ron -

The standard error message is echoing the URL back to the browser, and this needs to be HTML encoded so that the JavaScript is rendered as text instead of sent over as JavaScript. A change for this was implemented in the Web Connection framework a long time ago, but for your older version, you will want to add the EncodeHTML() call.

I believe the spot you are looking for is in your main Process() function, where the CASE statement gets to the point of finding no way to handle the request. In your version, it likely sends back the 'lcParameter' (the URL) untouched, but that should be encoded as shown below.


    OTHERWISE
       *** Error - No handler available. Create custom Response
       Response = CREATE([WWC_RESPONSESTRING])
       Response.StandardPage("Unhandled Request", ;
          "The server is not setup to handle this type of Request: " + EncodeHtml(lcParameter))


- Mike McDonald
Software Design of Kentucky


It appears that the default behavior of the response.standardpage is to return the URL from the original request. I do a redirect on the standardpage method but the request URL is what is sent back on the response. I think I may have to build out a full return page and alter the response URL with that. Was just trying to step on the response URL and use the standardpage as it is convenient and quick for an error message.

Thanks,
Ron


Hey Ron,

Can you tell me how the code snippet is getting returned back to the client? For example, do you include the URL that was called originally as part of the error message returned?

Marty



Hi Rick,

I have been a long-time customer; I have an application that I wrote in 2005 that is still running today. Thank you for the great product.

Recently my customer has put my application under a security review. They spent two weeks pounding on it with some pretty powerful tools. They are a Fortune 100 company.

A strong testament to your product and I guess my implementation of it, is that they only found 1 issue.

The issue is that if the URL gets hijacked after leaving their server and before reaching my server, and JavaScript is added to the URL, I return that JavaScript in my response to the user.

There are four parameters in the URL, the JavaScript causes an error in my application and I return an Error page in the result with the response.standardpage method.

The issue is I am returning the JavaScript back to the end user from my response. Currently I am using the response.redirect method to exit the request in the event that it contains JavaScript.

How can I replace the URL, when I push a response, with a URL from which I have parsed out any code-based characters like <>();[]|?

An example would be:

http://www.someserver.com/myfunction.wcs?ID=3823495235%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E

The security review escalated to two team members. It was interesting to watch all that they tried. No confidential information was acquired in all of the testing. Due to the size limitations of the URL and the required parameters of the application, the amount of JavaScript that the URL could contain is very limited. But they found this to be a high-risk flaw.

I am using version 4.6. I know I need to upgrade; it has worked flawlessly!

Any help you could provide to resolve this issue would be greatly appreciated.

Thanks,
Ron
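The reflected error page Ron describes and the EncodeHtml() fix Mike gives, worked through with the probe URL quoted in this thread, as an added Python example that is not part of the thread or of Web Connection. encode_html is a stand-in for EncodeHtml(), and the page layout, the handling of EXAMPLE_URL and the flagged_parameters helper are assumptions:

```python
import html
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request: the URL quoted in Ron's post, as the scanner sent it.
EXAMPLE_URL = ("http://www.someserver.com/myfunction.wcs"
               "?ID=3823495235%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E")

# Characters that must never reach an HTML page unencoded.
HTML_METACHARACTERS = set('<>"\'&')


def encode_html(text: str) -> str:
    """Stand-in for Web Connection's EncodeHtml() (assumption): escapes & < > " '."""
    return html.escape(text, quote=True)


def unhandled_request_page(raw_url: str, encode: bool = True) -> str:
    """Build the 'Unhandled Request' error page for a request that could not be routed.

    The web server hands the handler the URL-decoded query string (lcParameter in
    the thread). With encode=False the page echoes it verbatim, the reflected-XSS
    behaviour the review found; with encode=True it is HTML-encoded first, as in
    Mike's fix.
    """
    lc_parameter = unquote(urlsplit(raw_url).query)
    message = "The server is not setup to handle this type of Request: " + lc_parameter
    if encode:
        message = encode_html(message)
    return ("<html><body><h1>Unhandled Request</h1>"
            f"<p>{message}</p></body></html>")


def contains_markup(page: str) -> bool:
    """True when the page body still carries a live <script> tag."""
    return "<script" in page


def flagged_parameters(raw_url: str) -> list:
    """Names of query parameters whose decoded value contains HTML metacharacters.

    Useful for logging or alerting on probes like the one above. It is not a
    substitute for output encoding: the encoded page is safe whatever the input.
    """
    pairs = parse_qsl(urlsplit(raw_url).query, keep_blank_values=True)
    return [name for name, value in pairs if HTML_METACHARACTERS & set(value)]


if __name__ == "__main__":
    print(unhandled_request_page(EXAMPLE_URL, encode=False))  # echoes <script>
    print(unhandled_request_page(EXAMPLE_URL))                # &lt;script&gt;
    print(flagged_parameters(EXAMPLE_URL))                    # ['ID']
```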