NetTalk Central

NetTalk Web Server => Web Server - Share Knowledge => Topic started by: random69 on October 23, 2007, 12:04:23 PM

Title: NOTE: Issue with NetWebServerWorker._Clean in NETWEB.CLW / 4.29
Post by: random69 on October 23, 2007, 12:04:23 PM: There's a bug in the _Clean function such that the entire string may not get cleaned correctly to prevent XSS.

IE. A string "<h1>hello</h1>bogus</div>" returns "<h1>hello</h1>bogus</div>" which obviously is not correct.

Original Code:
Code: [Select]
NetWebServerWorker._Clean PROCEDURE (String p_html) loc:Html String(NET:MaxBinData) x long y long code loc:Html = p_Html x = len(clip(loc:Html)) y = 0 loop y += 1 if y > x then break. case val(loc:html[y]) of 60 ! < orof 62 ! > orof 34 ! " orof 35 ! # orof 39 ! ' orof 59 ! ; orof 38 ! & loc:html = sub(loc:html,1,y-1) & '&#' & val(loc:html[y]) &';' & sub(loc:html,y+1,size(loc:html)-y) y += 4 End end return clip(loc:Html)
New Code - Note the insertion of x+=4 to increase the len string...

Code: [Select]
NetWebServerWorker._Clean PROCEDURE (String p_html) loc:Html String(NET:MaxBinData) x long y long code loc:Html = p_Html x = len(clip(loc:Html)) y = 0 loop y += 1 if y > x then break. case val(loc:html[y]) of 60 ! < orof 62 ! > orof 34 ! " orof 35 ! # orof 39 ! ' orof 59 ! ; orof 38 ! & loc:html = sub(loc:html,1,y-1) & '&#' & val(loc:html[y]) &';' & sub(loc:html,y+1,size(loc:html)-y) y += 4 x += 4 ! offset length since we just inserted more End end return clip(loc:Html)
I would suggest this gets fixed in a subsequent release.

HTH
Title: Re: NOTE: Issue with NetWebServerWorker._Clean in NETWEB.CLW / 4.29
Post by: Bruce on October 29, 2007, 06:21:05 AM: Hi Random,

Thanks for this. I didn't spot this in time to put it in the 4.30 pre-release, but I'll make sure it's in the 4.30 final release (or indeed in the next pre-release if there is one.)

Cheers
Bruce