Input filtering

[Gordon Holfelder]

Hello-

Are there extensions to the p_web.GetValue() method that would add character filtering and/or length filtering?

Background:
We're building an interface between Salesforce and our web application. As part of their security review of the interface, they also (we didn't ask) did a review of our web application. Interesting findings, but one was Cross Site Scripting problem. Here they suggested adding a whitelist of characters that each field would be validated against.

In reviewing the finding, I don't think that the problem was actually caused by our server, but from APEX code (Salesforce dev environment), but I want to check in case I needed to this as well.

Currently I have "Parse" methods that take GetValue returns and convert them into clarion values. So far I have: ParseBoolean (converts on/off,true/false,1/0), ParseDate(deformat), ParseAmount(strip commas and non-numeric characters) and ParseText(to handle new-lines) to handle values. String values I haven't touched, but could another method.

If you have these corresponding methods, i would use them instead...

Thanks,
Gordon

[Bruce]

Hi Gordon,

I don't have specific methods to parse as you are, but the StringTheory "keepChars" method is probably something you could use.
http://www.capesoft.com/docs/StringTheory/StringTheory.htm#KeepChars

So, for example, your "parseBoolean" could do a KeepChars('onftrueals') but I'm not sure that would make that routine any "safer".
For plain text you could do a RemoveChars on say (';') which would pretty much eliminate most fancy encoding etc.

>> As part of their security review of the interface, they also (we didn't ask) did a review of our web application.

We've subscribed to a program to do this as well, so if you (or anyone) needs an app tested then let me know.

Cheers
Bruce