NetTalk Central

Author Topic: Input filtering  (Read 2759 times)

Gordon Holfelder

  • Jr. Member
  • Posts: 92
Input filtering
« on: May 07, 2014, 08:46:16 AM »
Hello-

Are there extensions to the p_web.GetValue() method that would add character filtering and/or length filtering?

Background:
We're building an interface between Salesforce and our web application. As part of their security review of the interface, they also (we didn't ask) did a review of our web application. Interesting findings, but one was Cross Site Scripting problem. Here they suggested adding a whitelist of characters that each field would be validated against.

In reviewing the finding, I don't think that the problem was actually caused by our server, but by APEX code (Salesforce dev environment), but I want to check in case I needed to do this as well.

Currently I have "Parse" methods that take GetValue returns and convert them into Clarion values. So far I have: ParseBoolean (converts on/off, true/false, 1/0), ParseDate (deformat), ParseAmount (strip commas and non-numeric characters) and ParseText (to handle new-lines) to handle values. String values I haven't touched, but could add another method.

If you have these corresponding methods, I would use them instead...

Thanks,
Gordon
« Last Edit: May 07, 2014, 09:55:09 AM by Gordon Holfelder »

Bruce

  • Global Moderator
  • Hero Member
  • Posts: 11250
Re: Input filtering
« Reply #1 on: May 07, 2014, 09:29:42 PM »
Hi Gordon,

I don't have specific methods to parse as you are, but the StringTheory "keepChars" method is probably something you could use.
http://www.capesoft.com/docs/StringTheory/StringTheory.htm#KeepChars

So, for example, your "parseBoolean" could do a KeepChars('onftrueals') but I'm not sure that would make that routine any "safer".
For plain text you could do a RemoveChars on say (';') which would pretty much eliminate most fancy encoding etc.

>> As part of their security review of the interface, they also (we didn't ask) did a review of our web application.

We've subscribed to a program to do this as well, so if you (or anyone) needs an app tested then let me know.

Cheers
Bruce
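The approach discussed in both posts, as an added example that is not part of the thread and not NetTalk or StringTheory code: a language-neutral model in Python of the allow-list filter Bruce describes (retain only listed characters, in the spirit of KeepChars) plus the length limit the security review asked for, alongside parse helpers shaped like the ParseBoolean/ParseAmount/ParseText methods Gordon describes. The function names, the character sets and the sample values are constructed here. The `demo` function also shows the caveat a practitioner would want: stripping ';' leaves angle brackets intact, so for free text the reliable XSS control is HTML-encoding at output time, with the input filter as a second layer.

```python
"""Allow-list input filtering, modelled on the NetTalk Central thread.

Added example: not NetTalk or StringTheory code. keep_chars models the idea of
a KeepChars-style filter (retain only listed characters) with a length cap;
the parse_* helpers are constructed stand-ins for the ParseBoolean /
ParseAmount / ParseText methods described in the thread.
"""
import html
import re
from decimal import Decimal
from typing import Optional


def keep_chars(value: str, allowed: str, max_len: Optional[int] = None) -> str:
    """Return only the characters of `value` that appear in `allowed`,
    then clip the result to `max_len` characters when a limit is given."""
    kept = "".join(ch for ch in value if ch in allowed)
    return kept[:max_len] if max_len is not None else kept


def parse_boolean(value: str) -> Optional[bool]:
    """Accept on/off, true/false, 1/0 (case-insensitive); None for anything else.
    Rejecting unknown spellings is safer than trying to 'clean' them."""
    v = value.strip().lower()
    if v in ("on", "true", "1"):
        return True
    if v in ("off", "false", "0"):
        return False
    return None


def parse_amount(value: str) -> Optional[Decimal]:
    """Strip thousands separators and anything outside [0-9.-], then check the
    remaining shape before converting; None if it is not a plausible amount."""
    cleaned = keep_chars(value.replace(",", ""), "0123456789.-", max_len=20)
    if not re.fullmatch(r"-?\d{1,15}(\.\d{1,4})?", cleaned):
        return None
    return Decimal(cleaned)


def parse_text(value: str, max_len: int = 2000) -> str:
    """Normalise line endings and cap the length; the text stays data."""
    normalised = value.replace("\r\n", "\n").replace("\r", "\n")
    return normalised[:max_len]


def render_text(value: str) -> str:
    """Encode for HTML output. This, not character removal on input,
    is what stops stored text from being interpreted as markup."""
    return html.escape(value, quote=True)


# Constructed sample values, as a browser or an integration might post them.
SAMPLE_AMOUNT = "1,234.50"
SAMPLE_TEXT = "Hello <b>world</b>; line two\r\nline three"


def demo() -> dict:
    """Run the helpers over the constructed samples and return the results."""
    blacklisted = SAMPLE_TEXT.replace(";", "")  # the 'remove ;' idea from the thread
    return {
        "bool_on": parse_boolean("On"),
        "bool_bad": parse_boolean("yes"),
        "amount": parse_amount(SAMPLE_AMOUNT),
        "amount_bad": parse_amount("12.34.56"),
        "blacklist_keeps_tags": "<b>" in blacklisted,   # True: ';' removal is not enough
        "encoded": render_text(parse_text(SAMPLE_TEXT)),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result!r}")
```

Two design points: fields with a known vocabulary (booleans, amounts, dates) are best rejected when they do not match rather than filtered into something that parses, and the allow-list for free text should be paired with a length cap and output encoding, since a character filter alone cannot know which output context the value will later land in.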