Re: RAW=T..Strange behaviour

This WebDNA talk-list message is from 2000. It keeps the original formatting.
Message number: 28724

> Is there a reason that I'm not thinking of where adding &raw=t to a URL
> would be necessary? The reason I ask is that by adding it to a URL, it
> causes the page to break at the first [include] tag (for instance,
> http://store.smithmicro.com/buy/results.tpl?cart=9525619682420456&raw=T).
> It's not really a security issue, just that a command like that can be used
> to make a site look really bad. So if there is no good reason to allow such
> a command, can it be put on the wish list to make it work only as a context?

This is actually a parameter, not a command -- but realistically it should not have any effect on a page whether you add it to the URL or not, so this is a genuine BUG if you ask me. I hope you have emailed SM directly about this, because they don't seem to read these list messages consistently.

By the way, I just did some more testing and it doesn't seem to matter what follows the =, whether it's T or F or even if nothing follows the =, because as long as WebCat gets the name raw in between the & and = that's all it needs to destroy the page.

================================
Kenneth Grome, WebDNA Consultant
808-737-6499
http://webdna.net
================================

Associated Messages, from the most recent to the oldest:

    
  1. Re: RAW=T..Strange behaviour (Jay Van Vark 2000)
  2. Re: RAW=T..Strange behaviour (JHowarth@smithmicro.com 2000)
  3. Re: RAW=T..Strange behaviour (Kenneth Grome 2000)
  4. RAW=T..Strange behaviour (Mike Davis 2000)
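The behaviour reported in the thread is that the mere presence of a query parameter named `raw` (with T, F or no value at all) switches the page into a different rendering mode. The following is an added example, not code from the post or from WebDNA: it models that trigger with a query parser that keeps empty values, and shows a front-end check that detects or strips such reserved names before a request reaches the template engine. The reserved-name set, the case-insensitive match and the `store.example` host are assumptions for illustration only; the page documents nothing about how WebDNA itself parses the query string.

```python
"""Added example, not from the WebDNA list post or from WebDNA itself.

The post reports that any query parameter *named* "raw" (value T, F or
empty) breaks the page at the first [include].  This models the reported
trigger and shows a check that rejects or strips such reserved names
before the query string reaches the template engine.  The reserved-name
set and the case-insensitive matching are assumptions for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical set of parameter names the template engine treats as
# rendering switches.  Only "raw" comes from the post.
RESERVED_PARAMS = frozenset({"raw"})


def reserved_params_in(url: str) -> list[str]:
    """Return the reserved parameter names present in url's query string.

    keep_blank_values=True matters: the post notes that "&raw=" with no
    value is enough to trigger the behaviour, and the default parser would
    silently drop that pair and miss it.
    """
    query = urlsplit(url).query
    names = [name for name, _value in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n.lower() in RESERVED_PARAMS]


def strip_reserved_params(url: str) -> str:
    """Rebuild url with every reserved parameter removed, others untouched."""
    parts = urlsplit(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if n.lower() not in RESERVED_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample URLs modelled on the one quoted in the post
# (host changed to a placeholder; the cart value is just a sample).
BASE = "http://store.example/buy/results.tpl?cart=9525619682420456"
SAMPLES = [BASE, BASE + "&raw=T", BASE + "&raw=F", BASE + "&raw=", BASE + "&RAW=t"]

if __name__ == "__main__":
    for u in SAMPLES:
        hits = reserved_params_in(u)
        print(f"{u}\n  reserved: {hits or 'none'}\n  safe: {strip_reserved_params(u)}")
```

The point of `keep_blank_values=True` is the edge case the post describes: a check that only looks at parameter values, or that uses a parser which discards empty pairs, would pass `&raw=` straight through to the engine that mis-renders on it.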
