Re: RAW=T..Strange behaviour

This WebDNA talk-list message is from 2000.
>Is there a reason that I'm not thinking of where adding &raw=t to a url
>would be necessary? The reason I ask is that by adding it to a url, it
>causes the page to break at the first [include] tag (for instance,
>http://store.smithmicro.com/buy/results.tpl?cart=9525619682420456&raw=T).
>It's not really a security issue, just that a command like that can be used
>to make a site look really bad. So if there is no good reason to allow such
>a command, can it be put on the wish list to make it work only as a context?

This is actually a parameter, not a command -- but realistically it should not have any effect on a page whether you add it to the URL or not, so this is a genuine BUG if you ask me. I hope you have emailed SM directly about this, because they don't seem to read these list messages consistently.

By the way, I just did some more testing and it doesn't seem to matter what follows the =, whether it's T or F or even if nothing follows the =, because as long as webcat gets the name raw in between the & and = that's all it needs to destroy the page.

================================
Kenneth Grome, WebDNA Consultant
808-737-6499
http://webdna.net
================================

Associated Messages, from the most recent to the oldest:

  1. Re: RAW=T..Strange behaviour (Jay Van Vark 2000)
  2. Re: RAW=T..Strange behaviour (JHowarth@smithmicro.com 2000)
  3. Re: RAW=T..Strange behaviour (Kenneth Grome 2000)
  4. RAW=T..Strange behaviour (Mike Davis 2000)
