Snitz Forums 2000
 question : filtering + from URLs

T O P I C    R E V I E W
MarcelG Posted - 02 May 2006 : 03:30:17
Just a quick question.
The function ReplaceURLs filters some characters from URLs, like for instance the ",;,+,(,),*,',> and <.
I can imagine why you wouldn't want those characters in a URL, because of XSS attacks etc., but I'm a bit confused about the + sign.
Is it so dangerous to allow the + to be used in a URL?

It's giving some headaches when users want to post a URL that uses it.
If they post it as a normal URL, it works:
http://www.somewebsite.com/page.php?name=john+doe&otherparam=somethingelse
When encapsulating that same URL in the URL tags, the + is removed, thus breaking the URL.
within the url tags: http://www.somewebsite.com/page.php?name=john doe&otherparam=somethingelse
within the url="" tags: testing.
6   L A T E S T    R E P L I E S    (Newest First)
muzishun Posted - 02 May 2006 : 15:42:26
The HTML entities do work in standard html code. If you are using them within the vbScript side of code, you're correct, they don't work properly. But they do in fact work in standard links. For example, this:
Response.write "<a href=""http://search.yahoo.com/search?p=snitz&sm=Yahoo%21+Search&fr=FP-tab-web-t&toggle=1&cop=&ei=UTF-8"">Link</a>"

and this:
Response.write "<a href=""http://search.yahoo.com/search?p=snitz& amp;sm=Yahoo%21+Search& amp;fr=FP-tab-web-t& amp;toggle=1& amp;cop=& amp;ei=UTF-8"">Link</a>"

do the same thing (minus the spaces, of course).

However, in this case:
Response.redirect("http://search.yahoo.com/search?p=snitz& amp;sm=Yahoo%21+Search& amp;fr=FP-tab-web-t& amp;toggle=1& amp;cop=& amp;ei=UTF-8")

the & amp; entities would not work. You would have to leave them as literal "&" symbols.

This link is a page using the following code:
<html>
<body>
<%
Response.write "The link below uses standard ""&"" symbols.<br /><a href=""http://search.yahoo.com/search?p=snitz&sm=Yahoo%21+Search&fr=FP-tab-web-t&toggle=1&cop=&ei=UTF-8"">Link</a><br /><br />" & vbNewline
Response.write "The link below uses the ""&amp;"" entity reference.<br /><a href=""http://search.yahoo.com/search?p=snitz&amp;sm=Yahoo%21+Search&amp;fr=FP-tab-web-t&amp;toggle=1&amp;cop=&amp;ei=UTF-8"">Link</a><br /><br />" & vbNewline
%>
</body>
</html>
AnonJr Posted - 02 May 2006 : 11:43:21
quote:
Originally posted by HuwR

& amp; does not work in a url instead of &


I thought so. I was just thinking about what muzishun posted...

quote:
Originally posted by muzishun

My guess is that it wouldn't. Since the "&amp;" is an html reference, and the "&" needs to be a literal character in javascript, I would assume that the first function wouldn't work at all. If that's the case, rather than filter symbols out of URLs, you could convert them to their html entity reference. These work just fine when used in URLs, but will probably still prevent the javascript from being included.
HuwR Posted - 02 May 2006 : 11:23:59
& amp; does not work in a url instead of &
AnonJr Posted - 02 May 2006 : 11:19:59
I don't know... I had some problems a while back with URLs that had "&amp;" instead of a literal "&" - some of the querystring values weren't getting passed right. It could have just been a fluke, but I'd do some testing first...
muzishun Posted - 02 May 2006 : 11:01:54
Is it possible to use html entities in javascript? For example, would this:
if (x == y &amp;&amp; y == z) {stuff here;}

Work for this:
if (x == y && y == z) {stuff here;}

My guess is that it wouldn't. Since the "&amp;" is an html reference, and the "&" needs to be a literal character in javascript, I would assume that the first function wouldn't work at all. If that's the case, rather than filter symbols out of URLs, you could convert them to their html entity reference. These work just fine when used in URLs, but will probably still prevent the javascript from being included.

Here is a link to an entity reference list at W3Schools.
HuwR Posted - 02 May 2006 : 03:58:11
It is to prevent people posting JavaScript functions in the URLs. If it causes you a problem, then just remove the check for + from your code.
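
Added example, not part of the thread and not Snitz Forums code: one way to keep `+` in a posted URL while still blocking script URLs is to decide on the parsed scheme and HTML-encode the value for the `href` attribute instead of stripping characters. The function names, the scheme allowlist and the sample input are assumptions made for this sketch.

```javascript
// Added example: names are illustrative, not Snitz Forums code.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "mailto:"]);

const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([k, v]) => [v, k]));

// Encode characters that could close or alter a quoted HTML attribute.
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Model of what the HTML parser does to an attribute value before the
// browser requests the URL (covers only the entities produced above).
function htmlAttrDecode(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DECODE[e]);
}

// Build an <a> tag from user input; null means "do not render a link".
function renderLink(userUrl, text) {
  let parsed;
  try {
    parsed = new URL(userUrl.trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  // Decide on the parsed scheme, not on which characters appear in the string.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return `<a href="${htmlAttrEncode(parsed.href)}">${htmlAttrEncode(text)}</a>`;
}

// The URL the browser requests once the tag has been parsed.
function hrefSeenByBrowser(tag) {
  const m = /href="([^"]*)"/.exec(tag);
  return m ? htmlAttrDecode(m[1]) : null;
}

// Constructed sample input: the URL from the first post.
const SAMPLE = "http://www.somewebsite.com/page.php?name=john+doe&otherparam=somethingelse";
const tag = renderLink(SAMPLE, "link");
console.log(tag);                                    // href keeps "+", "&" becomes "&amp;"
console.log(hrefSeenByBrowser(tag) === SAMPLE);      // the browser still requests the posted URL
console.log(renderLink("JaVaScRiPt:alert(1)", "x")); // rejected by scheme, not by character
```

The decoded `href` matches the posted URL because the HTML parser resolves `&amp;` back to `&` in attribute values. A redirect header gets no such decoding, so the raw URL belongs there.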
