New security fix, members.asp

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/69770?pagenum=1
03 November 2025, 22:21

Topic


ruirib
New security fix, members.asp
12 December 2010, 09:17


This security fix applies to all Snitz 3.4.x versions and can coexist with the previous fix, even if this one makes the previous fix redundant.
1. Around line #86, add this code:

Code:

If SearchName <> "" Then
    If Not IsValidString(SearchName) Then
        Err_Msg = "Invalid Name!"

        Response.Write " <table width=""100%"" border=""0"">" & vbNewLine & _
            " <tr>" & vbNewLine & _
            " <td><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & vbNewLine & _
            " " & getCurrentIcon(strIconFolderOpen,"","") & " <a href=""default.asp"">All Forums</a><br />" & vbNewLine & _
            " " & getCurrentIcon(strIconBar,"","") & getCurrentIcon(strIconFolderOpenTopic,"","") & " Member Information</font></td>" & vbNewLine & _
            " </tr>" & vbNewLine & _
            " </table>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """ color=""" & strHiLiteFontColor & """>There Was A Problem!</font></p>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """ color=""" & strHiLiteFontColor & """>" & Err_Msg & "</font></p>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """><a href=""JavaScript:history.go(-1)"">Back to Forum</a></font></p>" & vbNewLine & _
            " <br />" & vbNewLine
        WriteFooter
        Response.End

    End If
End If

After adding the code, members.asp will look like this, near the point where the code will be added:

Code:

SearchName = Trim(Request("M_NAME"))
If SearchName = "" Then
    SearchName = Trim(Request.Form("M_NAME"))
End If

If SearchName <> "" Then
    If Not IsValidString(SearchName) Then
        Err_Msg = "Invalid Name!"

        Response.Write " <table width=""100%"" border=""0"">" & vbNewLine & _
            " <tr>" & vbNewLine & _
            " <td><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & vbNewLine & _
            " " & getCurrentIcon(strIconFolderOpen,"","") & " <a href=""default.asp"">All Forums</a><br />" & vbNewLine & _
            " " & getCurrentIcon(strIconBar,"","") & getCurrentIcon(strIconFolderOpenTopic,"","") & " Member Information</font></td>" & vbNewLine & _
            " </tr>" & vbNewLine & _
            " </table>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """ color=""" & strHiLiteFontColor & """>There Was A Problem!</font></p>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """ color=""" & strHiLiteFontColor & """>" & Err_Msg & "</font></p>" & vbNewLine & _
            " <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """><a href=""JavaScript:history.go(-1)"">Back to Forum</a></font></p>" & vbNewLine & _
            " <br />" & vbNewLine
        WriteFooter
        Response.End

    End If
End If


SearchNameDisplay = Server.HTMLEncode(SearchName)
SearchName = chkString(SearchName, "sqlstring")

2. Add function isValidString to the end of the file:

At line #598, add:

Code:

Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    bTemp = False
    ' Disallowed characters
    sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@' "
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next
    ' Reject the non-breaking space (character code 160), which the list above cannot catch
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next

    ' extra checks for double dots or double spaces
    ' no two consecutive dots or spaces
    If Not bTemp Then
        bTemp = InStr(sValidate, "..") > 0
    End If
    If Not bTemp Then
        bTemp = InStr(sValidate, "  ") > 0
    End If
    If Not bTemp Then
        bTemp = (Len(sValidate) <> Len(Trim(sValidate)))
    End If 'Addition for leading and trailing spaces

    ' if any of the above are true, invalid string
    IsValidString = Not bTemp
End Function

After adding the fix, the code will look like this:

Code:

Function sGetColspan(lIN, lOUT)
    If (mlev = "4" Or mlev = "3") Then lOut = lOut + 2
    If lOut > lIn Then
        sGetColspan = lIN
    Else
        sGetColspan = lOUT
    End If
End Function

Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    bTemp = False
    ' Disallowed characters
    sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@' "
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next
    ' Reject the non-breaking space (character code 160), which the list above cannot catch
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next

    ' extra checks for double dots or double spaces
    ' no two consecutive dots or spaces
    If Not bTemp Then
        bTemp = InStr(sValidate, "..") > 0
    End If
    If Not bTemp Then
        bTemp = InStr(sValidate, "  ") > 0
    End If
    If Not bTemp Then
        bTemp = (Len(sValidate) <> Len(Trim(sValidate)))
    End If 'Addition for leading and trailing spaces

    ' if any of the above are true, invalid string
    IsValidString = Not bTemp
End Function
%>

If you need help with the fix, please post in the General Help forum.


Replies ...


ruirib
19 February 2011, 10:15


For anyone wanting to be able to search names with spaces, this line can be changed from:

Code:

sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@' "

to

Code:

sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@'"

The change is just the removal of the space character at the end of the string.
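The validation rule from the fix above and the reply's one-character variant, ported to Python as an added example (not Snitz code) so the accepted and rejected search names can be compared offline; the sample names are constructed, and `is_valid_string` and `classify` are names chosen here.

```python
INVALID_CHARS_STRICT = "!#$%^&*()=+{}[]|\\.;:/?>,<@' "        # list as posted in the fix
INVALID_CHARS_ALLOW_SPACE = INVALID_CHARS_STRICT.rstrip(" ")  # the reply's variant
NBSP = chr(160)  # non-breaking space, rejected by the Asc() = 160 loop


def is_valid_string(value, invalid_chars=INVALID_CHARS_STRICT):
    """Port of IsValidString: True only when every check of the posted function passes."""
    if any(ch in value for ch in invalid_chars):
        return False
    if NBSP in value:
        return False
    if ".." in value:            # no two consecutive dots
        return False
    if "  " in value:            # no two consecutive spaces
        return False
    # VBScript Trim() strips only ordinary spaces, so strip(" ") rather than strip()
    if len(value) != len(value.strip(" ")):
        return False
    return True


def classify(names, invalid_chars=INVALID_CHARS_STRICT):
    """Verdict per candidate search name, for comparing the two character lists side by side."""
    return {name: is_valid_string(name, invalid_chars) for name in names}


# Constructed sample names (not from the page); each one exercises a different branch.
SAMPLES = [
    "ruirib",             # plain name: accepted by both variants
    "John Smith",         # single space: rejected as posted, accepted by the reply's variant
    "John  Smith",        # double space: rejected by both
    " ruirib",            # leading space: rejected by both (Trim length check)
    "a..b",               # consecutive dots: rejected by both
    "bob" + NBSP + "x",   # non-breaking space: rejected by both
    "O'Neil",             # apostrophe is in the list, so a legitimate name is rejected
    "Ana-Maria_99",       # hyphen, underscore and digits are not listed: accepted
]

if __name__ == "__main__":
    for label, chars in (("fix as posted", INVALID_CHARS_STRICT),
                         ("reply's variant", INVALID_CHARS_ALLOW_SPACE)):
        print(label)
        for name, ok in classify(SAMPLES, chars).items():
            print(f"  {name!r:22} -> {'valid' if ok else 'INVALID'}")
```

Running it shows the trade-off the reply makes: dropping the trailing space admits names like "John Smith" while the double-space and leading/trailing-space checks still apply.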
© 2000-2021 Snitz™ Communications