Hi, I have a form (“Form1”) with two computed for display fields, “Query_String” and “Field1”.
Query_String’s default value is:
“Hello World”
and Field1’s default value is:
Query_String
(You can see what I’m trying to do here – I’m trying to override the value of the reserved field, Query_String.) So, when I open this form in a browser, with this URL:
We’re running a custom CMS and a billion and one things reference Query_String. Turns out we’re vulnerable to XSS attacks (“”), and I have to filter the Query_String value before it gets referenced.
In the billion and one places it gets used.
So, the cleanest thing I wanted to do was just to have a field called Query_String, and give it the value Query_String_Decoded OR @ReplaceSubstring(Query_String; …). Turns out, I can’t override Query_String.
Is my solution to spend days on end trying to find every reference to Query_String in every form/agent/library in the CMS?
“You should be using Query_String_Decoded instead of Query_String.” Tell that to the guy who originally built this thing.
Thanks again Andre, you’ve countlessly got me out of numerous pickles in the past.
Please buy TeamStudio and bring their tools in-house so we can ALL enjoy them. Your inability to let me do an easy DB-wide find&replace makes me vomit. I pray one day God grants me the ability to punch a corporation in the face over TCP/IP.
I had to find&replace every reference to Query_String with Query_String_Filtered. Depending on your Query_String-needs, you might need to change the computed value of Query_String_Filtered.
Also, I had to do this with PATH_INFO, ie. PATH_INFO_Filtered.
So uppercase characters and the word “script” are never valid data? I would’ve thought removing the < characters would be enough to “de-fang” the value.
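The thread never shows what the Query_String_Filtered computed value actually does, and the last reply questions whether stripping characters or words is the right approach. As an added example (not code from the thread, and not Domino formula language), the Python below shows the alternative a defender would normally reach for: decode the raw query string (what Query_String_Decoded gives you) and then HTML-encode it for the context it is written into, so nothing legitimate is removed and markup characters cannot be interpreted. The naive angle-bracket stripper is included only for comparison; the sample query strings are constructed for this example.

```python
"""Added example, not from the thread: HTML-output encoding of a raw query
string, beside the naive "strip the angle brackets" filter for comparison."""
import html
from urllib.parse import unquote_plus


def filter_query_string(raw_query_string: str) -> str:
    """Decode the raw query string, then HTML-encode every character that has
    meaning in an HTML text or attribute context (&, <, >, ", ').
    Nothing is removed, so legitimate data such as uppercase words or the
    word "script" survives intact; it simply renders literally."""
    decoded = unquote_plus(raw_query_string)
    return html.escape(decoded, quote=True)


def strip_angle_brackets(raw_query_string: str) -> str:
    """Naive blacklist filter for comparison: removes only '<' and '>'.
    It mangles legitimate data and leaves quotes and ampersands untouched,
    which is why encoding (above) is preferred over removal."""
    decoded = unquote_plus(raw_query_string)
    return decoded.replace("<", "").replace(">", "")


# Constructed sample query strings (assumed inputs, not from the thread).
SAMPLES = {
    "plain": "page=Home&user=SCRIPT+Writer",
    "markup": "q=%3Cb%3EHello%3C%2Fb%3E",
    "quote": "name=O%27Brien",
}


def compare_filters(raw_query_string: str) -> dict:
    """Return both filter results for one raw query string."""
    return {
        "encoded": filter_query_string(raw_query_string),
        "stripped": strip_angle_brackets(raw_query_string),
    }


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, compare_filters(raw))
```

In a Domino form the same transformation would live in the computed value of Query_String_Filtered; the thread does not show that formula, so the encoding shown here is the assumed approach rather than the author's.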