nutso fasst
OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?

I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:

    ' build a variable that appears on the page:
    items = Request.Form("item1") & "<br>" & Request.Form("item2")
    ' modify it for the email message:
    mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
        & Request.ServerVariables("REMOTE_ADDR")

Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:

    Items:
    99.99.99.99

BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:

    emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
    mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
        & Request.ServerVariables("REMOTE_ADDR")

Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.

IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?

nf
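
One way to capture what is actually being submitted, as an added example that is not part of the original post: the sketch below logs each stage of the string the post builds (the two fields, `items`, `emailbody`) with its type, length and a hex rendering, so the stage at which the text disappears can be seen in the log. `LOG_PATH`, `HexDump` and `LogValue` are hypothetical names chosen for illustration, and the log path is a placeholder.

```vbscript
' Added diagnostic sketch, not the poster's code. item1/item2 come from the
' post; LOG_PATH, HexDump and LogValue are assumptions for illustration.
Const LOG_PATH = "C:\placeholder\formdebug.log"   ' placeholder, keep outside the web root

' Render every character as a 4-digit hex code so control characters and
' line breaks in a submitted value are visible and cannot alter the log.
Function HexDump(s)
    Dim i, t, out
    t = "" & s            ' coerce Empty/Null to a zero-length string
    out = ""
    For i = 1 To Len(t)
        out = out & Right("000" & Hex(AscW(Mid(t, i, 1)) And &HFFFF&), 4) & " "
    Next
    HexDump = out
End Function

' Write one line per value: its variant subtype, its length and its hex form.
Sub LogValue(ts, label, v)
    ts.WriteLine label & " type=" & TypeName(v) & " len=" & Len(v) & _
        " hex=" & HexDump(v)
End Sub

Dim fso, ts, item1, item2, items, emailbody
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(LOG_PATH, 8, True)      ' 8 = ForAppending, create if missing

ts.WriteLine Now & " " & Request.ServerVariables("REMOTE_ADDR") & _
    " bytes=" & Request.TotalBytes

' Assign to plain variables first so the values are strings (or Empty when
' the field is absent) rather than the Request.Form collection objects.
item1 = Request.Form("item1")
item2 = Request.Form("item2")
LogValue ts, "item1", item1
LogValue ts, "item2", item2

' Same two steps as in the post, logged after each one.
items = item1 & "<br>" & item2
LogValue ts, "items", items
emailbody = "Items: " & Replace(items, "<br>", vbNewLine) & vbNewLine
LogValue ts, "emailbody", emailbody

ts.Close
```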