For a legacy Classic ASP application, I am supposed to remove all security attack issues. Currently, DB contains data which is already encoded and there will be no more Insert/update operations. Only select operations from now on wards.
I am able to remove SQL Injection and few other security issues, but, unable to remove
Cross Site Scripting (XSS) : Poor Validation Issue
This became bottle neck for delivery of the project.
Could anybody help me on this.
Example:
My data in DB as following.
One Cell Sample Data (Korean and English Char)
1.. Rupture disc 설치 관련 필요 자재 List<BR>──────────────────────────────────────<BR> No 필요 자재 재질 비 고 <BR>──────────────────────────────────────<BR> 1 inlet isolation valve, 8" Hast C276 기존 재고 사용 <BR> 2 RD holder inlet/outlet Hast C276 / 316L 신규 구매 <BR> 3 Rupture Disc Hast C276 신규 구매 <BR> 4 SV outlet isolation valve, 10" SUS 316L 신규 구매 <BR>──────────────────────────────────────<BR><BR>2. Rupture Disc Specification<BR> 1) Rupture design press : 4kg/cm2<BR> 2) Design temperature : 100℃<BR> 3) Rupture press tolerance : ± 5%<BR> 4) Manufacturing range : + 0%, - 10%<BR> 5) Material spec : M1, M4, C31<BR> 6) Max. allowable oper press : 3.2kg/cm2 (at 100℃)<BR><BR>3. Rupture Disc spec 선정 기준<BR> . Code, Standard = API 520, ASME VIII<BR> . Required Burst Pressure = Vessel Design Pressure<BR> . Manufacturing range(+0% ∼ -10%) of Required Burst Pressure<BR> . Rupture Pressure Tolerance +5%, -5% of Stamped Burst Pressure<BR> . Specified Disc Temperature = Actual Temperature of Disc in Operation <BR> → usually lower at disc than in liquid phase of vessel <BR><BR>4. Rupture Disk 전단 및 SV2209 후단 Isolation valve는 CSO(CAR SEAL OPEN) .<BR><BR>5. Rupture Disk 후단에 PG2209를 설치하여 운전 중 Rupture disk 파손 여부 확인 가능토록 함.<BR>
I am displaying above cell data as follows:
Sample Page:
<!-- #include file="INCLUDES/HTMLDecode.inc" -->
.
.
.
<HTML>
.
.
.
sampledata = rs("sampledata")
.
.
.
<TD><%= ClearForAttack(sampledata) =%></TD>
.
.
.
</HTML>
The above functions defined as follows :
User Defined Functions:
<%
Function HTMLDecode(sText)
Dim I
sText = Replace(sText, """, Chr(34))
sText = Replace(sText, "<" , Chr(60))
sText = Replace(sText, ">" , Chr(62))
sText = Replace(sText, "&" , Chr(38))
sText = Replace(sText, " ", Chr(32))
For I = 1 to 255
sText = Replace(sText, "&#" & I & ";", Chr(I))
Next
HTMLDecode = sText
End Function
%>
<%
Function ClearForAttack(pStrValue)
if len(pStrValue)>0 then
pStrValue = HTMLDecode(Server.HTMLEncode(pStrValue))
pStrValue = replace(pStrValue,"'","")
pStrValue = replace(pStrValue,"`","")
pStrValue = replace(pStrValue,"%","")
pStrValue = replace(pStrValue,"<","<")
pStrValue = replace(pStrValue,">",">")
else
pStrValue = ""
end if
ClearForAttack = pStrValue
End Function
%>
To display already encoded data I am using both HTMLDecode and HTMLEncode Functions
Please EDIT functions or suggest me another approach.
Your help or suggestions are highly appreciated.
Thanks in advance.
As stated, simply sanitise the post/query string data all data from user input and the database alike. You can try a number of methods including Server.HTMLEncode.
If you need to extend this to cover database fields, then you're going to need to perform some kind of search and replace on < and >, replacing them with < and > respectively.
There are some problems with XSS. You may want to read this first.
The Server.HTMLEncode sanitizes the query. You need to run a validation process to satisfy the poor validation. There is a simple "blacklist" program that you can change to suit your needs. check http://blogs.iis.net/nazim/filtering-sql-injection-from-classic-asp or Validation for Form and QueryString in ASP Classic using Regex. Almost working but missing something?. Once incorporated, should remove most of poor validation.
Related
I'm using Excel and VBA to get SAP to download data from SAP through RFC using INST_EXECUTE_REPORT.
It works like a charm when I have specific input parameters. I just build up .Tables("PARA") with the screen name of the parameter and the desired value. I can even use this method for date ranges.
The challenge is when I don't know exactly the input parameters. For example, I wanted to identify all internal orders with a specific text in the description, e.g. CODE40.
Is there any way to use wildcards with INST_EXECUTE_REPORT? When the program passed into INST_EXECUTE_REPORT is executed normally as a transaction on screen, I can set the parameter to *CODE40* and SAP automatically applies a wildcard search. But I can't get that to work with VBA.
I can simulate using wildcards when accessing individual tables with BBP_RFC_READ_TABLE by using LIKE statements in the selection option, but I need a similar functionality for whole reports, not individual tables.
Can anyone help?
Best regards,
The code I'm using is as follows:
Set ObjR3_EXECUTE_REPORT = ObjR3.Add("INST_EXECUTE_REPORT")
With ObjR3_EXECUTE_REPORT
Set ObjR3_EXECUTE_REPORT_Name = .Exports("PROGRAM")
Set ObjR3_EXECUTE_REPORT_Para = .Tables("PARA")
Set ObjR3_EXECUTE_REPORT_Result = .Tables("RESULT_TAB")
Set ObjR3_EXECUTE_REPORT_Output = .Tables("OUTPUT_TAB")
End With
ObjR3_EXECUTE_REPORT_Name.Value = ReportName
'Build up the table with the fields to be selected
f = 1
For a = LBound(aParameters) To UBound(aParameters)
aParameterPair = aParameters(a)
aParameterInput = aParameterPair(UBound(aParameterPair))
sParameterName = aParameterPair(LBound(aParameterPair))
For c = LBound(aParameterInput) To UBound(aParameterInput)
sParameterInput = aParameterInput(c)
ObjR3_EXECUTE_REPORT_Para.AppendRow
ObjR3_EXECUTE_REPORT_Para(f, "PARA_NAME") = sParameterName
ObjR3_EXECUTE_REPORT_Para(f, "PARA_VALUE") = sParameterInput
Debug.Print sParameterName & " " & sParameterInput
f = f + 1
Next c
Next a
I have lots of products which have description including bullets, which I want to convert it to html form excel file.
Description of product be like in one cell :
• Our aim is to be devoted to building a sustainable future.
• We are keen to preserve the human being and its environment.
• It is best for all skin types
some macro code I have tried is like:
Sub aTest()
Dim rCell As Range, spl As Variant, i As Long
For Each rCell In Selection
spl = Split(rCell, Chr(10))
For i = LBound(spl) To UBound(spl)
spl(i) = Chr(60) & "li" & Chr(62) & spl(i) & Chr(60) & "/li" & Chr(62)
Next i
rCell = Join(spl, Chr(10))
Next rCell
Selection.ColumnWidth = 200
Selection.EntireRow.AutoFit
Selection.EntireColumn.AutoFit
End Sub
this code gives me output including bullets within it:
Expected:
<li> Our aim is to be devoted to building a sustainable future. </li>
<li> We are keen to preserve the human being and its environment.</li>
<li> It is best for all skin types</li>
Could anyone please help me get this correct, as I do not have any idea of VB.
Moreover, it would be great to have Function rather than macro.
Thanks
Update: I have this whole content within one cell and want it to convert to html together. Is that possible?
BIODERMA is a brand of NAOS, the world’s number 1 cosmetic company. BIODERMA has been dedicated to skin health for 40 years and has pioneered many breakthroughs in dermatological care. We are a company that provides high-quality skin care products developed by medical professionals with the absolute highest safety standards.
Key Features:
• Our aim is to be devoted to building a sustainable future.
• We are keen to preserve the human being and its environment.
• It is best for all skin types
Private Function ConvertBulletToHTML(argInput As String) As String
Dim cleanArr() As String
cleanArr = Split(argInput, vbLf)
Dim i As Long
For i = 0 To UBound(cleanArr)
If Instr(cleanArr(i), Chr(149)) <> 0 Then
cleanArr(i) = Replace(cleanArr(i), Chr(149), vbNullString)
cleanArr(i) = "<li>" & Trim(cleanArr(i)) & "</li>"
End If
Next i
ConvertBulletToHTML = "<div>" & Join(cleanArr, vbLf) & "</div>"
End Function
This is the output:
<div><li>Our aim is to be devoted to building a sustainable future.</li>
<li>We are keen to preserve the human being and its environment.</li>
<li>It is best for all skin types</li></div>
And output for the updated question:
<div>BIODERMA is a brand of NAOS, the world’s number 1 cosmetic company. BIODERMA has been dedicated to skin health for 40 years and has pioneered many breakthroughs in dermatological care. We are a company that provides high-quality skin care products developed by medical professionals with the absolute highest safety standards.
Key Features:
<li>Our aim is to be devoted to building a sustainable future.</li>
<li>We are keen to preserve the human being and its environment.</li>
<li>It is best for all skin types</li></div>
Remove the Trim in the for loop if you do not want it trimmed.
Note: vbLf is the same as Chr(10) so you can just use the built-in constant.
Try:
spli(i) = Replace(spli(i), Chr(149), "")
You must check if it is actually Chr(149) and change it to something else if it is not.
Other way - assuming it is the first character in your spli(i)
spli(i) = Right(spli(i), Len(spli(i)) - 1)
This must be applied before adding html tags.
So I have been using the following VBA Module code to generate QR codes in a desired cell. The code works as expected for all desired ASCII values expect '&' and '+'. If any of these characters is mid string example - Jack & Jill - only 'Jack' would be displayed, ie anything after, and including, the '&' would be cut off. Similar story with the '+'.
Thanks in advance
Function Insert_QR(codetext As String)
Dim URL As String, MyCell As Range
Set MyCell = Application.Caller
URL = "https://chart.googleapis.com/chart?chs=125x125&cht=qr&chl=" & codetext
On Error Resume Next
ActiveSheet.Pictures("My_QR_" & MyCell.Address(False, False)).Delete 'delete if there is prevoius one
On Error GoTo 0
ActiveSheet.Pictures.Insert(URL).Select
With Selection.ShapeRange(1)
.PictureFormat.CropLeft = 10
.PictureFormat.CropRight = 10
.PictureFormat.CropTop = 10
.PictureFormat.CropBottom = 10
.Name = "My_QR_" & MyCell.Address(False, False)
.Left = MyCell.Left + 25
.Top = MyCell.Top + 5
End With
Insert_QR = "" ' or some text to be displayed behind code
End Function
First thing first Google Image Charts is deprecated and can be shutdown anytime soon. There are alternatives like Image-Charts.
Regarding your issue codetext needs to be URLEncoded. If you are using Excel 2013+ you can use
URL = "https://image-charts.com/chart?chs=125x125&cht=qr&chl=" & WorksheetFunction.EncodeUrl(codetext)
Otherwise you can follow this answer that provide an URLEncode function that will also encode query params in order to generate the static QR code image.
The issue lay within the fact that the QR codes were being generated by URL. the above characters are what are known as URL restricted characters therefore cannot be repreneted in URL. therefore to represent '&' in URL == '%26'
I have a Word document where the user will input codes for standard comments, usually using an outline format like bullets 1, a, 2, and 3. The user saves and closes the Word document. Then the user can open a Comments Excel document and click on a button that will ask the user to find which Word document they want to replace the codes (column A) with the Text value (column C) in the Excel document. The code and process work great except when the value exceeds 255 characters, which will happen quite often. I've read about using the clipboard in doing this, but I wasn't sure how to implement it into my existing code. Thank you for any help. Sorry if I am not posting this correctly, new to this forum.
Sample comments in Word:
B401
B402
M317
This is my own comment
P203
Sample in Excel file (each row separated by a comma):
Column A rows- B401, B402, M317, P201, P203
Column B rows- Handrail compliance, Handrail Extensions, HVAC, Water Building, Water System
Column C rows-
Handrails shall comply with section 1014 of the 2015 International Building Code.,
Handrails shall return to a wall guard or walking surface. (See Section 1014.6 of the 2015 International Building Code.),
No HVAC drawings shown; will handle in the field.,
Where water pressure within a building exceeds 80 psi (552 kPa) static, an approved water pressure reducing valve conforming to ASSE 1003 or CSA B356 with strainer shall be installed to reduce the pressure in the building water distribution piping to 80 psi (552 kPa) static or less. Exceptions to this requirement are service lines to sill cocks and outside hydrants, and main supply risers where pressure from the mains is reduced to 80 psi (552 kPa) or less at individual fixtures. (See Section 604.8 of the 2015 International Plumbing Code.),
A water test shall be applied to the drainage system either in its entirety or in sections. If applied to the entire system, all openings in the piping shall be tightly closed, except the highest opening, and the system shall be filled with water to point of overflow. If the system is tested in sections, each opening shall be tightly plugged except the highest openings of the section under test, and each section shall be filled with water, but no section shall be tested with less than a 10-foot (3048 mm) head of water. In testing successive sections, at least the upper 10 feet (3048 mm) of the next preceding section shall be tested so that no joint or pipe in the building, except the uppermost 10 feet (3048 mm) of the system, shall have been submitted to a test of less than a 10-foot (3048 mm) head of water. The water shall be kept in the system, or in the portion under test, for at least 15 minutes before inspection starts. The system shall then be tight at all points. (See Section 312.2 of the 2015 International plumbing Code.) Plastic piping shall not be tested with air. An air test shall be made by forcing air into the system until there is a uniform gauge pressure of 5 pounds per square inch (psi) (34.5 kPa) or sufficient to balance a 10-inch (254 mm) column of mercury. This pressure shall be held for a test period of at least 15 minutes. Any adjustments to the test pressure required because of changes in ambient temperature or the seating of gaskets shall be made prior to the beginning of the test period. (See Section 312.3 of the 2015 International Plumbing Code)
Existing Excel Code that works until the 255 character limit:
Sub Replace()
With Application.FileDialog(msoFileDialogFilePicker)
.AllowMultiSelect = False
.Filters.Add "Word Files", "*.docx; *.docm", 1
.Show
fullpath = .SelectedItems.Item(1)
End With
Dim pathh As String
Dim pathhi As String
Dim oCell As Integer
Dim from_text As String, to_text As String
Dim WA As Object
pathh = fullpath
Set WA = CreateObject("Word.Application")
WA.Documents.Open (pathh)
WA.Visible = True
For oCell = 1 To 500
from_text = Sheets("Comments").Range("A" & oCell).Value
to_text = Sheets("Comments").Range("C" & oCell).Value
With WA.ActiveDocument
Set myRange = .Content
With myRange.Find
.Execute FindText:=from_text, ReplaceWith:=to_text, Replace:=1
End With
End With
Next oCell
End Sub
The fault is in the function you are using which can't accept a parameter of the size you want. So, we have to work around it a bit. Try replacing your for loop with this:
For oCell = 1 To 500
from_text = Sheets("Comments").Range("A" & oCell).Value
to_text = Sheets("Comments").Range("C" & oCell).Value
If from_text = "" Then Exit For
WA.Selection.Find.ClearFormatting
WA.Selection.Find.Replacement.ClearFormatting
With WA.Selection.Find
.Text = from_text
.Forward = True
.Wrap = 1
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
IF WA.Selection.Find.Execute Then
WA.Selection = to_text
End If
Next oCell
The goal here is just to use find to select the "from" text, and then assign that selection with the intended "to" text value. This avoids the replace function itself. Tested successfully on my end. The code more closely matches what Word generates in its macro recorder, however some VBA constants have been replaced with numeric values, so buyer beware.
Hope it helps
chk this code snippet
Please refer the below code.
rv = “Are you 56' taller ?”
If I pass 20 fields ie, until [rv = “ Are you 56' taller ? "].
It’s not working because ‘ – apostrophe is used to comment in QTP
How to handle ' ( apostrophe ) in Xpath using QTP ?
Code Snippet:
rv = Replace (rv,"'", "\'")
rv = LEFT(rv,50)
If SVAL = "Yes" Then
Set oobj = Browser("xyz").Page("abc").WebElement("xpath:=//div[contains(text(),'"& rv &"')]/../..//label[starts-with(text(),'Yes')]")
oobj.Click
oobj.Click
i = i+1
End If
I really appreciate your reply.
Try with the character code chr(39) for apostrophe as shown below:
"Are you 56" & chr(39) & " taller ?"
As others mentioned this is not because ' is a comment in vbscript (not just QTP) but because you're ending the string too early.
You use single quotes for the string to compare to in the XPath and then the apostrophe closes the string too early. You should instead use regular quotes there too so that the apostrophe doesn't end the string too early.
In order to get a double quote in a string in VBScript write it twice "Like ""this"" for example".
So your XPath should look like this:
"//div[contains(text(),""Are you 56' taller ?"")]"
Rather than this:
"//div[contains(text(),'Are you 56' taller ?')]"
Or using your example:
Browser("xyz").Page("abc").WebElement("xpath:=//div[contains(text(),"""& rv &""")]/../..//label[starts-with(text(),'Yes')]")
(Note this has been tested and works)
Use ' rather than (') so that the string can be properly processed.
Supporting evidence -> click here.
This has nothing to do with the ' being the comment character. This is normal working code:
Msgbox "'I love deadlines. I like the whooshing sound they make as they fly by.' Douglas Adams"
Your code results into an error because some characters needs to be escaped like <, >, & and your infamous '. To enter the line above correctly into an XML tag you need to do this:
htmlEscaped = "'I love deadlines. I like the whooshing sound they make as they fly by.&apos Douglas Adams"
Here you can find an overview to a set of the most common characters that needs escaping (while this is not totally true: if you are using Unicode/UTF-8 encoding, some characters will parse just fine).
Unfortunately VBScript does not have a native function that escapes HTML like the Escape function for urls. Only if you are on ASP Server, you can use Server.HtmlEncode but that is not the case with you
To generalize html escaping (treath everything as special except for the most commons) you can use a script like this:
Function HTMLEncode(ByVal sVal)
sReturn = ""
If ((TypeName(sVal)="String") And (Not IsNull(sVal)) And (sVal<>"")) Then
For i = 1 To Len(sVal)
ch = Mid(sVal, i, 1)
Set oRE = New RegExp : oRE.Pattern = "[ a-zA-Z0-9]"
If (Not oRE.Test(ch)) Then
ch = "&#" & Asc(ch) & ";"
End If
sReturn = sReturn & ch
Set oRE = Nothing
Next
End If
HTMLEncode = sReturn
End Function
It could be improved a bit (you'll notice passing objects into this function will result into an error) and made more specific: the regular expression could be matching more characters. I do also not know the performance of it, regular expressions can be slow if used incorrectly, but it proves as an example.