Specify Bad Form Characters

The angle bracket, ampersand, and quotation mark characters (<, >, &, ") are commonly used in cross-site scripting attacks. The BadFormChars parameter specifies which of these characters the Web Agent encodes as HTML character entities before writing them into an HTML form. Because only the dynamically substituted values are encoded, the form template itself can still intentionally contain scripting code for presenting the authentication challenge, while user-supplied data cannot be echoed back to the browser as markup.

There are only four valid characters for this setting, and all four are enabled by default: <, >, &, ". Adding any character other than these four has no effect.

Note: The quotation mark (") must be entered as %22, the hexadecimal equivalent of the ASCII character.

If your application uses custom forms and requires these characters to remain unencoded in raw HTML, leave the BadFormChars parameter blank. The following settings show the possible results:

Parameter Setting                 Result
BadFormChars=""                   No characters are encoded
BadFormChars="<,>,%22,&"          All four characters are encoded:
                                  < is encoded as &lt;
                                  > is encoded as &gt;
                                  & is encoded as &amp;
                                  " (%22) is encoded as &quot;
BadFormChars="<,>"                Only the < and > characters are encoded
BadFormChars="%22"                Only the quotation mark (") is encoded

Note: Do not put spaces between the opening and closing quotation marks and the value they enclose.

Only the values substituted for directives are encoded; the source lines of the form template, such as those in login.fcc, are left unchanged. Encoding the substituted values prevents dynamic data that contains scripting code from being sent back to the browser as part of the form, while the template's own markup and any intentional scripting it contains remain intact.
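The following is an added model of the behaviour described above; it is not the CA Web Agent's code. It parses a BadFormChars value the way the table describes (comma-separated tokens, %22 for the quotation mark, characters outside the four valid ones ignored), encodes only the data substituted for a directive, and leaves the template's own lines alone. The $$name$$ marker is a hypothetical stand-in for a form-template directive, and the template and the attacker-controlled value are constructed for the demonstration.

```python
"""Illustrative model of the BadFormChars encoding (not the CA Web Agent's code)."""
import re
from urllib.parse import unquote

# The only four characters the setting honours, and the entity each becomes.
ENTITY_FOR = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}

# Hypothetical $$name$$ marker standing in for a form-template directive.
DIRECTIVE = re.compile(r"\$\$(\w+)\$\$")


def parse_bad_form_chars(setting):
    """Return the set of characters to encode for a BadFormChars value.

    Accepts the value with or without its enclosing double quotes, e.g.
    '<,>,%22,&' or '"<,>"'.  Tokens are comma-separated and percent-decoded
    (so %22 becomes "); anything outside the four valid characters is
    ignored, as the documentation states.
    """
    if len(setting) >= 2 and setting[0] == '"' and setting[-1] == '"':
        setting = setting[1:-1]
    chars = set()
    for token in setting.split(","):
        for ch in unquote(token):
            if ch in ENTITY_FOR:
                chars.add(ch)
    return chars


def encode_value(value, bad_chars):
    """Encode only the configured characters of a substituted value.

    Each original character is examined once, so the '&' inside an emitted
    '&lt;' is never re-encoded.
    """
    return "".join(ENTITY_FOR[ch] if ch in bad_chars else ch for ch in value)


def render_form(template, substitutions, setting):
    """Substitute directives into the template, encoding only the substituted data.

    The template's own source lines, including any intentional <script>, pass
    through untouched; only what replaces a directive is encoded.
    """
    bad_chars = parse_bad_form_chars(setting)

    def replace(match):
        return encode_value(substitutions.get(match.group(1), ""), bad_chars)

    return DIRECTIVE.sub(replace, template)


# Constructed form template and a constructed attacker-controlled value for the demo.
TEMPLATE = (
    '<form method="post">\n'
    "<script>document.forms[0].submit();</script>\n"  # intentional template script
    '<input type="hidden" name="target" value="$$target$$">\n'
    "</form>\n"
)
SUBSTITUTIONS = {"target": '"><script>alert(1)</script>'}

if __name__ == "__main__":
    for setting in ('"<,>,%22,&"', '"<,>"', '""'):
        print(f"BadFormChars={setting}")
        print(render_form(TEMPLATE, SUBSTITUTIONS, setting))
```

Running the three settings side by side shows why the default of all four characters matters: with BadFormChars="<,>" the substituted quotation mark is left alone, so the value still closes the quoted attribute, and a payload built from an event handler attribute needs no angle brackets at all. The template's own <script> line is emitted unchanged in every case, which is the behaviour the preceding paragraph describes.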

Copyright © 2010 CA. All rights reserved.