Specify Bad Form Characters

The following characters are commonly used in cross-site scripting attacks:

If you want to use scripting code to present forms to a user during an authentication challenge, configure the Web Agent to encode any of the previous characters as literal HTML before sending them to an HTML form, using the following parameter:

BadFormChars

Specifies the characters that the Web Agent encodes as literal HTML characters before using them as output on a form. Only directive substitutions are encoded; the source lines of the form template (for example, the login.fcc template) are left unchanged. Encoding the substituted values prevents dynamic data that contains scripting code from being sent back to the browser as data in the form.

Default: Disabled (no literal encoding)

Example: <, >, &, %22

Limits:

To set the BadFormChars parameter

  1. Enable the BadFormChars parameter by removing the # character in front of it.

    The BadFormChars parameter is enabled with all of the previous characters included.

  2. (Optional) Remove any characters that you do not want to use from the list. Verify that the remaining characters are separated from one another with commas.
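The encoding behaviour described for BadFormChars, and the comma-separated list the procedure produces, as an added Python model that is not the Web Agent's own code: it parses the page's example list (decoding %22 to a double quote), encodes only the values substituted into directives, and leaves the template's own source lines untouched. The `$$name$$` directive syntax and the sample template are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the BadFormChars value from the page's example.
BAD_FORM_CHARS = "<, >, &, %22"

# Assumed directive syntax: $$name$$ is replaced with a request-supplied value.
DIRECTIVE = re.compile(r"\$\$(\w+)\$\$")


def parse_bad_form_chars(value):
    """Split the comma-separated list and decode %XX items (e.g. %22 -> '"').

    An empty or commented-out parameter yields an empty set, which models
    the default: no literal encoding.
    """
    chars = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            chars.add(unquote(item))
    return chars


def encode_literal(text, bad_chars):
    """Replace each listed character with a numeric HTML entity.

    The browser then renders the character as text instead of parsing it
    as markup, so dynamic data cannot close an attribute or open a tag.
    """
    return "".join("&#%d;" % ord(ch) if ch in bad_chars else ch for ch in text)


def render_form(template, values, bad_chars):
    """Substitute directives, encoding only the substituted values.

    Source lines of the template (including its own < > " characters)
    are emitted unchanged, exactly as the parameter description states.
    """
    def substitute(match):
        return encode_literal(values.get(match.group(1), ""), bad_chars)
    return DIRECTIVE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed template line and a dynamic value containing all four characters.
    tpl = '<input type="hidden" name="target" value="$$target$$">'
    print(render_form(tpl, {"target": '<b>x</b> & "y"'}, parse_bad_form_chars(BAD_FORM_CHARS)))
```

With the parameter disabled (an empty list) the same call returns the dynamic value verbatim, which is the behaviour the default leaves you with.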