Solved

Special Characters in Form Fields blocked by SecureIIS

Posted on 2008-06-16
3
243 Views
Last Modified: 2008-06-16
Our server uses SecureIIS for security, and it has a function where it screens all POST variables from forms for special characters.  I have several content management forms on my site that need to be able to accept en-dash and em-dash characters but SecureIIS kicks out an error whenever it receives one of these because it thinks it's malicious.  Does anyone know if there is a configuration setting in SecureIIS anywhere where I can specify "safe" characters?
0
Comment
Question by:lghaman123
  • 2
3 Comments
 
LVL 9

Accepted Solution

by:
Rurne earned 500 total points
ID: 21796851
It sounds like SecureIIS is accepting only ASCII encoding.  Under the Shellcode option, you will see high-bit shellcode protection.  Anything outside of "standard" ASCII is considered high-bit (greater than €), so basically SecureIIS gives Unicode the hatchet job.  Em dash (—) and en dash (–) are covered under UTF-8, but not under ASCII.  SecureIIS readily acknowledges that this messes up multilingual sites, but this will also affect any file uploads/binary data submitted through a form.  You should disable all High Bit Shellcode options to restore functionality.
0
 

Author Comment

by:lghaman123
ID: 21797030
Thanks for your prompt response.  Not sure if my IT guys will let me do that but we'll see.

Thanks!
0
 
LVL 9

Expert Comment

by:Rurne
ID: 21797077
It's really pretty obnoxious.  It would be great if eEye would allow you to specify a particular character set and would provide proper escaping for, say, UTF-8.  However, there are several known exploits for Unicode, which is why Unicode gets blocked by default in SecureIIS.  Unfortunately, it's an either/or situation; if you want em and en dashes, you may be opening yourself to potential exploits.

HTH
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article discusses four methods for overlaying images in a container on a web page
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question