Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Special Characters in Form Fields blocked by SecureIIS

Posted on 2008-06-16
3
Medium Priority
?
248 Views
Last Modified: 2008-06-16
Our server uses SecureIIS for security, and it has a function where it screens all POST variables from forms for special characters.  I have several content management forms on my site that need to be able to accept en-dash and em-dash characters but SecureIIS kicks out an error whenever it receives one of these because it thinks it's malicious.  Does anyone know if there is a configuration setting in SecureIIS anywhere where I can specify "safe" characters?
0
Comment
Question by:lghaman123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 9

Accepted Solution

by:
Rurne earned 2000 total points
ID: 21796851
It sounds like SecureIIS is accepting only ASCII encoding.  Under the Shellcode option, you will see high-bit shellcode protection.  Anything outside of "standard" ASCII is considered high-bit (greater than €), so basically SecureIIS gives Unicode the hatchet job.  Em dash (—) and en dash (–) are covered under UTF-8, but not under ASCII.  SecureIIS readily acknowledges that this messes up multilingual sites, but this will also affect any file uploads/binary data submitted through a form.  You should disable all High Bit Shellcode options to restore functionality.
0
 

Author Comment

by:lghaman123
ID: 21797030
Thanks for your prompt response.  Not sure if my IT guys will let me do that but we'll see.

Thanks!
0
 
LVL 9

Expert Comment

by:Rurne
ID: 21797077
It's really pretty obnoxious.  It would be great if eEye would allow you to specify a particular character set and would provide proper escaping for, say, UTF-8.  However, there are several known exploits for Unicode, which is why Unicode gets blocked by default in SecureIIS.  Unfortunately, it's an either/or situation; if you want em and en dashes, you may be opening yourself to potential exploits.

HTH
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question