Chris Radcliff chris_radcliff at
Fri May 14 14:39:23 CDT 2004

On May 14, 2004, at 11:28 AM, Ken Loomis wrote:
>  The one thing I can't quite figure out is how the hackers are 
> entering carriage returns (or, new lines) to achieve multiple lines in 
> the subject.

Mark Jason Dominus once gave a talk about Web application security. His 
first rule was, "Never trust the browser."  It's possible to submit all 
sorts of things (including %0A, a newline), and some browsers allow 
anything to be entered in a text field, even if yours doesn't. :)

>  I am assuming the RE above does remove the carriage returns and 
> the new lines. Is that correct?

That is.  In this case, \n and \r are both matched by "characters that 
aren't A-Za-z0-9. ," and therefore removed.
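As an added example (not code from this thread), the same idea in Python: URL-decode the form field as a CGI script would, flag a CR or LF before the value ever reaches a mail header, and apply the thread's whitelist character class, which deletes \r and \n along with everything else outside A-Za-z0-9, '.', space and ','. The raw form value and the X-Extra header name are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Whitelist from the thread, as a Python pattern: any character that is NOT
# one of A-Za-z0-9 '.' ' ' ',' gets removed. \r and \n are not in the set,
# so they are removed too.
NOT_ALLOWED = re.compile(r'[^A-Za-z0-9. ,]')

def decode_form_field(raw):
    """URL-decode a submitted field the way a CGI script sees it
    (%0D -> '\\r', %0A -> '\\n', '+' -> ' ')."""
    return unquote_plus(raw)

def has_header_injection(value):
    """True if a value meant for a single header line contains CR or LF."""
    return '\r' in value or '\n' in value

def sanitize_subject(value):
    """Apply the whitelist: drop every character outside the allowed set."""
    return NOT_ALLOWED.sub('', value)

def injected_header_names(value):
    """Names of header-shaped lines after the first line, for logging the
    attempt (detection aid; returns [] for a clean single-line value)."""
    lines = re.split(r'\r\n|\r|\n', value)
    names = []
    for line in lines[1:]:
        m = re.match(r'([A-Za-z][A-Za-z0-9-]*):', line)
        if m:
            names.append(m.group(1))
    return names

def check_subject(raw):
    """Decode, flag and sanitize one submitted subject field."""
    decoded = decode_form_field(raw)
    return {
        'decoded': decoded,
        'flagged': has_header_injection(decoded),
        'smuggled_headers': injected_header_names(decoded),
        'clean': sanitize_subject(decoded),
    }

if __name__ == '__main__':
    # Constructed sample: a subject with an encoded CRLF and a second line.
    print(check_subject('Hello%0D%0AX-Extra%3A+injected'))
```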




The posting address is: san-diego-pm-list at