question
Chris Radcliff
chris_radcliff at mac.com
Fri May 14 14:39:23 CDT 2004
On May 14, 2004, at 11:28 AM, Ken Loomis wrote:
> The one thing I can't quite figure out is how the hackers are
> entering carriage returns (or, new lines) to achieve multiple lines in
> the subject.
Mark Jason Dominus once gave a talk about Web application security. His
first rule was, "Never trust the browser." It's possible to submit all
sorts of things (including %0A, a newline), and some browsers allow
anything to be entered in a text field, even if yours doesn't. :)
> I am assuming the RE above does remove those carriage returns and
> the new lines. Is that correct?
That is. In this case, \n and \r are both matched by "characters that
aren't A-Za-z0-9. ," and therefore removed.
~c
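Added example, not code from this thread: a short Perl script showing how a URL-encoded %0A arrives in the subject as a real newline, and how a whitelist regex of the kind described in the reply (assumed here to be s/[^A-Za-z0-9. ,]//g, since the list's actual RE is not quoted in this message) removes \r and \n before the value is placed in a mail header. The function names and the sample form value are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Shows why a raw form
# value can contribute extra header lines and how the whitelist regex
# described in the reply neutralises it. Names and input are made up.
use strict;
use warnings;

# Decode a URL-encoded form value the way a CGI library would, so that
# "%0A" becomes "\n" and "%0D" becomes "\r".
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Assumed form of the RE discussed above: keep only letters, digits,
# period, space and comma. Everything else, including "\r" and "\n",
# is deleted, so the value can never start a new header line.
sub clean_subject {
    my ($s) = @_;
    $s =~ s/[^A-Za-z0-9. ,]//g;
    return $s;
}

# Constructed example of a submitted "subject" field. A browser's text
# box would not normally let a user type this, but nothing stops a
# hand-built request from sending it.
my $raw     = 'Hello%0D%0ASecond%20line%0D%0A';
my $subject = url_decode($raw);

# Count the newlines the value would add if dropped into the header
# unchanged, then again after cleaning.
my $unsafe_count = () = $subject =~ /\n/g;
my $safe         = clean_subject($subject);
my $safe_count   = () = $safe =~ /\n/g;

print "decoded value contains $unsafe_count newline(s)\n";
print "cleaned value contains $safe_count newline(s): '$safe'\n";
```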
The posting address is: san-diego-pm-list at hfb.pm.org