[Mono-dev] [PATCH] MS/Mono incompatibility in System.Web.HttpRequest
Gonzalo Paniagua Javier
gonzalo at ximian.com
Fri Mar 17 19:58:05 EST 2006
On Fri, 2006-03-10 at 09:53 -0500, Chris Toshok wrote:
> I just read in Schackow's ASP.NET 2.0 security book about this,
> actually. He says that the three sequences that result in rejecting a
> string are:
>
> 1. a < followed by a !
> 2. a < followed by the letters a-z (upper or lowercase)
> 3. a & followed by a #
>
> Did your testing reveal that 3 wasn't used? I was planning to commit a
> change that does the above 3 checks today.
Btw, you also have to check for those Unicode characters which
correspond to a '<' and '>'.
-Gonzalo
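
The three checks listed in the quoted message, together with the Unicode check raised in the reply, can be sketched as follows. This is an added example, not code from the patch or from Mono's System.Web; the class and method names are hypothetical, and treating the fullwidth forms U+FF1C and U+FF1E as the Unicode characters in question is an assumption.

```csharp
using System;

static class RequestValidationSketch
{
    // Assumption: the "Unicode characters which correspond to '<' and '>'"
    // are taken here to be the fullwidth forms U+FF1C and U+FF1E.
    const char FullwidthLess = '\uFF1C';
    const char FullwidthGreater = '\uFF1E';

    static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Returns true when the value contains one of the rejected sequences.
    public static bool IsRejected(string value)
    {
        if (string.IsNullOrEmpty(value))
            return false;

        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            // Fullwidth brackets are rejected wherever they appear (assumption).
            if (c == FullwidthLess || c == FullwidthGreater)
                return true;
            if (i + 1 == value.Length)
                break; // the remaining rules need a following character
            char next = value[i + 1];
            if (c == '<' && (next == '!' || IsAsciiLetter(next)))
                return true; // rules 1 and 2: "<!" or "<" plus a letter
            if (c == '&' && next == '#')
                return true; // rule 3: "&#"
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs: the first three pass, the rest are rejected.
        string[] samples = { "a < b", "1 <2", "AT&T", "<b>bold</b>",
                             "<!-- x -->", "&#60;b", "\uFF1Cb\uFF1E" };
        foreach (string s in samples)
            Console.WriteLine("{0,-12} rejected={1}", s, IsRejected(s));
    }
}
```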