On Wed, 24 Nov 2010 16:50:26 -0500, John McKown wrote:
>In a UNIX based system, a badly coded system could be subject to an
>injection attack if a $ is not properly escaped. You could possibly
>reference an environment variable.
>
Which is the reason that HTML, etc. define character entities:
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
(which happen to include euro and yen (yuan), but not dollar). And
the customary encoding employs '&' and ';'. So if the authors need
to embed commands in an HTML document, they should employ lead-out
sequences with characters which can be encoded when they otherwise
appear, avoiding '&' and ';' and (e.g.) '$'. Since code points
128 to 255 are used in the increasingly pervasive UTF-8, it's a
good idea to avoid these in embedded commands.
After referring earlier to xkcd/327, I searched the archives but
failed to find it. It was likely in TSO-REXX, in the perennial
INTERPRET thread. Same need for prudence.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html