Android SMS app ignores a trailing “?” when the URL containing a trailing “?” is clicked

I send an SMS saying "Click on https://www.example.com/?"

When I receive this SMS on an Android phone, only the https://www.example.com is clickable. The "?" is visible in the SMS, but is not part of the clickable URL.

Is there some way to escape the ? or do some other workaround so that click on the link goes to https://www.example.com/?

EDIT: Forget Android - even on this page on stackoverflow - the "?" is not part of the clickable link

3 Answers

Answers 1

Can you replace the question mark (?) by %3F

www.example.com/%3F

See:

https://www.w3schools.com/tags/ref_urlencode.asp

Answers 2

This appears to be correct behaviour (as far as I have observed on other systems) - an empty query string (effectively a dangling question mark) is not necessarily part of the URL so appears as punctuation.

As a workaround my suggestion is to ensure you always provide a parameter:

https://www.example.com/?a=a 

Ideally you can find something that makes the link enticing to the user (rather than only confusing):

https://www.example.com/?vip=yes 

Because these are not query parameters you are actually using, they should not affect your page processing

Answers 3

Hi you can send by converting to short url by https://goo.gl/ and you can get same as expected .

Read More

Storing malicious code in a database - is escape-on-output always the correct approach?

Just want to understand the thinking here and arrive at a correct and accepted approach to this issue. For context this is in a web environment and we are talking about escaping on input to the database.

I understand many of the reasons behind not escaping on input when taking user input and storing it into a database. You might want to use that input in a variety of different ways (as JSON, as SMS etc) and you also might want to show that input to the user in its original form.

Before putting anything into the database we make sure there is no SQL injection attacks to protect the database.

However following the principals set out here and here, they suggest the approach of saving user input as is. This user input might not be an SQL injection attack, but it could be other malicious code. In these cases is it OK to store Javascript based XSS attacks into the database?

I just want to know if my assumptions here are correct, are we all fine with storing malicious code in the database so long as that malicious code doesn't directly affect the database? Is it a case of it not being the database's problem, it can hold this malicious code and its up to the output device to avoid the pitfalls of the malicious code?

Or should we be doing more escaping on input than suggested by these principals - does the security concerns come before the idea of escaping on output? Should we take the approach that no malicious code enters the database? Why would we want to store malicious code anyway?

What is the correct approach for saving malicious code into a database in the context of a web client/server environment?

[For the purposes of this I am ignoring any sites that specifically allow code to be shared on them, I am thinking of "normal" inputs such as Name, Comment and Description fields.]

1 Answers

Answers 1

Definition: I use the term "sanitize" instead of filter or escape, because there's a third option: rejecting invalid input. For example, returning an error to the user saying "character ‽ may not be used in a title" prevents ever having to store it at all.

saving user input as is

The security principle of "defense in depth" suggests that you should sanitize any potential malicious input as early and often as possible. Whitelist only the values and strings useful to your application. But even if you do, you'll have to encode/escape these values too.

Why would we want to store malicious code anyway?

There are times where accuracy is more important than paranoia. For example: user feedback may need to include potentially disruptive code. I could imagine writing user feedback that says, "Every time I use type %00 as part of a wiki title the application crashes." Even if wiki titles don't need the %00 characters, the comment should still transmit them accurately. Failing to allow this in comments prevents operators from learning about a serious issue. See: Null Byte Injection

up to the output device to avoid the pitfalls of the malicious code

If you need to store arbitrary data, the correct approach is to escape as you switch to any other encoding type. Note that you must decode (unescape) and then encode (escape); there is no such thing as non-encoded data - even binary is at least Big-Endian or Small-Endian. Most folks use the language's built in strings as the 'most decoded' format, but even that can get wonky when considering Unicode vs ASCII. User input in web applications will be URLEncoded, HTTP Encoded, or encoded according to the "Content-Type" header. See: http://www.ietf.org/rfc/rfc2616.txt

Most systems now do this for you as part of templating or parameterized queries. For example, a parameterized query function like Query("INSERT INTO table VALUES (?)", name) would prevent the need to escape single quotes or anything else in the name. If you don't have a convenience like this, it helps to create objects that track data per encoding type, such as HTMLString with a constructor like NewHTMLString(string) and Decode() function.

Should we take the approach that no malicious code enters the database?

Because the database cannot determine all future possible encodings, it is impossible to sanitize against all potential injections. For example, SQL and HTML may not care about backticks, but JavaScript and bash do.

Read More

Is .textContent completely secure?

I'm doing element.textContent = unescapedData to put unescaped user input on a website. Is there any way for an attacker to do something bad using this?

Also, is there any way for an attacker to affect the page outside of element (meaning outside the 30rem by 3rem box) if it has the following css?

max-width: 30rem; max-height: 3rem; overflow: hidden; 

I've thought about using weird or invalid Unicode characters, but couldn't find any information on how to accomplish this.

2 Answers

Answers 1

Plain text set at .textContent is not executable outside of script element where .type is set to text/javascript.

Would suggest using pattern attribute with appropriate RegEx at input element within form to address potential concerns.

Answers 2

The relevant spec seems to be at https://dom.spec.whatwg.org/#dom-node-textcontent. Assuming element is an Element or DocumentFragment, a Text node is created and its data is set to the string unescapedData. And this Is a DOM Text Node guaranteed to not be interpreted as HTML? seems pretty definitive that a browser won't render a Text node as anything but text. I haven't tracked that down in the spec yet.

So, unless the browser is defective, the answers are "no" and "no".

Read More

Ruby on Rails: Allow less than sign '<' inside code block with sanitize helper

I'm trying to escape user generated content in Rails. I have used raw with sanitize and raw helpers to filter content like this:

raw(sanitize(code, :tags =>   ['<', 'h2','h3','p','br','ul','ol','li','code','pre','a'] )) 

The list of tags mentioned are allowed in the content.

The problem is when I try to test it with a sql query like this:

mysql -u sat -p -h localhost database <  data.sql 

inside pre and code blocks it removes everything after the less than (<) sign.

Please help me figure out a way to do this.

4 Answers

Answers 1

I don't believe this is possible using the default sanitize method within Rails.

Instead try using the Sanitize gem (https://github.com/rgrove/sanitize)

require 'sanitize'  allowed_elements = ['h2','h3','p','br','ul','ol','li','code','pre','a'] code             = "<pre>mysql -u sat -p -h localhost database < data.sql</pre>"  Sanitize.fragment(code, elements: allowed_elements) # => <pre>mysql -u sat -p -h localhost database &lt; data.sql</pre> 

To use this to save sanitized content to the database add a before_save filter to you model that runs sanitize on the user generated content and stores the result, e.g.

class MyModel < ActiveRecord::Base    ALLOWED_ELEMENTS = ['h2','h3','p','br','ul','ol','li','code','pre','a']    before_save :sanitize_code    private    def sanitize_code     self.code = Sanitize.fragment(code, elements: ALLOWED_ELEMENTS)   end end 

When you output the content you just need to use the raw view helper e.g.

<%= raw @instance.code %> 

Answers 2

This might help, sanitizer has options to provide white list of tags and attributes needs to ignored during sanitization

ActionView::Base.full_sanitizer.sanitize(html_string) #Basic Syntax 

White list of tags and attributes can be specified as bellow

ActionView::Base.full_sanitizer.sanitize(html_string, :tags => %w(img br p), :attributes => %w(src style)) 

Above statement allows tags: img, br and p and attributes : src and style.

Answers 3

Rails 3 added the html_safe property for every String instance. Every string that is printed or inserted to the database will be escaped unless html_safe is set to true (simplified). What raw does, is actually set html_safe to true. So you should only pass a string that is already safe/escaped.

A possible solution could look something like this:

strip_tags(code).html_safe

You might have to add additional checks / string replacements depending on your use case.

According to your comment, you probably need a little more complex version. You could try to replace all chars that you would like to allow, sanitize the string, and then reverse the replacement in order to avoid that the sanitize method sanitizes more than you actually want. Try something like this:

code = "mysql -u sat -p -h localhost database < data.sql"  ALLOWED_SIGNS = {   :lower_than => "<".html_safe }  s = code.dup ALLOWED_SIGNS.each { |k, v| s.sub!(v, "%{#{k}}") } sanitize(s) % ALLOWED_SIGNS 

Answers 4

It seems like the whole issue was with the way data being stored in the database. Previously, a less than sign '<' was being saved as it is but now it is being escaped so a '<' would be saved as < which seems to have solved the problem.

I was able to understand that accidentally while using tinymce-rails WYSIWYG editor which was escaping the '<' automatically.

@kieran-johnson's answer might have done the same but tinymce-rails solved it without installing an extra gem.

Thank you all of you who took out time to help.

Read More

mysqldump, avoid escape double quotes

When I have a field with double quotes, mysqldump put the escape character before. For example:

'My "test"' -> mysqldump generates a file with that field like 'My \"test\"'

The problem is that I'm using that file to import some data into a sqlite database, and SQLite doesn't remove the escape character. So I don't need that mysqldump writes escape characters, can I do that?

3 Answers

Answers 1

I am unsure what language you are using. But the concept would be the same in any programming language.

First declare a variable equal to your sqldump.

var yourVariable = sqldump; 

Then do a string.replace("\\", ""). Then use that 'cleaned' version to import your data with.

Answers 2

Which SQL mode do you use? Look at the mysqldump manual: http://dev.mysql.com/doc/refman/5.7/en/mysqldump.html

--quote-names, -Q

Quote identifiers (such as database, table, and column names) within “`” characters. If the ANSI_QUOTES SQL mode is enabled, identifiers are quoted within “"” characters. This option is enabled by default. It can be disabled with --skip-quote-names, but this option should be given after any option such as --compatible that may enable --quote-names.

--quote-names is enabled by default.

ANSI_QUOTES

Treat “"” as an identifier quote character (like the “`” quote character) and not as a string quote character. You can still use “`” to quote identifiers with this mode enabled. With ANSI_QUOTES enabled, you cannot use double quotation marks to quote literal strings, because it is interpreted as an identifier.

Answers 3

From a google search I found this which is reworking the output of mysqldump so sqlite can use it. Not tested and 5 years old but I think:

• you may find useful information
• it may mean other people didn't find a more elegant solution

EDIT:

As per the comments, to answer your question it looks like you don't have a choice but replace \" into ".

Here is a repo with a script which translates mysqldump files into something sqlite can digest. In particular, for your question, you can find this line:

gsub( /\\"/, "\"" ) 

Read More