where to find the two hexadecimal digits
Hi,
I need to address a security issue. Could someone let me know where I can find a table listing all the two hexadecimal digits representing characters (e.g., ?, (, + )? In other words, the ASCII value (in hex) for signs and characters.
Thanks!
wty
Benahimvp
07-19-2002, 03:58 AM
How about this page (http://www.cdrummond.qc.ca/cegep/informat/Professeurs/Alain/files/ascii.htm)?
justame
07-19-2002, 04:05 AM
wty...
does these just a help®???
URL's are encoded by replacing spaces with plus signs and replacing symbols with "%" followed by their 2 digit (hex) ASCII value. The character "%" is encoded to "%25", so all "%" characters are encoded, and the "+" character is encoded to "%2B", so all "+" characters are replaced spaces. Note that "%" can be used or "%x" to get the same result (%2B = %x2B = the + character).
http://www.breakingpar.com/bkp/home.nsf/Doc!OpenNavigator&U=830B9F6BB4A899AB87256AFB0014A04A
-----------------------------------------
%3F with a question mark
http://www.ssc.com/websmith/issues/i3/ws16.html
------------------------------------
http://www1.tip.nl/~t876506/charsets.html
just a checkout® thattt page @ the bottom :O)))
Hi Benahimvp,
Thank you very much for your reply!
I try to understand "cross-site" scripting, or malicious code. Do you know any site that gives a SIMPLE explanation of these terms?
Thanks again!
wty
:)
Benahimvp
07-19-2002, 04:13 AM
What exactly are you trying to do anyway?
Hi,
I was told that I need to prevent my code from a "cross-site" scripting attack. I try to understand it first, then I can prevent it from happening.
I guess once the server side receives the data, I need to decode the data and then validate them before further processing the data. Am I right?
Thanks!
wty
mordred
07-19-2002, 04:28 AM
This page has very detailed information about Cross-Site-Scripting:
http://www.cert.org/tech_tips/malicious_code_mitigation.htm
A good example for Cross-Site-Scripting is stealing cookies by omitting to check user's input data. Take this forum's posting possibilities: If you were allowed to insert HTML tags, and these were not validated against an allowed-tags collection, you could post a message that contains JavaScript encapsulated within the <script> tags.
This code would be eventually carried out by your browser if scripting is activated. That can range from an annoying 123,456 x alert("Please click me") to real security problems with stealing cookie information. Since the javascript runs in a page served by the forum site, JS can access cookies stored for this site - although the script itself has been inserted by a malicious user. And because a cookie *might* contain sensitive data (also privacy related data), this is considered a security issue.
The problem itself is a large area; conclusion is most often to never, never ever trust the user's input data. And of course never to include password data as GET parameters, if you don't want it to appear in other servers' logfiles.
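The server-side step discussed in this thread (decode the submitted value once, then check markup against an allowed-tags collection before output), as an added example that is not code from any of the posters. It is JavaScript for Node.js rather than JSP, and the tag list, length limit and function names are assumptions.

```javascript
// Added example: constructed for illustration, not code from the thread.
// Runs under Node.js; the same steps apply in a JSP/servlet back end.

// Tags allowed in a post (hypothetical forum policy). No attributes permitted.
const ALLOWED_TAGS = ['b', 'i', 'u', 'code'];

// Decode a form-encoded value exactly once: "+" means space, "%XX" is a hex byte.
// Returns null for malformed sequences such as "%zz" or invalid UTF-8.
function decodeFormValue(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (err) {
    return null;
  }
}

// Replace the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape everything, then restore only exact, attribute-less allowed tags.
// Anything else (script tags, tags carrying attributes) stays inert text.
// A stray closing tag of an allowed kind may remain; it carries no script.
function renderPostBody(rawFormValue) {
  const decoded = decodeFormValue(rawFormValue);
  if (decoded === null || decoded.length > 5000) return null; // reject, do not guess
  const tagPattern = new RegExp('&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')&gt;', 'gi');
  return escapeHtml(decoded)
    .replace(tagPattern, (m, slash, tag) => '<' + slash + tag.toLowerCase() + '>');
}

// Constructed sample submissions, as they would arrive percent-encoded.
const samples = [
  'Hello+%3Cb%3Eworld%3C%2Fb%3E',            // allowed tag is kept
  '%3Cscript%3Ealert(1)%3C%2Fscript%3E',     // script tag becomes text
  '%3Cb+onclick%3D%22x()%22%3Ehi%3C%2Fb%3E', // attribute makes the tag text
  '%253Cscript%253E',                        // double-encoded: decoded once only
  'bad+%zz',                                 // malformed escape: rejected
];
for (const s of samples) console.log(JSON.stringify(s), '->', JSON.stringify(renderPostBody(s)));
```

Client-side JavaScript validation can be bypassed by anyone sending the request directly, so the check that counts is this server-side one.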
Benahimvp
07-19-2002, 04:28 AM
You're still not telling me what you're really trying to do. I know you're trying to stop a "cross-site" attack or something, but when are you trying to use this security? When you're submitting forms?
Sorry I didn't make it clear. I have a JSP page. I will use javascript to validate input data first on the client side, then submit the form. Once the server side receives the data, decode and validate the data again.
Hi Benahimvp, justame, and mordred,
Thank you all for your replies! I learned quite a lot on this subject tonight.
Have a good night!
wty