CodingForums.com - View Single Post

sbhmf · 01-09-2013, 07:59 PM

I've not seen this before, and though my brief 3-hour search on curl is terribly insufficient I have not seen anything that that threatens the integrity of the server, db or client in my specific scenario (as defined in my opening post in the details section). [Note that I believe that the server and db are not vulnerable because the server never deserializes the xml tag, it only drops it as a blob/clob into the db via sproc, and hence it will never execute. MY concern is about what happens when the xml stream is desrialized on the client.] Please elaborate and if possible point me to a resource where such an attack is clearly explained, so that I may adequately prepare for it. Thanks.

On another note, my question also addressed performance. Specifically, if I were do define an HTML encoding function then there are many ways to do it, and I prefer to rely as much as possible on native js functions because they run on binary which is much more efficient. Please compare the following two options, neither of which will outperform a replacement done in binary, and offer any comments on options for enhanced performance using client-side js:

/*reads the string 3 times:*/
function encodeHtml(Value){
return Value.replace('<', "<').replace('>', ">').replace('"', "&quote;');
}

/*reads the string once:*/
function encodeHtmlInput(Value){
var tmp='';
for(var i=0; i<Value.length; i++)
tmp+= Value[i]=='<'?'<':Value[i]=='>'?'>':Value[i]=='"'?'&quote;':Value[i];
return tmp;
}

01-09-2013, 07:59 PM	PM User \| #5
sbhmf New Coder Join Date: Jan 2013 Location: Sunnyvale, CA Posts: 40 Thanks: 3 Thanked 1 Time in 1 Post	I've not seen this before, and though my brief 3-hour search on curl is terribly insufficient I have not seen anything that that threatens the integrity of the server, db or client in my specific scenario (as defined in my opening post in the details section). [Note that I believe that the server and db are not vulnerable because the server never deserializes the xml tag, it only drops it as a blob/clob into the db via sproc, and hence it will never execute. MY concern is about what happens when the xml stream is desrialized on the client.] Please elaborate and if possible point me to a resource where such an attack is clearly explained, so that I may adequately prepare for it. Thanks. On another note, my question also addressed performance. Specifically, if I were do define an HTML encoding function then there are many ways to do it, and I prefer to rely as much as possible on native js functions because they run on binary which is much more efficient. Please compare the following two options, neither of which will outperform a replacement done in binary, and offer any comments on options for enhanced performance using client-side js: /reads the string 3 times:/ function encodeHtml(Value){ return Value.replace('<', "<').replace('>', ">').replace('"', "&quote;'); } /reads the string once:/ function encodeHtmlInput(Value){ var tmp=''; for(var i=0; i<Value.length; i++) tmp+= Value[i]=='<'?'<':Value[i]=='>'?'>':Value[i]=='"'?'&quote;':Value[i]; return tmp; } Last edited by sbhmf; 01-09-2013 at 09:06 PM.. Reason: fixed typo