No Escape



  • I assumed the conversation must have gone something like this:

    Good dev from across the room: "You must escape the ampersands"

    Blithering fool: "HURR DURR OKAY DURR"

    Result:

    pageObject.id +"&type=5" 



  • Perfectly valid invalid string escaping.



  • Would that even compile?



  • @MiffTheFox said:

    Would that even compile?

    Every interpreted language I've tried would in this case just ignore the backslash, IIRC. Not sure about C(++) or Java, but should be fine for every interpreted language I've tried.



  • @derula said:

    @MiffTheFox said:

    Would that even compile?

    Every interpreted language I've tried would in this case just ignore the backslash, IIRC. Not sure about C(++) or Java, but should be fine for every interpreted language I've tried.


    Nope for Java: "Illegal escape character". Just as well, I guess.



  • @dhromed said:

    "You must escape the ampersands"
    "The sands of Amper river have magically come alive and they are coming for you!

    Do you have what it takes to escape them?"

    (Btw, there's this, but I'm not convinced.)



  • @Daid said:

    Perfectly valid invalid string escaping.
     

    [url=http://www.haskell.org/onlinereport/haskell2010/haskellch2.html#x7-200002.6]Perfectly valid, but utterly pointless string escaping in Haskell:[/url]

    @Haskell report said:

    Consistent with the “maximal munch” rule, numeric escape characters in strings consist of all consecutive digits and
    may be of arbitrary length. Similarly, the one ambiguous ASCII escape code, "\SOH", is parsed as a string of length

    1. The escape character & is provided as a “null character” to allow strings such as "\137&9" and "\SO&H" to
      be constructed (both of length two). Thus "&" is equivalent to "" and the character '&' is disallowed.



  • Valid-ish in LaTeX but probably needs to be &{}type



  • Shouldn't that be:



    pageObject.id +"&amp;amp;amp;<..>amp;amp;amp;amp;amp;amp;amp;amp;amp<STACK OVERFLOW>type5"



  • @derula said:

    @MiffTheFox said:

    Would that even compile?

    Every interpreted language I've tried would in this case just ignore the backslash, IIRC. Not sure about C(++) or Java, but should be fine for every interpreted language I've tried.

     

    Correct.

     



  • @dhromed said:

    @derula said:

    @MiffTheFox said:

    Would that even compile?

    Every interpreted language I've tried would in this case just ignore the backslash, IIRC. Not sure about C(++) or Java, but should be fine for every interpreted language I've tried.

     

    Correct.

     

    PHP would leave the backslash as a literal backslash, even in double-quoted strings. Thus this is true: (('\&' === '&amp;') && ("\&" === "&amp;") && ('&amp;' === "&amp;"))



  • @derula said:

    Every interpreted language I've tried would in this case just ignore the backslash, IIRC. Not sure about C(++) or Java, but should be fine for every interpreted language I've tried.
    Correct, at least for values of "every interpreted language" equal to "Perl":

    @man perlre said:

    Backslashed metacharacters in Perl are alphanumeric, such as "\b", "\w", "\n".  Unlike some other regular expression languages, there are no backslashed symbols that aren't alphanumeric.  So anything that looks like \, (, ), &lt;, &gt;, {, or } is always interpreted as a literal character, not a metacharacter.

     

     

     



  • @dhromed said:

    I assumed the conversation must have gone something like this:

    Good dev from across the room: "You must escape the ampersands"

    Blithering fool: "HURR DURR OKAY DURR"

    Result:

    pageObject.id +"&amp;type=5" 

     

     

    pageObject.id + "&amp;type=' OR 1=1;DELETE * FROM Company WHERE employeeId='blithering fool';--"

     

    FTFY

     



  • @Zemm said:

    PHP would leave the backslash as a literal backslash, even in double-quoted strings. Thus this is true: (('\&' === '&amp;') && ("\&" === "&amp;") && ('&amp;' === "&amp;"))

    Hmm. In Ruby, '\&' == &amp;, but "&amp;" == &. In Javascript, '\&' == "\&" == &amp; and '&amp;' == "&amp;" == &.



  • @derula said:

    @Zemm said:
    PHP would leave the backslash as a literal backslash, even in double-quoted strings. Thus this is true: (('\&' === '&amp;') && ("\&" === "&amp;") && ('&amp;' === "&amp;"))

    Hmm. In Ruby, '\&' == &amp;, but "&amp;" == &. In Javascript, '\&' == "\&" == &amp; and '&amp;' == "&amp;" == &.

    Interesting. '\&', == "'\&'" "&amp;" && =& '&amp;' \ "\&" & \ snoofledumpjins &&amp; == "&" = &? "\&" "\" == '\' = & == &!



  • When did this turn into a perl thread?



  • TRWTF is that the original code doesn't even look like Perl, seeing as they're using + for string concatenation.

    That's why I probably assumed it was Java or something. I thought it was PHP at first until I noticed that.



  • @MiffTheFox said:

    TRWTF is that the original code doesn't even look like Perl, seeing as they're using + for string concatenation.

    That's why I probably assumed it was Java or something. I thought it was PHP at first until I noticed that.

     

    I'm going to assume it's javascript.



  • @DescentJS said:

    I'm going to assume it's javascript.

    If it is, then it should be <![CDATA[ wrapped, and then the sands of Amper wouldn't need to be escaped.

    ...You are <![CDATA[ wrapping your Javascript in XHTML, aren't you..?

    Say, what does CS do with and open <![CDATA[ tag..? Let's find out: <![CDATA[ <p> Hmm, not much I guess. Interestingly, the tag shows up when I edit this post, but not when I quote it.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.