Problem with urls containing | or []
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17574
Printed Date: 13 April 2026 at 9:30pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Problem with urls containing | or []
Posted By: mantey
Subject: Problem with urls containing | or []
Date Posted: 18 December 2005 at 9:12pm
I want to ask a question. Some URLs have special characters like | or [ or ]. When I type a URL containing these characters in the WYSIWYG editor, it ignores them after submitting a post. So the URL has all characters except the ones mentioned above. Of course such URLs are not valid.
How to solve this problem?
Replies:
Posted By: WebWiz-Bruce
Date Posted: 19 December 2005 at 6:20am
These characters are not usually used in URLs and are removed to prevent XSS hacking.
------------- Web Wiz Forums Hosting: https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting: https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: mantey
Date Posted: 26 December 2005 at 11:14pm
So there is no way to get such URLs to work using WYSIWYG, or is there?
Does anybody have any suggestion how to solve this problem?
Posted By: WebWiz-Bruce
Date Posted: 27 December 2005 at 1:29pm
You could edit the filters file in the functions directory and remove the part of the filter that filters out [ and ], but you leave a security hole that could mean your forum is hacked by an XSS hacker.
Posted By: mantey
Date Posted: 27 December 2005 at 10:27pm
Is it possible to make some mod that gives only administrators special rights, so only administrators (or only one administrator) would be able to use special characters in URLs?
Posted By: WebWiz-Bruce
Date Posted: 28 December 2005 at 2:05pm
You could use code to detect if it is the admin and then not apply the filters:-
    If blnAdmin = False Then
        'do code in here
    End If
Posted By: JJLatWebWiz
Date Posted: 28 December 2005 at 11:31pm
I believe (but I won't bet much money on it) that the vertical line and square bracket characters are among the "national" characters that could have different meanings depending on the user's (or the host server's) selected national character variant 7 bit set. As such, according to W3C, those characters should not be used in a URL. They should be escaped. Some simple changes to the formatLink function in functions_filters.asp would probably do the trick.
Maybe make the following changes:
strInputEntry = Replace(strInputEntry, "[", "&#91;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "]", "&#93;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "(", "&#40;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, ")", "&#41;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "{", "&#123;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "}", "&#125;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "<", "&#60;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, ">", "&#62;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "|", "&#124;", 1, -1, 1)
I haven't tested these suggestions in any way and I haven't analyzed their possible impact on security. I haven't even verified the escape codes are exactly correct. I THINK security will be unaffected and I'm pretty sure the codes are accurate. But I don't accept any responsibility should anyone choose to test my theory. If you have problems with it, I will gladly help via this forum.
------------- p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
Posted By: JJLatWebWiz
Date Posted: 29 December 2005 at 6:44pm
Now, I'm not sure if you should use the hash ASCII HTML Encoding or the URL Encoding escape codes. I think, probably the latter. So you should probably use this instead:
strInputEntry = Replace(strInputEntry, "[", "%5B", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "]", "%5D", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "(", "%28", 1, -1, 1)
strInputEntry = Replace(strInputEntry, ")", "%29", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "{", "%7B", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "}", "%7D", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "<", "%3C", 1, -1, 1)
strInputEntry = Replace(strInputEntry, ">", "%3E", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "|", "%7C", 1, -1, 1)
Posted By: dpyers
Date Posted: 30 December 2005 at 12:54am
That's a useful bit of info. Adding that code to my snippets.
-------------
Lead me not into temptation... I know the short cut, follow me.
Posted By: graper
Date Posted: 31 December 2005 at 12:20am
WOW
------------- WWF forum discussion QQ group: 2652358
WWF forum discussion: Http://Www.CNWWF.Com/Forum/
Posted By: Gando
Date Posted: 09 January 2006 at 11:23pm
Hello,
Where do I have to add this code? I added it inside functions_filters.asp but it doesn't work. I want to use only this | character.
Thanks a lot.
If blnAdmin = false Then
    strInputEntry = Replace(strInputEntry, "[", "%5B", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "]", "%5D", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "(", "%28", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, ")", "%29", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "{", "%7B", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "}", "%7D", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "<", "%3C", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, ">", "%3E", 1, -1, 1)
    strInputEntry = Replace(strInputEntry, "|", "%7C", 1, -1, 1)
End If
Posted By: JJLatWebWiz
Date Posted: 11 January 2006 at 4:39am
These lines already exist in functions_filters.asp. Look for "function formatLink". Inside this function, you will see the lines, but with empty double-quotes. Replace the empty double-quotes with the appropriate escape code.
If you're going to let only administrators post links with these characters, then make it so the blnAdmin links use the escaped codes and regular users still use the empty double-quotes. Those characters should technically be escaped in a URL anyway.
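The per-role behaviour described in the last reply, as an added example that is not Web Wiz Forums code and not part of any post: administrators get the characters percent-encoded, everyone else gets them stripped, and a check confirms that neither branch lets one of the nine characters through in raw form. The names escapeLinkChars, hasRawLinkChars and blnEscape and the sample URL are assumptions; the script is written for cscript, and in ASP the blnAdmin flag from the thread would be passed as blnEscape.

```vbscript
' Added example: not Web Wiz Forums code. escapeLinkChars, hasRawLinkChars
' and blnEscape are hypothetical names; the sample URL is constructed.
Option Explicit

Dim arrChars, arrCodes
arrChars = Array("[", "]", "(", ")", "{", "}", "<", ">", "|")
arrCodes = Array("%5B", "%5D", "%28", "%29", "%7B", "%7D", "%3C", "%3E", "%7C")

' blnEscape = True  : percent-encode the characters (the administrator case)
' blnEscape = False : strip them (the empty double-quotes case)
Function escapeLinkChars(ByVal strUrl, ByVal blnEscape)
    Dim i, strNew
    For i = 0 To UBound(arrChars)
        If blnEscape Then strNew = arrCodes(i) Else strNew = ""
        strUrl = Replace(strUrl, arrChars(i), strNew, 1, -1, 1)
    Next
    escapeLinkChars = strUrl
End Function

' True if any of the nine characters is still present in raw form.
Function hasRawLinkChars(ByVal strUrl)
    Dim i
    hasRawLinkChars = False
    For i = 0 To UBound(arrChars)
        If InStr(1, strUrl, arrChars(i), 1) > 0 Then hasRawLinkChars = True
    Next
End Function

Dim strSample, strAdmin, strUser
strSample = "http://example.com/wiki/Page_(draft)?tags=a|b&id[]=1"  ' constructed
strAdmin = escapeLinkChars(strSample, True)
strUser = escapeLinkChars(strSample, False)

WScript.Echo "admin: " & strAdmin & "  raw chars left: " & hasRawLinkChars(strAdmin)
WScript.Echo "user:  " & strUser & "  raw chars left: " & hasRawLinkChars(strUser)
```

Because the administrator branch still rewrites every one of the nine characters, the link stays usable without skipping the filter for that role.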