Reza: Sure, I understand; maybe I should have specified: I was
taking the web service, set up for testing, feedback and discovery, as
a point of departure to look ahead at a service with a public
endpoint. I'm not suggesting it is a design or other issue with the
current service.

Bertrand: Yes, I agree, it must be sanitized, however the parameters
come in. The question is at which level the sanitizing does, or should,
happen.

A fairly common bot UA like:

Mozilla/5.0 (compatible; MJ12bot/v1.3.0;
http://www.majestic12.co.uk/bot.php? )

would result in:

http://supersite.com/someresource.js?ua=Mozilla/5.0%20(compatible;%20MJ12bot/v1.3.0;%20http://www.majestic12.co.uk/bot.php?%20)&callback=abc555

In the example I gave (a reverse proxy enforcing 'sanity' on incoming
requests for various web servers and services) this request would never
get 'sanitized'; the proxy would drop it because:
- the request contains "http://" twice
- and (following the specifics of my example) it contains ".php"

esjr
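The drop rules esjr describes for the reverse proxy (more than one "http://" in the request, or any ".php"), as an added example that is not code from the thread or from any of the participants. The check_request function and the three sample requests are hypothetical: the first URL is the one quoted in the message, the other two are constructed here to show a benign UA passing and a percent-encoded variant of the same bot UA that a raw string match would let through, which is the "at which level" question the message raises:

```python
from urllib.parse import unquote

# Constructed sample requests. BOT_REQUEST is the URL quoted in the message;
# the other two are made up for this example.
BOT_REQUEST = (
    "http://supersite.com/someresource.js?ua=Mozilla/5.0%20(compatible;"
    "%20MJ12bot/v1.3.0;%20http://www.majestic12.co.uk/bot.php?%20)&callback=abc555"
)
BENIGN_REQUEST = (
    "http://supersite.com/someresource.js?ua=Mozilla/5.0%20(Windows%20NT%206.1)"
    "&callback=abc555"
)
# Same bot UA, but with the embedded scheme and ".php" percent-encoded so that
# neither rule matches on the raw request line.
EVASION_REQUEST = (
    "http://supersite.com/someresource.js?ua=Mozilla/5.0%20(compatible;"
    "%20MJ12bot/v1.3.0;%20%68ttp%3A%2F%2Fwww.majestic12.co.uk/bot%2Ephp?%20)"
    "&callback=abc555"
)

# Rules as stated in the message: more than one "http://", or any ".php".
MAX_SCHEME_OCCURRENCES = 1
FORBIDDEN_FRAGMENTS = (".php",)


def check_request(url: str, decode: bool = True) -> tuple[bool, str]:
    """Apply the proxy's drop rules to a full request URL.

    Returns (allowed, reason). With decode=True the rules run over the
    percent-decoded request, which is what a proxy has to do if it wants the
    rules to hold for encoded payloads as well as the literal ones.
    """
    text = unquote(url) if decode else url
    low = text.lower()
    if low.count("http://") > MAX_SCHEME_OCCURRENCES:
        return False, "http:// appears more than once"
    for frag in FORBIDDEN_FRAGMENTS:
        if frag in low:
            return False, f"contains {frag}"
    return True, "ok"


if __name__ == "__main__":
    for name, url in (("bot", BOT_REQUEST), ("benign", BENIGN_REQUEST),
                      ("evasion", EVASION_REQUEST)):
        for decode in (False, True):
            allowed, reason = check_request(url, decode=decode)
            print(f"{name:8} decode={decode!s:5} -> {'pass' if allowed else 'DROP'} ({reason})")
```

The literal bot request is dropped whether or not the proxy decodes, because both "http://" strings appear verbatim. The encoded variant only trips the rules after decoding, so a proxy that pattern-matches the raw request line leaves the sanitizing to whatever sits behind it, which is the point both replies in the thread agree on: the parameter still has to be sanitized somewhere.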