Ian, I've isolated the issue. The root cause is in the URL decoder. It's correctly identifying the % as a start of a HEX encoded character, like %20. Only in this case, the parentheses are not valid hex values (0-9 & A-F). Internally this is returning a null. The bug occurs when the null character is replaced into the string, the length is not recalculated correctly and the null character is then available to further code, such as the variable assignment and then the calc expression mechanism in @FILTER. This null character is causing the error, since "#1 = NULL" is not something it knows how to handle.
I've updated the code and the fix will be available in the next release of TS 7. Robert -----Original Message----- From: Ian Evans [mailto:[email protected]] Sent: Monday, May 23, 2016 3:42 PM To: [email protected] Subject: Re: TeraScript-Talk: proper encoding for untrusted input in meta tag expressions Robert, I've done a little playing around, and the input is coming from a querystring parameter. It does not seem to have anything to do with the quote marks, as I initially thought. If you put the following in a results action in a taf and supply ?query=%() in the url it throws the expression eval error: <@EXCLUDE> <@ASSIGN val <@SEARCHARG query>> <@ASSIGN array <@ARRAY value="a,b;<@SQ>,2;">> <@ASSIGN filtered value="<@FILTER array=array expr='#1 = @@val'>"> </@EXCLUDE> @@filtered It does not seem to happen with %( or %), but only %() Thanks, -Ian On 05/23/16 15:24, Robert Shubert wrote: > Ian, > > I'm not able to reproduce this issue as you've stated it. Here's the test I > did: > > <@ASSIGN val <@SQ>> > <@ASSIGN array <@ARRAY value="a,b;<@SQ>,2;">> <@FILTER array=array > expr='#1 = @@val'> > > And the return of @FILTER was the correct array, without error. > > I'm on 7.1.1 Windows. Please see if my test works on your system to rule out > a difference. Then we'll need to look more closely ar your case. > > Robert > > -----Original Message----- > From: Ian Evans [mailto:[email protected]] > Sent: Monday, May 23, 2016 12:36 PM > To: [email protected] > Subject: TeraScript-Talk: proper encoding for untrusted input in meta > tag expressions > > Hi, > > I'm trying to filter an array based on user input, and assign the result: > > <@ASSIGN NAME="array_contains_input" SCOPE="request" VALUE="<@FILTER > ARRAY='request$some_array' EXPR='#1 = <@VAR > request$untrusted_input>'>"> > > If the untrusted input contains ' (single quote) or " (double quote) or both, > the application errors out with "Error during expression evaluation." I > assume it's because the quote mark in the input is being parsed as part of > the meta tag. > > Is there any way to encode the untrusted input so that if it contains single > or double quotes it will not interrupt the expression parsing, but would > still be accurately compared in the expression? > > This code is running on: > > TeraScript Server Advanced 7.0.3.0 Mac OS X (32-bit) > > Thanks, > -Ian > > > > ---------------------------------------- > > To unsubscribe from this list, please send an email to > [email protected] with "unsubscribe terascript-talk" in the body. > > > > > ---------------------------------------- > > To unsubscribe from this list, please send an email to > [email protected] with "unsubscribe terascript-talk" in the body. > > ---------------------------------------- To unsubscribe from this list, please send an email to [email protected] with "unsubscribe terascript-talk" in the body. ---------------------------------------- To unsubscribe from this list, please send an email to [email protected] with "unsubscribe terascript-talk" in the body.
