Peter Gutmann wrote:
>
> I was more concerned about people doing things like using %39 to escape
> filtering for ' characters, a la Microsoft's continuing ".." problems.

That's something I was curious about as well. I know parts of Microsoft's version of the TDS protocol are done in Unicode. If you pass the appropriate escape character in Unicode, the script that's trying to strip out dangerous stuff wouldn't catch it. The only problem I can see is how do you keep IIS from decoding the Unicode first (talking about web form access, obviously.)

BB
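Added example, not part of the original message: a Python sketch of the ordering problem the thread raises, comparing a quote filter that inspects the raw value with one that canonicalizes first. The function names, the nesting limit and the sample inputs are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: deeper nesting than this is treated as hostile
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # non-standard %uXXXX form that IIS accepts


def canonicalize(value: str) -> str:
    """Decode until nothing changes, so the filter sees what the backend will see."""
    for _ in range(MAX_ROUNDS):
        step = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        step = unquote(step)                        # %27 -> '
        step = unicodedata.normalize("NFKC", step)  # U+FF07 fullwidth apostrophe -> '
        if step == value:
            return value
        value = step
    raise ValueError("too many encoding layers")


def naive_filter_rejects(raw: str) -> bool:
    """The ordering the thread worries about: inspect the raw value only."""
    return "'" in raw


def canonical_filter_rejects(raw: str) -> bool:
    """Canonicalize first, then inspect; fail closed on excessive nesting."""
    try:
        return "'" in canonicalize(raw)
    except ValueError:
        return True


# Constructed sample inputs, not taken from the thread.
SAMPLES = ["Brien", "O'Brien", "O%27Brien", "O%2527Brien", "O%u0027Brien", "O\uff07Brien"]


def compare(samples=SAMPLES):
    """Return (input, naive verdict, canonical verdict) for each sample."""
    return [(s, naive_filter_rejects(s), canonical_filter_rejects(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, canonical in compare():
        print(f"{sample!r:18} naive={naive!s:5} canonical={canonical}")
```

Only the literal quote is caught by the raw check; every encoded variant passes it and is caught after canonicalization. Bound query parameters remove the dependency on quote filtering altogether.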
This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 20:30:31 PST