I have an orchestration that sends out emails and I'm trying to write out the email subject to include nodes from the XML. I want to write the following in the subject:
EDI 860 - PO Change Notification:(Buyer Name),(Buyer City),(Buyer State)
This is how I wrote it in the expression:
emailSubject = "EDI 860 - PO Change Notification:"+"/*[local-name()='Name' and namespace-uri()='']/*[local-name()='buyer_name' and namespace-uri()='']"+"/*[local-name()='Name' and namespace-uri()='']/*[local-name()='city' and namespace-uri()='']"+"/*[local-name()='Name' and namespace-uri()='']/*[local-name()='state' and namespace-uri()='']";
Is this correct? I'm pretty new to orchestrations and writing expressions. I didn't get any errors while writing and it seems like valid language, but I don't have a test environment to try it out on. I'm worried that the email will currently come out like this:
EDI 860 - PO Change Notification:(Buyer Name)+(Buyer City)+(Buyer State)
For starters. Get a test environment or at the very least test it in your dev environment. You should not release anything that has not been tested.
No, it would not work like that, see Using XPaths in Message Assignment
It would have to look like the below where you also tell it that it is an xpath and have the name of the message (msg)
myString = xpath(msg, "string(/*/book[1]/title)");
Even if it had worked it would look like the second one example, as you aren't adding the commas in the string concatenation.
Also rather than trying to use XPaths, you might want to look at using distinguished fields in your schema. This will make it a lot easier to refer to elements in your payload and make it easier for developers to read (it still uses XPaths under the hood).
To use the distinguished field you just refer to the message name & field name
e.g.
emailSubject = "EDI 860 - PO Change Notification:"+ msg.Name.buyer_name + "," + msg.Name.city + "," + msg.Name.state;
Related
I wrote a small service in go (although I don't think this would be a language specific issue), that caches some results by saving it to a file, and writing a URL query parameter into the filename with "prefix" + param + ".json" using ioutil.WriteFile. The service runs on Ubuntu.
Is it possible to do something malicious, by passing an unexpected string via the query?
Relevant attacks that come to mind are called path injection. For example what if the query parameter is something like ../../etc/passwd (okthis would probably not work as the user running this service would have no permissions, but you get the point). For example it could be possible to overwrite your service code itself.
You should sanitize the parameter before adding it to the filename. The best would be a strict whitelist of letters and numbers that are allowed, anything else should ve removed from the parameter. That way injection would not be possible.
You can also check whether the path you are writing to is actually under an explicitly allowed directory.
I will make a test in python, here is the struct of the project
app1/main.py
while True:
a = input() # passing query
with open("{}.json".format(a), "w") as f:
f.write("Hello world")
now i am a hacker, and i want to change "yourfile.json"
so i passed this
and than, the content of yourfile.json become: Hello world
I need to create a BizTalk solution wherein I'll need to call an SMS gateway URL from BizTalk server. Is there a way to do this?
The URL looks like below. I only need to pass the phone_number and the text_msg parameter in doing this.
http://111.111.1.111/sendsms.cgi?mobile_number=+6512345678&text_msg=test
If it is a REST API then you can use the WCF-WebHttp Adapter and pass the Phone Numbers and TExt message as variables in the URL itself.
These properties (Phone No and Text message) would need to be promoted and then will be passed dynamically.
This has been resolved by adding an Expression shape in my orchestration and in that expression I have placed this line of code.
sendPort_SendSms(Microsoft.XLANGs.BaseTypes.Address) = "http://111.111.1.111/api/sendsms.cgi?" + "mobile_number=" + varMobileNumber + "&" + "text_msg=" + varMessageBody;
I have declared my 2 parameters: mobile_number(varMobileNumber) and text_msg(varMessageBody) as variables so I can just pass whichever value in it.
This worked like a charm.
I'm doing some client-side stuff with Javascript/JQuery with .Net controls which expose their GUID/UniqueIdentifier IDs on the front end to allow them to be manipulated. During debugging something is driving me crazy: The GUIDs in the db are stored in uppercase, however by the time they make it to the front end they're in lowercase.
This means I can't quickly copy and paste IDs into the browser's console to execute JS on the fly when devving/debugging. I have found a just-about-workable way of doing this but I was wondering if anyone knew why this behaviour is the case and whether there is any way of forcing GUIDs to stay uppercase.
According to MSDN docs the Guid.ToString() method will produce lowercase string.
As to why it does that - apparently RFC 4122 states it should be this way.
The hexadecimal values "a" through "f" are output as lower case characters and are case insensitive on input.
Also check this question on SO - net-guid-uppercase-string-format.
So the best thing you can do is to call ToUpper() on your GUID strings, and add extension method as showed in the other answer.
If you're using an Eval template, then I'd see if you can do this via an Extension method.
something like
public static string ToUpperString(this Guid guid, string format = "")
{
string output = guid.ToString(format);
return output.ToUpper();
}
And then in your Eval block,
myGuid.ToUpperString("B")
Or however you need it to look.
I'm on my Mac at the moment so I can't test that, but it should work if you've got the right .Net version.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
" & etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following " -> "
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What i would suggest is that you write a quick script that goes through the database and unencode the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded1, the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
1Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".
To show this fundamental issue in .NET and the reason for this question, I have written a simple test web service with one method (EditString), and a consumer console app that calls it.
They are both standard web service/console applications created via File/New Project, etc., so I won't list the whole code - just the methods in question:
Web method:
[WebMethod]
public string EditString(string s, bool useSpecial)
{
return s + (useSpecial ? ((char)19).ToString() : "");
}
[You can see it simply returns the string s if useSpecial is false. If useSpecial is true, it returns s + char 19.]
Console app:
TestService.Service1 service = new SCTestConsumer.TestService.Service1();
string response1 = service.EditString("hello", false);
Console.WriteLine(response1);
string response2 = service.EditString("hello", true); // fails!
Console.WriteLine(response2);
[The second response fails, because the method returns hello + a special character (ascii code 19 for argument's sake).]
The error is:
There is an error in XML document (1, 287)
Inner exception: "'', hexadecimal value 0x13, is an invalid character. Line 1, position 287."
A few points worth mentioning:
The web method itself WORKS FINE when browsing directly to the ASMX file (e.g. http://localhost:2065/service1.asmx), and running the method through this (with the same parameters as in the console application) - i.e. displays XML with the string hello + char 19.
Checking the serialized XML in other ways shows the special character is being encoded properly (the SERVER SIDE seems to be ok which is GOOD)
So it seems the CLIENT SIDE has the issue - i.e. the .NET generated proxy class code doesn't handle special characters
This is part of a bigger project where objects are passed in and out of the web methods - that contain string attributes - these are what need to work properly. i.e. we're de/serializing classes.
Any suggestions for a workaround and how to implement it?
Or have I completely missed something really obvious!!?
PS. I've not had much luck with getting it to use CDATA tags (does .NET support these out of the box?).
You will need to use byte[] instead of strings.
I am thinking of some options that may help you. You can take the route using html entities instead of char(19). or as you said you may want to use CDATA.
To come up with a clean solution, you may not want to put the whole thing in CDATA. I am not sure why you think it may not be supported in .NET. Are you saying this in the context of serialization?