"Special characters not allowed" - and we eat only raw meat
-
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
-
Well, filenames can't have certain characters, so in some cases, telling the user that is okay, in my eyes.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013If you are naming a file, then it's understandable to check for those characters. But not in a username or password or plain text input field to be inserted into a file or database.
If you think 'goto' is evil, try writing an Assembly program without JMP.
-
IMHO, there shouldn't be any restrictions on length or composition of a password if they are using proper security. It looks like they are either storing passwords as clear-text, which is incredibly bad, or they are encrypting the passwords in the database, which is also bad. If they used salted hashes, like they should, none of it would matter.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Wait, what, he was writing a product review, nothing to do with passwords.
Never underestimate the power of human stupidity RAH
-
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
Maybe the developer had special needs... Anyway, what's so special about "special" characters? It's a phrase that's always got my back up. Is it just meant to be non-alphanumeric characters? These "special" characters are not so special when it comes to punctuation, etc!
-
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
Hey, it could be worse. I recently inherited a code base that won't even compile in release mode, only debug mode. And OFC it's using C's char type all over the place. Hey, the codebase is from 2016 mind you, so both Unicode and Unicode path names are a thing. And we're a German R&D office so umlauts are a thing as well. Ah, and the running code expects several support files RELATIVE TO THE WORKING DIRECTORY! In the meantime, I was able to toss that monstrosity. Do you want to guess what my successor did? He wrote a batch file to change to the proper folder and then launch the binary. Instead of fixing the source code to ignore the working directory. Ah, and this batch file bloody hell relies on an environmental variable to tell it where it lies itself. A part of this, I know for a fact, is to blame on both my predecessor's and my successor's deep hate for Windows and love for Linux (so they litereally couldn't give less of a damn how to makes things properly work on Windows), another part is simply "I don't want to learn anything new since I learned coding back in the 60s". And, I kid you not, this is but a slightly redacted quotation of the answer I received when trying to teach one of those guys ARC to pass a linked list between a part they're mainaining and the part that I was maintaining. And here we're back to where you started: Some people are just stuck in the 60s, or generally in the past. Learned coding back then, when 7-bit ASCII was the only way to go and simply couldn't care less about keeping up with the times. Even if keeping up with the tiems is but a matter of using ready constructs (like Unicode strings or c++'s list).
-
YouMeanYouWouldNotLetHimEvenUseSpacesQuestionMark
Software Zen:
delete this; -
YouMeanYouWouldNotLetHimEvenUseSpacesQuestionMark
Software Zen:
delete this; -
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
I have my own thoughts on this... Hold on a sec, I have a cold.... {cough, cough}Lazy Bastards{cough, cough} now where was I.... oh yes, well there we go :-)
-
Well, filenames can't have certain characters, so in some cases, telling the user that is okay, in my eyes.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013I used to have an Amiga 1000 which allowed filenames to have special characters and even non-printable characters. It worked great. That computer was way ahead of its competitors.
-
YOUARERIGHTIMISSEDTHATISTHISBETTERYOUMEANYOUWOULDNOTLETHIMEVENUSESPACESQUESTIONMARK
Software Zen:
delete this; -
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
It's easier to parse later with AI. (Take the lowest common denominator font; "alpha-numerics" only.) I think even Google at one time would stumble with "capitalized" versus "not".
"(I) am amazed to see myself here rather than there ... now rather than then". ― Blaise Pascal
-
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
1. Read this: https://www.owasp.org/index.php/XSS\_(Cross\_Site\_Scripting)\_Prevention\_Cheat\_Sheet 2. Ponder your own code that reflects user input data (like comments) back to a web page. 3. Realize that disallowing ALL special characters makes the data in the DB very future proof. Points to consider: 1. Assume any input is trying to hack you 2. Don't trust that the data in your DB is really safe if a user entered it originally. e.g., Today you emit from DB -> HTML and everything is safe. Tomorrow you emit from DB -> JSON and a lurking time bomb blows up in your face as all of your customers start mining bitcoin for someone (not you). P.S. Consider becoming a vegetarian
-
If you are naming a file, then it's understandable to check for those characters. But not in a username or password or plain text input field to be inserted into a file or database.
If you think 'goto' is evil, try writing an Assembly program without JMP.
Password raise a scary thought. If they're rejecting special characters in a password it implies they're writing it straight into the database as plain text without hashing it.
-
Password raise a scary thought. If they're rejecting special characters in a password it implies they're writing it straight into the database as plain text without hashing it.
A very good observation. There is another argument (I am not saying that it is valid, though: I prefer to use passphrases, not passwords. Phrases have space in them. If you prefer to primarily work in a command line environment (read: You're a Linux guy), you want the password to be an argument on the call line, like -p passwd. Standard command line parsers want the argument value to be a single word, or you would have to quote it, and that is too cumbersome. You can go on from there: If the real -p argument starts with (/contains) a quoting charcter (there are several), a hyphen, a backslash, ... then it must be quoted in some suitable way, even if it consists of a single word. The method of quoting may depend on which special character(s) that makes quoting necessary. In a GUI, you don't have to be concerned about printable characters - they are all valid. Of course the encoding must be defined - trying to use an 8859-1 encoding of the key to decrypt a document which was encrypted with an UTF-8 encoding of the same key won't work. As long as you state that 7 bit ASCII "should be enough for everybody" (again: You are a Linux guy) different encodings is not an issue: ASCII is a subset of all 8859-variants and of UTF-8. So if you rule out non-ASCII characters to avoid encoding issues, and all those characters that is affected by command line parsing conventions, there isn't that much left beyond a-zA-Z0-9.
-
I used to have an Amiga 1000 which allowed filenames to have special characters and even non-printable characters. It worked great. That computer was way ahead of its competitors.
I was a student in the minicomputer era, and when we managed to get hold of the Administrator password, we created users with ESC in the password. On this OS, ESC was used to escape(!) out of the current operation, such as specifying the keyword. The login procedure was restarted. I, and a few other students could still login, by escaping the ESC. You wouldn't discover it by watching us log in: When reading the password, nothing was echaoed. When *nix arrived, we excelled in making file names such as ../myfile, or \r\n/myfile (backslashes were not escapes), or with a backspace character in the name. Maybe some of these file names are illegal in modern *nixes - given that the primary user interface is a command line, a few restrictions can make sense.
-
YouMeanYouWouldNotLetHimEvenUseSpacesQuestionMark
Software Zen:
delete this;Few programmers are aware that space has no significance in Fortran: GOTO and GO TO are equivalent (or G OTO, if you prefer). Nor are there any reserved words: You can declare an INT EGER REAL variable or a REAL COMPLEX, so that REAL is integer and COMPLEX is real. Disclaimer: I never worked with Fortran after Fortan-77. Newer Fortran standard may have changed these syntax rules.
-
When I get to see user prompts like that it really makes me feel someone's stuck on the stone age of web development. I'm not sure, I could be wrong. Do we still limit user from entering special characters? If yes, for what reason someone should be blocking these innocent characters? - * +, - & _ etc. I was painstakingly writing a product review in detail. At the end when I clicked on Submit button, it says "Please avoid using special characters". As if it's just a ignorable warning. It jus didn't let me submit till I removed the last quote symbol. How weird this is. I thought it's just about removing angle brackets (HTML Tags). But I had to remove even quotation marks,:, ; ,-, + , &,/,\ everything. Is there a sane reason behind this restriction? (I remember me restricting people entering "<>" tags in input box when I tried my very first classic Asp page :) )
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
As a main rule, I write software to handle any name etc. in two forms: One "internal", technical, which may be restricted in use of encoding, special characters including space, lenght etc. This is the true identifier for an object, or whatever. The other is an arbitrary length "User friendly" name which may contain arbitrary characters, and it may even be replaced with another name depending on the UI language; it is used in all user dialogs. The "disadvantage" is that the application code very much leaves this name to be controlled by the user. So e.g. uniqueness cannot be guaranteed. Sure, the code could have refused to accept a duplicate name, but that would restrict the UI naming. (UI names can originate from different sources, so who has "the highest right" to use a given name?) In an interactive UI both matches can be presented, with additional metadata for the user to select. For non-interactive applications, I always make a fallback to the internal name (which is not at all "secret"), so that batch files / scripts may uniquely identify an object no matter what the user friendly names are. (But for that reason, some resemblance with the user friendly name turns out to be "user friendly" :-)) This is very much in the style of database identification of tuples: Selection may be based on one or more user specified values, or on some tuple ID defined as a primary key if no (combination of) user attributes are suitable. I have followed this naming philosophy, with a restricted syntax "internal" name and a free syntax "external" name for a handful systems, and I am so satisfied with it that I will continue to do it that way in future projects whenever it fits in among other requirements.
-
Wait, what, he was writing a product review, nothing to do with passwords.
Never underestimate the power of human stupidity RAH
For short terms with very specific semantics I tend to be more tolerant to syntactic restrictions (although I will do what I can to reduce them). For example passwords, you may have to specify them through a variety of input mechanisms (GUI, command line interface, smartphone app, ...), with no guarantee that the device provides all the characters. If you are abroad to give a demonstration of your new web site, requiring logon, and the password you use is "Vømmøl", how do you specify it on that US keyboard? (In case you wonder: Vømmøl is a dialect variant of vadmel, which is Norwegian for a homespun wool quality used for working clothes. Knowing that won't help your login, though!) For a plain text, like this product review, I have much stronger objections. Such a text should be left untouched by digital hands. You should be allowed to use any printable character, and essentially non-printable as well. It should be treated as a binary blob except by those functons that actually relate to the text contents. But we computer guys think it is just so convenient having access to the <, / and > as text. We crave for these special characters, these escapes. "For convenience" we do not want text contents to be any arbitrary sequence of characters. We are beginning to learn, the hard way, about the dangers of SQL injection (everybody knows https://xkcd.com/327/ today), but we are still accepting HTML code injection. A few years ago, numerous web sites would mess up the screen completely if you happened not to add the appropriate closing tags. There is less of that nowadays, but still text may disappear in mysterious ways because the author was unaware of the special semantic meaning of <. Or of the ampersand. Or the backslash. Or ... HTML, or other text-based markup, is not fit for human consumption. Visible characters are text, not markup. If there is a need to add markup, it should be done outside the text, and the code-behind may use whatever internal encoding it wishes, as long as it does not interfere with the text contents. Ordinary users think it perfectly OK to click an "italics" or "chapter level 2" button; those insisting on textual taggig are essentially the computer guys! CP gives us a helping hand through the Preview pane. That is really an emergency workaround - other net fora offer editors where the writer works directly in the "tags interpreted" format. Yes, that requires more work; the input editor cannot be limited to 7-bit ASCII (or its relatives). But if you d
-
1. Read this: https://www.owasp.org/index.php/XSS\_(Cross\_Site\_Scripting)\_Prevention\_Cheat\_Sheet 2. Ponder your own code that reflects user input data (like comments) back to a web page. 3. Realize that disallowing ALL special characters makes the data in the DB very future proof. Points to consider: 1. Assume any input is trying to hack you 2. Don't trust that the data in your DB is really safe if a user entered it originally. e.g., Today you emit from DB -> HTML and everything is safe. Tomorrow you emit from DB -> JSON and a lurking time bomb blows up in your face as all of your customers start mining bitcoin for someone (not you). P.S. Consider becoming a vegetarian
I'm not a web developer. And I'm confused. My understanding is that the complexity of protecting against possible attacks comes from HTMLs use of special characters for special purposes that may lead the interpreter of the web page (usually the browsers HTML engine) to perform actions that were not intended. (I suppose it's similar for Java, Javascript, or other languages that are ultimately interpreted by some web page interpreter or web runtime engine) What I don't get is why this could be possible for input fields that are only meant for plain text input: aren't these recognizable to the interpreter as containers with content that shouldn't be interpreted at all? If so, why would the contents - user-provided or not - be subjected to any restriction at all? Why should the browser even try to interpret the input field contents? If not, why not? Why is there no way to define input field contents as off-limits to the interpreter?
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
