
RE: Soap Question



Sanitation of web input should be happening in the browser and most importantly in the CGI/PHP/Java/etcetera server backend.

I hope by the time you get the data to send back an order confirmation, that the data has appropriately been cleaned. But I know that sometimes we need to be extra careful too. If you want to sanitize the data values for things that might mess up the xml message, I would write a general purpose routine in part using:

*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * http_EscapeXml(): Escape any special characters used by XML   
 *                                                               
 *     peString = (input) string to escape                       
 *                                                               
 * Returns escaped string.                                       
 *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D http_EscapeXml  PR          4096a   varying                    
D  peString                   4096a   varying const       

Here is an example program to try it out.

     H DFTACTGRP(*NO) BNDDIR('HTTPAPI')                  
       
      /copy qrpglesrc,httpapi_h                          
       
     D xmldata         S             52a                 
                                                                                     
       xmldata = 'some data value & and some other data';
       dsply xmldata;                                    
       xmldata = http_EscapeXml(xmldata);                
       dsply xmldata;                                    
                                                         
       xmldata = '"''&<>';                               
       dsply xmldata;                                    
       xmldata = http_EscapeXml(xmldata);                
       dsply xmldata;                                    
                                                         
       *inlr = *on;                                      
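
What escaping the data values buys you, seen from the side that parses the SOAP message. This is an added Python example, not part of the original message and not HTTPAPI code: `escape_xml` is a stand-in assumed to behave like `http_EscapeXml` for the five characters in the test string above, and the `OrderConfirmation` element names and sample values are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumption: the five predefined XML entities, matching the "'&<> test
# string in the RPG program above. Not HTTPAPI's own implementation.
_XML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}

# Constructed sample values, as they might arrive from a web order form.
CUSTOMER = "Smith & Sons"
NOTE = 'Ship the <b>large</b> size, mark it "fragile"'

def escape_xml(value: str) -> str:
    """Escape one data value. Apply to values only, never to the markup."""
    return "".join(_XML_ENTITIES.get(ch, ch) for ch in value)

def build_envelope(customer: str, note: str, escape: bool = True) -> str:
    """Build a hypothetical OrderConfirmation SOAP message from two values."""
    if escape:
        customer, note = escape_xml(customer), escape_xml(note)
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        "<soapenv:Body><OrderConfirmation>"
        f"<Customer>{customer}</Customer>"
        f"<Note>{note}</Note>"
        "</OrderConfirmation></soapenv:Body></soapenv:Envelope>"
    )

def is_well_formed(envelope: str) -> bool:
    """True if an XML parser accepts the message at all."""
    try:
        ET.fromstring(envelope)
        return True
    except ET.ParseError:
        return False

def read_back(envelope: str) -> dict:
    """Parse the message as the receiver would and report what it sees."""
    order = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body/OrderConfirmation")
    return {
        "customer": order.findtext("Customer"),
        "note": order.findtext("Note"),
        "note_children": [child.tag for child in order.find("Note")],
    }

if __name__ == "__main__":
    print(read_back(build_envelope(CUSTOMER, NOTE)))                  # values survive intact
    print(is_well_formed(build_envelope(CUSTOMER, NOTE, False)))      # bare & is rejected
    print(read_back(build_envelope("Smith and Sons", NOTE, False)))   # <b> becomes markup
```

With escaping, both values come back exactly as entered. Without it, the bare `&` makes the whole message unparseable, and the `<b>` in the note is read as a child element, so the receiver sees a truncated note.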


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jim Muehe
Sent: Friday, April 10, 2015 11:24 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Soap Question

Just worried about garbage.
Doing SOAP to generate Order Confirmation emails -- who knows what kind of garbage gets put into the web.

Jim Muehe



-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mike Krebs
Sent: Friday, April 10, 2015 10:03 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Soap Question

I do not think any of the EXAMPLE programs show special encoding. It is not needed in most cases.

Just create your SOAP message and send it. See what happens!

What kind of encoding do you think you need? The archives contain discussions about various types of problems others have encountered. Since I am unsure of what type of encoding you think you will need, I am unsure where to point you to.

-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jim Muehe
Sent: Friday, April 10, 2015 9:50 AM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Soap Question

Mike,

Are there any tools in the HTTPAPI that would work for encoding SOAP's? Example on how to use it?


Jim Muehe


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mike Krebs
Sent: Thursday, April 09, 2015 4:56 PM
To: HTTPAPI and FTPAPI Projects
Subject: RE: Soap Question

This represents an evolution of the tool. Like the examples, most SOAP messages sent using http_url_post_xml can be sent without further encoding, escaping, or translation.

Web data (that intended to be displayed) needs a way to tell a < from a &lt. Unless you expect your xml values to have xml tags in it, you should not have a problem with this. If you are transferring or receiving xml tags as data values (not as tags), you might have to code for them but that should be apparent as you know what your data is.


-----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jim Muehe
Sent: Thursday, April 9, 2015 4:07 PM
To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx
Subject: Soap Question

Hello,

I have used http_url_post_xml but in conjunction with the WEBFORM & http_url_encoder_addvar. Now I need to do a SOAP. In the samples I did not see that it was encoded. Does it need to be? Easiest way to do it?

This might be a stupid question, but I am pretty ignorant on this stuff.


Jim Muehe | Sr. Programmer Analyst | CHEFS(r) | An Affiliate of *Target Corporation(r) | 5070 Centennial Blvd. | Colorado Springs, CO 80919
719.272.2618 (P) | 719.272.2624 (F) | www.CHEFScatalog.com<http://www.chefscatalog.com/> | www.Target.com<http://www.target.com/>


________________________________
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply e-mail and destroy all copies of the original message.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
