xhtml special characters between different browsers - c++

i am working on a cgi program , i am receiving an email address like this : someone#site.com and storing it in a file.
but some thing strange happens. when i use IE the '#' char , won't change and it is same in the file , but when i use chrome , '#' char ,changes to %40 and the only way to retrieve the '#' is to find %40 and replace it with '#'.am i coding wrong or chrome has problem?
to understand better :
IE: someone#site.com
Chrome:someone%40site.com
and when i send information back to the browser , %40 doesn't change to #

It's IE that's doing it wrong in actual fact - You need to change the %xx code back to a character. In the case of %40 this would be ASCII no. 0x40 == 64 == '#'. You can't rely on it being ASCII, however, as unicode characters (such as accented letters) will also be similarly encoded.
Most languages like PHP and Python have a helper function to encode and decode these (PHP's is called url_encode() and url_decode()) - I've not used CGI on C++ for a long while, so not sure if there's a helper readily available or if you'll have to code your own - either way you should be prepared to decode url-encoded strings as all browsers will do this for some characters if not all (eg. %20 instead of a space is very common).
Hope this helps!

the answer above is correct , just in make the topic richer i think this peace of code can be the function you use :
int main()
{
int number;
string dataString="hi %40 c++ programmer %40 !";
string transform;
istringstream input;
string::size_type location = dataString.find("%");
while (location <string::npos)
{
transform = dataString.substr(location+1, 2);
input.str(transform);
input >> hex >> number;
dataString.replace(location,3,1,static_cast<char>(number));
location = dataString.find("%", location+1);
}
cout << dataString << endl;
}

Related

Json http respone, if else statement

I CANNOT ALTER THE JSON RESPONSE, SHOWN BELOW.
I want to be able to detect when the POST message was successfully entered into the database. When the data is successfully entered the response is:
{"status":"success","message":"successfully inserted"}
I want to then use an if-else statement in Arduino to detect when this is received from the server. So my code will look something like this:
while(client.available())
{
String line = client.readStringUntil('\n');
Serial.print(line);
Serial.print("\n");
if(line == "{"status":"success","message":"successfully inserted"}")
{
update_var++;
Serial.print("SUCCESSFUL");
break;
}
else
{
Serial.print("UNSUCCESSFUL");
}
}
However, a problem immediately arises in the if statement. This is due to the quotation marks also appearing in the string. How do I use an if-else statement when receiving JSON response?
This just requires escaping if you're testing literally:
if (line == "{\"status\":\"success\",\"message\":\"successfully inserted\"}")
Keep in mind this could just as easily have the keys swapped, there's no guarantee they'll be in that order. This is why using a proper JSON parser is imperative.
I recommend using a JSON library for parsing JSON but if that's not an option, I recommend comparing your String with a raw string literal (option 6 in the link) to avoid escaping of any character:
if(line == R"aw({"status":"success","message":"successfully inserted"})aw") {
// ...
}

C++. I want to save a specific line of characters, that change, in a string

I run a command in CMD through my C++ app which saves the output from that command. In that output, there is a port number and a remote API token, that changes upon each restart of the application im targeting.
This is the output I'm getting through my CMD command, which I store in a string:
"C:/Riot Games/League of Legends/LeagueClientUx.exe" "--riotclient-auth-token=5NFOIOqKB9EfSVsxBMrFUw" "--riotclient-app-port=63498" "--no-rads" "--disable-self-update" "--region=EUW" "--locale=en_GB" "--remoting-auth-token=***vx5yZOk_TkAt9YKq-PEucw***" "--respawn-command=LeagueClient.exe" "--respawn-display-name=League of Legends" "--app-port=63530" "--install-directory=C:\Riot Games\League of Legends" "--app-name=LeagueClient" "--ux-name=LeagueClientUx" "--ux-helper-name=LeagueClientUxHelper" "--log-dir=LeagueClient Logs" "--crash-reporting=crashpad" "--crash-environment=EUW1" "--crash-pipe=\\.\pipe\crashpad_19692_AJMBMQYOZVYYJMRF" "--app-log-file-path=C:/Riot Games/League of Legends/Logs/LeagueClient Logs/2020-07-09T12-55-09_19692_LeagueClient.log" "--app-pid=19692" "--output-base-dir=C:\Riot Games\League of Legends" "--no-proxy-server"
I've tried some stuff with the regex library, and managed to split my results up into words, but I still can't figure out how I save a specific line, that is the port number and the result of remoting-auth-token="characters I want to save".
My code to find out how many words are in the output string:
std::string output = exec("wmic PROCESS WHERE name='LeagueClientUx.exe' GET commandline");
std::regex wregex("(\\w+)");
auto words_begin = std::sregex_iterator(output.begin(), output.end(), wregex);
auto words_end = std::sregex_iterator();
std::cout << "Found: " << std::distance(words_begin, words_end) << std::endl;
PrintMatch(words_begin, words_end);
Output:
´´
Found: 110 CommandLine, C, Riot, Games, League, of, Legends, LeagueClientUx, exe, riotclient, auth, token, 5NFOIOqKB9EfSVsxBMrFUw, riotclient, app, port, 63498, no, rads, disable, self, update, region, EUW, locale, en_GB, remoting, auth, token, vx5yZOk_TkAt9YKq, PEucw, respawn, command, LeagueClient, exe, respawn, display, name, League, of, Legends, app, port, 63530, ´´ And a bit more but character restriction limits me, however the output which I need to store is there. I've set commas to mark new lines in the output.
‘’
It depends on what you mean by "save". Save to file or just assign to a variable? My guess is that you are confused about how iterators work and are wondering how you can fetch the remote-auth-token and the port number to from the words_begin variable. If the number of "words" in the cmd output is always the same you can use:
std::advance(words_begin,16);
std::string port = words_begin->str();
std::advance(words_begin,13);
std::string authToken = words_begin->str();
now, normally you would write the regex so as to only match the part you are interested in. Currently, since you are matching every "word", you are dependent on what position the remote auth token and port number are in the cmd output which might cause your application to break if that output ever changes order or add another word in front.

xss exploit on hardcoded message string

New to pentesting. I ran a vulnerability analysis that points the application that I am testing has quite a few xss vulnerability.
Now how to proceed from here?
Report Screenshot
Source Code :
if(Name !=null)
{
if(Name.equals(server))
{
String appName = request.getParameter("appName");
if(appName !=null && appName.equals(CommonUtil.getProductName()))
{
message = addProductDetails(request, productName, message);
}
}
else if(Name.equalsIgnoreCase(test))
{
ADSMPersUtil.updateSyMParameter("IS_INTEGRATED", "true");
message = "Successfully Integrated";//No I18N
}
else{message = addProductDetails(request, productName, message);}
}
PrintWriter out = response.getWriter();
response.setContentType("text/html");//No I18N
out.println(message);
out.close();
}
catch(Exception e){e.printStackTrace();}
}
If message is not HTML, then it needs to be HTML encoded before being inserted into a HTML stream. Characters like <, >, ", ', & need to be converted to their corresponding HTML entities.
With JSP, then the <c:out> tag does this encoding, and other templating languages have similar ways of doing this.
When writing to the OutputStream directly from Java, then you can use Java methods to do the escaping. See: Recommended method for escaping HTML in Java
If message is already HTML, then the code that generates the HTML similarly needs to escape any data values inserted within it.
With constant strings that don't contain any of these special characters, then you can treat it as a HTML string, or a plain-text string. It's more robust to escape these Strings anyway when outputting them, which prevents any XSS issues from being introduced if the strings change in the future, especially if they're being created in other methods.

How to write ACE_Tstring to file in c++

I'm using windows OS and trying to write ACE_Tstring that contains multiple languages sentence(by Unicode) to a file using ACE_OS::write().
But the result I'm getting in the file is unpredictable characters(gibberish text).
This is my code implemented :
ACE_Tstring *str = new ACE_Tstring(L"مرحبا привет świecie Hello")
ACE_HANDL hFile = ACE_OS::open(L"myfile", _O_WRONLY);
ACE_OS::write(hFile, str, 1048);
wprintf(L"%ls",str->c_str());
As you can see I also print the string to the screen, and on screen I get the characters "????" where any character accept for English characters appear.
Written Text
مرحبا привет świecie Hello
Result on Screen :
?????? ????? ??????? Hello
What am I missing and what is wrong with my code?
ACE_TString is a typedef for ACE_CString when ACE_USES_WCHAR is not set. Try using ACE_WString if you need to force it to wide-chars.

PoDoFo polish characters & PdfContentsTokenizer error

1.
How to get polish characters from pdf file? Can I somehow tell
PdfVariant::getString()
it will process polish characters?
Becouse I get \200instead of ł for example and the funny thing is thats only when ł occures as first "nonbase" character. So if the pdf file begins with aaaałęąaaaa, the ł is coded like \200, the ę like \201 and ą like \202 but if pdf file begins with aaaaąęłaaaa, the ł is coded like \202, the ę like \201 and ą like \200
How can i get this characters in any system?
2.
When i'm trying to extract text from pdf file, I do something like this:
string input_name = "example.pdf";
PdfMemDocument pdf(input_name.c_str());
for (int pn = 0; pn < pdf.GetPageCount(); ++pn) {
PdfPage* page = pdf.GetPage(pn);
PdfContentsTokenizer tok(page);
const char* token = nullptr;
PdfVariant var;
EPdfContentsType type;
while (tok.ReadNext(type, token, var)) {
//etc.
But I got problem with PdfContentsTokenizer tok(page); It doesn't work properly. For some pdf files it goes smoothly and for the other it throws Access violation reading location error in inffas32.asm file, 669 line:
L_get_length_code_mmx:
pand mm4,mm0
movd eax,mm4
movq mm4,mm3
mov eax, [ebx+eax*4]//this is the error line
Btw, I noticed not every pdf file is coded in the same way. For example, using podofobrowser I couldn't see Hello World! text from the official podofo helloworld example. And for the others pdf files podofobrowser showed text in different ways or didn't show it at all.
Ad 1. The link to patch files
which allows to extraxt polish text from pdf using TextExtractor.
This is the most important line when it comes to extract non-unicode text from pdf:
PdfString unicode = pCurFont->GetEncoding()->ConvertToUnicode( rString, pCurFont );
Ad 2. The problem was zlib library which was built wrong. I rebuit it, rebuilt podofo and the problem is gone.