https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737049#M229734 <P>Does the SAS interpreter remove single quotes for values passed in parameters over the web?</P><P>&nbsp;</P><P>For example, using the sample intrnet application below and the following webrequest:&nbsp;<A href="https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF&amp;DATASET=SA'SHELP.RE'TAIL&amp;TEMPFILE=Unknown" target="_blank">https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF&amp;DATASET=SA'SHELP.RE'TAIL&amp;TEMPFILE=Unknown</A></P><P>&nbsp;</P><P>The 'SASHELP.RETAIL' dataset is still rendered correctly despite the addition of single quotes (SA'SHELP.RE'TAIL). I have also tried URL encoding these to %27 and it still has no affect.</P><P>&nbsp;</P><PRE>%global bg bgtype dataset style tmpstyle; %macro print_to_html; %if not %sysfunc(exist(&amp;dataset)) %then %do; data _null_; file _webout; put '&lt;HTML&gt;'; put '&lt;HEAD&gt;'; put '&lt;TITLE&gt;Missing Data Set&lt;/TITLE&gt;'; put '&lt;/HEAD&gt;'; bgtype = symget('bgtype'); if trim(upcase(bgtype))="COLOR" then put "&lt;BODY BGCOLOR=&amp;bg&gt;"; else if trim(upcase(bgtype))="IMAGE" then put '&lt;BODY BACKGROUND="' "&amp;bg" '"&gt;'; else put '&lt;BODY&gt;'; put '&lt;H1&gt;Missing Data Set&lt;/H1&gt;'; put "Data set &amp;dataset not found."; put '&lt;/BODY&gt;'; put '&lt;/HTML&gt;'; run; %goto done; %end; %if &amp;style ne %then %let tmpstyle=style=styles.&amp;style; %else %if %UPCASE(&amp;bgtype) eq COLOR %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / background=&amp;bg; style systemtitle from systemtitle / background=&amp;bg; style systemfooter from systemfooter / background=&amp;bg; style systitleandfootercontainer from systitleandfootercontainer / background=&amp;bg; end; run; %let tmpstyle=style=tmpstyle; %end; %else %if %UPCASE(&amp;bgtype) eq IMAGE %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / backgroundimage="&amp;bg"; end; run; %let tmpstyle=style=tmpstyle; %end; %else %let tmpstyle=; ods html &amp;tmpstyle body=_webout rs=none; title "Data Set &amp;dataset in HTML Format"; proc print data=&amp;dataset; run; ods html close; %done: %mend print_to_html; * HTML encode vulnerable values to prevent XSS injection; data _null_; call symputx('BG', htmlencode(symget('bg'))); call symputx('DATASET', htmlencode(symget('dataset'))); run; %print_to_html; &nbsp;</PRE><P>&nbsp;</P> Mon, 26 Apr 2021 16:46:07 GMT test110 2021-04-26T16:46:07Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737049#M229734 <P>Does the SAS interpreter remove single quotes for values passed in parameters over the web?</P><P>&nbsp;</P><P>For example, using the sample intrnet application below and the following webrequest:&nbsp;<A href="https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF&amp;DATASET=SA'SHELP.RE'TAIL&amp;TEMPFILE=Unknown" target="_blank">https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF&amp;DATASET=SA'SHELP.RE'TAIL&amp;TEMPFILE=Unknown</A></P><P>&nbsp;</P><P>The 'SASHELP.RETAIL' dataset is still rendered correctly despite the addition of single quotes (SA'SHELP.RE'TAIL). I have also tried URL encoding these to %27 and it still has no affect.</P><P>&nbsp;</P><PRE>%global bg bgtype dataset style tmpstyle; %macro print_to_html; %if not %sysfunc(exist(&amp;dataset)) %then %do; data _null_; file _webout; put '&lt;HTML&gt;'; put '&lt;HEAD&gt;'; put '&lt;TITLE&gt;Missing Data Set&lt;/TITLE&gt;'; put '&lt;/HEAD&gt;'; bgtype = symget('bgtype'); if trim(upcase(bgtype))="COLOR" then put "&lt;BODY BGCOLOR=&amp;bg&gt;"; else if trim(upcase(bgtype))="IMAGE" then put '&lt;BODY BACKGROUND="' "&amp;bg" '"&gt;'; else put '&lt;BODY&gt;'; put '&lt;H1&gt;Missing Data Set&lt;/H1&gt;'; put "Data set &amp;dataset not found."; put '&lt;/BODY&gt;'; put '&lt;/HTML&gt;'; run; %goto done; %end; %if &amp;style ne %then %let tmpstyle=style=styles.&amp;style; %else %if %UPCASE(&amp;bgtype) eq COLOR %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / background=&amp;bg; style systemtitle from systemtitle / background=&amp;bg; style systemfooter from systemfooter / background=&amp;bg; style systitleandfootercontainer from systitleandfootercontainer / background=&amp;bg; end; run; %let tmpstyle=style=tmpstyle; %end; %else %if %UPCASE(&amp;bgtype) eq IMAGE %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / backgroundimage="&amp;bg"; end; run; %let tmpstyle=style=tmpstyle; %end; %else %let tmpstyle=; ods html &amp;tmpstyle body=_webout rs=none; title "Data Set &amp;dataset in HTML Format"; proc print data=&amp;dataset; run; ods html close; %done: %mend print_to_html; * HTML encode vulnerable values to prevent XSS injection; data _null_; call symputx('BG', htmlencode(symget('bg'))); call symputx('DATASET', htmlencode(symget('dataset'))); run; %print_to_html; &nbsp;</PRE><P>&nbsp;</P> Mon, 26 Apr 2021 16:46:07 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737049#M229734 test110 2021-04-26T16:46:07Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737053#M229737 <P>A few helpful functions can escape special characters in URLs and in HTML. If appearing in a URL, use urlencode. If you need to encode in HTML body, use htmlencode.</P> <P>&nbsp;</P> <TABLE width="828"> <TBODY> <TR> <TD width="192px"> <P><A href="http://go.documentation.sas.com/?docsetId=lefunctionsref&amp;docsetTarget=n0y10oliwg3voun100txgmy6d1g3.htm&amp;docsetVersion=9.4&amp;locale=en">HTMLDECODE Function</A>&nbsp;&nbsp;</P> </TD> <TD width="635px"> <P>Decodes a string that contains HTML numeric character references or HTML character entity references and returns the decoded string.</P> </TD> </TR> <TR> <TD width="192px"> <P><A href="http://go.documentation.sas.com/?docsetId=lefunctionsref&amp;docsetTarget=n0cm3nfzxlg3iwn1myjzv3t8rt8j.htm&amp;docsetVersion=9.4&amp;locale=en">HTMLENCODE Function</A>&nbsp;&nbsp;</P> </TD> <TD width="635px"> <P>Encodes characters using HTML character entity references and returns the encoded string.</P> </TD> </TR> <TR> <TD width="192px"> <P><A href="http://go.documentation.sas.com/?docsetId=lefunctionsref&amp;docsetTarget=p05qscijn2kj30n1ofetqnn8abob.htm&amp;docsetVersion=9.4&amp;locale=en">URLDECODE Function</A>&nbsp;&nbsp;</P> </TD> <TD width="635px"> <P>Returns a string that was decoded using the URL escape syntax.</P> </TD> </TR> <TR> <TD width="192px"> <P><A href="http://go.documentation.sas.com/?docsetId=lefunctionsref&amp;docsetTarget=p19ckwqexa3ir8n19hbvcz73lhmj.htm&amp;docsetVersion=9.4&amp;locale=en">URLENCODE Function</A>&nbsp;&nbsp;</P> </TD> <TD width="635px"> <P>Returns a string that was encoded using the URL escape syntax.</P> <P>From: urlencode(%str(<STRONG>ga:sessions,ga:pageviews,ga:users</STRONG>));</P> <P>To:&nbsp; &nbsp;&nbsp;<STRONG>ga%3Asessions,ga%3Apageviews,ga%3Ausers</STRONG></P> </TD> </TR> <TR> <TD width="192px"> <P>%str(&amp;)</P> </TD> <TD width="635px"> <P>Prevent SAS from interpreting “&amp;” in a URL as a macro variable.<BR />&nbsp;in="custname=Joe%str(&amp;)size=large%str(&amp;)topping=cheese"</P> <P>Avoids "WARNING: Apparent symbolic reference TOPPING not resolved."</P> </TD> </TR> </TBODY> </TABLE> Mon, 26 Apr 2021 16:58:52 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737053#M229737 ChrisHemedinger 2021-04-26T16:58:52Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737056#M229738 <P>Chris, thanks for the reply. I guess my question is, without modifying the previously provided code, why are the single quotes not being interpreted? Other URL encoded symbol characters such as the equal sign, question mark, etc are interpreted correctly, however, single quotes and percent signs appear to have no affect on the values.&nbsp;&nbsp;</P> Mon, 26 Apr 2021 17:09:37 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737056#M229738 test110 2021-04-26T17:09:37Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737058#M229739 <BLOCKQUOTE><HR /><a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/375003">@test110</a>&nbsp;wrote:<BR /> <P>Chris, thanks for the reply. I guess my question is, without modifying the previously provided code, why are the single quotes not being interpreted? Other URL encoded symbol characters such as the equal sign, question mark, etc are interpreted correctly, however, single quotes and percent signs appear to have no affect on the values.&nbsp;&nbsp;</P> <HR /></BLOCKQUOTE> <P>Please highlight or extract the lines you expect to be using text with single quotes. I cannot tell where you are expecting them to come from or be used.</P> Mon, 26 Apr 2021 17:30:17 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737058#M229739 ballardw 2021-04-26T17:30:17Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737060#M229741 <P>&nbsp;</P><P>Please see below for the highlighted (in red) lines-</P><P>For the URL portion:&nbsp;<FONT color="#000000">&amp;DATASET=SA%27SHELP.RE%27TAIL</FONT></P><P>For the code portion: line 4 (&amp;dataset)</P><P>&nbsp;</P><P>Also, here is the full URL that is being used (it appears it got cut off earlier in the post):</P><P>&nbsp;</P><P>https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF<FONT color="#FF0000"><STRONG>&amp;DATASET=SA%27SHELP.RE%27TAIL</STRONG></FONT>&amp;TEMPFILE=Unknown</P><P>&nbsp;</P><PRE>%global bg bgtype dataset style tmpstyle; %macro print_to_html; %if not %sysfunc(exist(<STRONG><FONT color="#FF0000">&amp;dataset</FONT></STRONG>)) %then %do; data _null_; file _webout; put '&lt;HTML&gt;'; put '&lt;HEAD&gt;'; put '&lt;TITLE&gt;Missing Data Set&lt;/TITLE&gt;'; put '&lt;/HEAD&gt;'; bgtype = symget('bgtype'); if trim(upcase(bgtype))="COLOR" then put "&lt;BODY BGCOLOR=&amp;bg&gt;"; else if trim(upcase(bgtype))="IMAGE" then put '&lt;BODY BACKGROUND="' "&amp;bg" '"&gt;'; else put '&lt;BODY&gt;'; put '&lt;H1&gt;Missing Data Set&lt;/H1&gt;'; put "Data set &amp;dataset not found."; put '&lt;/BODY&gt;'; put '&lt;/HTML&gt;'; run; %goto done; %end; %if &amp;style ne %then %let tmpstyle=style=styles.&amp;style; %else %if %UPCASE(&amp;bgtype) eq COLOR %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / background=&amp;bg; style systemtitle from systemtitle / background=&amp;bg; style systemfooter from systemfooter / background=&amp;bg; style systitleandfootercontainer from systitleandfootercontainer / background=&amp;bg; end; run; %let tmpstyle=style=tmpstyle; %end; %else %if %UPCASE(&amp;bgtype) eq IMAGE %then %do; ods path work.templat(update) sasuser.templat(read) sashelp.tmplmst(read); proc template; define style tmpstyle; parent=styles.default; style body from body / backgroundimage="&amp;bg"; end; run; %let tmpstyle=style=tmpstyle; %end; %else %let tmpstyle=; ods html &amp;tmpstyle body=_webout rs=none; title "Data Set &amp;dataset in HTML Format"; proc print data=&amp;dataset; run; ods html close; %done: %mend print_to_html; * HTML encode vulnerable values to prevent XSS injection; data _null_; call symputx('BG', htmlencode(symget('bg'))); call symputx('DATASET', htmlencode(symget('dataset'))); run; %print_to_html; &nbsp;</PRE><P>&nbsp;</P> Mon, 26 Apr 2021 17:36:06 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737060#M229741 test110 2021-04-26T17:36:06Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737070#M229742 <P>Your code does not show where the value of &amp;dataset is set. So we cannot tell what the actual value of the variable &amp;dataset holds. Since you are using the SAS function Exist it is very likely that the data set parameter does not have any quotes because that will generate an error:</P> <PRE>52 %let dataset= sas'help.cla'ss; ---------- 49 NOTE 49-169: The meaning of an identifier after a quoted string might change in a future SAS release. Inserting white space between a quoted string and the succeeding identifier is recommended. 53 %put Sysfunc result is: %sysfunc(exist(&amp;dataset)) ; NOTE: Line generated by the macro variable "DATASET". 1 sas'help.cla'ss ---------- 49 Sysfunc result is: 0 NOTE 49-169: The meaning of an identifier after a quoted string might change in a future SAS release. Inserting white space between a quoted string and the succeeding identifier is recommended. </PRE> <P>The 0 result means the data set doesn't exist.</P> <P>&nbsp;</P> <P>The data set sashelp.class does exist as shown here:</P> <PRE>54 %let dataset= sashelp.class; 55 %put Sysfunc result is: %sysfunc(exist(&amp;dataset)) ; Sysfunc result is: 1 </PRE> <P>The form of data set names that would be acceptable to the Exist function would be 'some non-standard name'n. No quotes in the middle, the entire name would have to be within quotes and have an n following. So your EXIST always fails. and not of that header information gets by the data _null_ step.</P> <P>&nbsp;</P> <P>Or perhaps you need to run the code with OPTIONS MPRINT and examine what is being generated in your macro.</P> Mon, 26 Apr 2021 17:53:28 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737070#M229742 ballardw 2021-04-26T17:53:28Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737077#M229745 <P>The value is being retrieved from the URL request here, with the actual value highlighted in red:</P><P>&nbsp;</P><P><SPAN>https://sampleapplicationserver/cgi-bin/broker?_SERVICE=default&amp;_PROGRAM=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&amp;BGTYPE=COLOR&amp;BG=%23FFFFFF</SPAN><FONT color="#FF0000"><STRONG>&amp;DATASET=SA%27SHELP.RE%27TAIL</STRONG></FONT><SPAN>&amp;TEMPFILE=Unknown</SPAN></P><P>&nbsp;</P><P>Just to reiterate, the %27 (single quotes) are not making it to the actual 'dataset' value, that it my question. Why are the single quotes not being interpreted? Other symbols, like:&nbsp;@$() seem to be interpreted alright, but the single quotes and percent signs, when passed in URL parameters do not get interpreted.&nbsp;&nbsp;</P> Mon, 26 Apr 2021 18:00:24 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737077#M229745 test110 2021-04-26T18:00:24Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737079#M229747 <P>So the app broker seems to be "cleaning" them out?&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/13635">@Vince_SAS</a>&nbsp;may be able to shed some light.</P> Mon, 26 Apr 2021 18:17:22 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737079#M229747 ChrisHemedinger 2021-04-26T18:17:22Z https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737090#M229751 <P><FONT face="verdana,geneva">The quotation marks are stripped from the input parameter to prevent cross-site scripting code injections:</FONT></P> <P>&nbsp;</P> <P><FONT face="verdana,geneva"><STRONG>SAS/IntrNet 9.4: Application Dispatcher &gt; PROC APPSRV Statement &gt; UNSAFE='string'</STRONG></FONT></P> <P><FONT face="verdana,geneva"><A href="https://go.documentation.sas.com/doc/en/dispatch/9.4/n08ru77fqa1k2kn17p6oq9abvl0h.htm#n0ad6r9wll3y50n1hoxa7an2c4bc" target="_blank">https://go.documentation.sas.com/doc/en/dispatch/9.4/n08ru77fqa1k2kn17p6oq9abvl0h.htm#n0ad6r9wll3y50n1hoxa7an2c4bc</A></FONT></P> <P>&nbsp;</P> <P>If you have a good reason to access the value that was passed in, including the quotation marks, you can use the APPSRV_UNSAFE function:</P> <P>&nbsp;</P> <P><STRONG>SAS/IntrNet 9.4: Application Dispatcher &gt; Development Tasks &gt; Application Server Functions &gt; APPSRV_UNSAFE Function</STRONG></P> <P><A href="https://go.documentation.sas.com/doc/en/dispatch/9.4/n0gc4breypvrrzn1jfsuk607bcp2.htm" target="_blank">https://go.documentation.sas.com/doc/en/dispatch/9.4/n0gc4breypvrrzn1jfsuk607bcp2.htm</A></P> <P>&nbsp;</P> <P>But it's called "unsafe" for a reason.&nbsp; You can read a little more about the cautions of using it in the SAS Viya documentation.</P> <P>&nbsp;</P> <P><STRONG>SAS 9.4 and SAS Viya 3.5 Programming Documentation &gt; DATA Step Programming &gt; Functions and CALL Routines &gt; Dictionary of Functions and CALL Routines &gt; COMPSRV_OVAL Function</STRONG></P> <P><A href="https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/lefunctionsref/p0nj8y96j7l6cun1oholejcecm4x.htm" target="_blank">https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/lefunctionsref/p0nj8y96j7l6cun1oholejcecm4x.htm</A></P> <P>&nbsp;</P> <P><FONT face="verdana,geneva">Vince DelGobbo</FONT></P> <P><FONT face="verdana,geneva">SAS R&amp;D</FONT></P> Mon, 26 Apr 2021 19:17:57 GMT https://communities.sas.com/t5/SAS-Programming/Proper-encoding-of-Symbols-passed-to-SAS-over-the-Web/m-p/737090#M229751 Vince_SAS 2021-04-26T19:17:57Z