XSS Vulnerability IW 15.2.23
When we went through our SOC II we did the following.
Set these settings.
1. CheckFormId = true
2. CheckSameUA = true
3. CookieHttpOnly = true
4. CookieSecure = true
5. SessionCookies = true
6. UniqueURL = true
7. UseCookies = true

I think what you are really looking for is something like this on the ServerController for parsing the parameters.

procedure TController.IWServerControllerBaseParseParameter(var AParam: string;
  var AllowIt: Boolean; const Index: Integer);
var
  n: Integer;
  ParamName: string;
begin
  // Default deny: a parameter is only allowed if its name is on the allow list.
  // Setting this first also covers an empty ParamStringList, which previously
  // left AllowIt at whatever value the caller passed in.
  AllowIt := False;

  //We are going to stop all parameters unless we need to check for a certain param
  //https://www.atozed.com/forums/thread-1681.html
  if CCAppParams.ApplicationParams.URLStartParams.URLStartParamAllowList <> '' then
  begin
    // Name part before '='; Pos returns 0 when there is no '=', so ParamName is ''
    ParamName := Copy(AParam, 1, Pos('=', AParam) - 1);
    // ParamStringList is filled from URLStartParamAllowList elsewhere; the
    // critical section guards it against concurrent session threads
    Paramcriticalsection.Acquire;
    try
      for n := 0 to ParamStringList.Count - 1 do
        if SameText(ParamName, ParamStringList[n]) then
        begin
          AllowIt := True;
          Break;  // Break rather than Exit so the handler-name check below still runs
        end;
    finally
      Paramcriticalsection.Release;
    end;
  end;
  // No allow list configured: AllowIt stays False and nothing is accepted

  // if ContainsText(AParam, '<svg') then
  //   AllowIt := False;
  //
  ////This fixes an issue with a cross scripting possibility in versions at or prior to 5.2.18 and only with firefox
  ////https://www.atozed.com/forums/thread-2034.html
  // if ContainsText(AParam, 'onbeforescriptexecute') then
  //   AllowIt := False;

  // Reject the Firefox-only script-execution event handlers even when the
  // parameter name itself is allow-listed
  if ContainsText(AParam, 'onbeforescriptexecute') or
     ContainsText(AParam, 'onafterscriptexecute') then
    AllowIt := False;
end;
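The decision logic from the handler above, lifted into a pure function with a small self-check so it can be exercised outside IntraWeb. This is an added example, not the poster's code or part of IntraWeb; the allow list passed in stands in for ParamStringList (assumed to be filled from URLStartParamAllowList) and its entries are constructed.

```delphi
program ParamFilterCheck;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.Classes, System.StrUtils;

// AAllowList stands in for ParamStringList (assumed filled from the
// URLStartParamAllowList setting). Returns True only for an allow-listed
// parameter name that does not carry the script-execution handler names.
function IsParamAllowed(const AParam: string; AAllowList: TStrings): Boolean;
var
  ParamName: string;
  n: Integer;
begin
  Result := False;
  if AAllowList.Count = 0 then
    Exit;  // no allow list configured: deny everything
  // Name part before '='; Pos returns 0 when there is no '=', giving ''
  ParamName := Copy(AParam, 1, Pos('=', AParam) - 1);
  for n := 0 to AAllowList.Count - 1 do
    if SameText(ParamName, AAllowList[n]) then
    begin
      Result := True;
      Break;
    end;
  // Handler names are rejected even on an allow-listed parameter
  if ContainsText(AParam, 'onbeforescriptexecute') or
     ContainsText(AParam, 'onafterscriptexecute') then
    Result := False;
end;

var
  AllowList: TStringList;
begin
  AllowList := TStringList.Create;
  try
    AllowList.Add('customerid');  // constructed allow-list entries
    AllowList.Add('lang');
    Assert(IsParamAllowed('CustomerId=42', AllowList));   // name match is case-insensitive
    Assert(IsParamAllowed('lang=en', AllowList));
    Assert(not IsParamAllowed('debug=1', AllowList));     // not on the list
    Assert(not IsParamAllowed('customerid', AllowList));  // no '=' gives an empty name
    Assert(not IsParamAllowed('lang=x onbeforescriptexecute', AllowList));
    Writeln('all parameter filter checks passed');
  finally
    AllowList.Free;
  end;
end.
```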
RE: XSS Vulnerability IW 15.2.23 - by joelcc - 09-10-2024, 04:13 PM