Hi, we’re using scriptcase behind a WAF and we’ve noticed some unusual triggers caused due to specific character occurences in the Csrf token served by scriptcase.
Found the function definition below in every application_name_apl.php file
function scCsrfGenerateToken() { $aSources = array( 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', '1234567890', '!@$*()-_[]{},.;:' ); ... ... }
The usage of these characters sometimes results in the token being matched with a SQLi regex.
Anyways, I think it would be good practice to not include these chars to prevent such integration issues and anyways CSRF tokens are recommended to be generated with letters and numbers. Atleast an option to allow the user to specify the allowed chars would be useful otherwise.
Also, if you guys have any suggestions as to how to workaround this thing do let me know because the function is defined redundantly in every generated applicaiton_name_apl.php.