Hi August,
On 2021-11-16 18:52:00, you wrote to All:
An eTransfer typically allows for entering a short message of
up to 400 chars. For a recent eTransfer, I found it important
to enter something to reference the billing statement that I am
paying for. My typical message was something like this:
This payment is for the "60-90 days" portion of the
statement dated 11/15/21.
But that triggered an error message:
"There appears to be an error! All errors must be corrected
before continuing."
Please enter a valid message. It must not exceed 400
characters and contain only letters, numbers, and the
characters . ! @ / ; : , ' = $ ^ ? * ( ). It must not
contain the words http:, https:, www., javascript,
function, return.
In this case it seemed that the quote char and the dash was not
on the allowed list. Now, I'm just wondering WHY would a quote
or dash char need to be treated differently and excluded from a
valid set?
Likewise, why would even a simple word like function or return
be a problem for a message block? When the system dedicates a
400 char block for a message, why can't the system simply treat
that content as a benign group of chars and ignore any
"functionality" implied with http: https: or www, etc?
I suspect it's a standard the banks involved agreed about for this message. It's handled by all kinds of systems at multiple banks, probably all over the world. So it's probably a "better safe then sorry" messure, because there isn't 1 authority that checks and oversees the development of all these systems. That's handled by the IT departments of the individual banks.
Could there be hacking vectors that haven't been solved in the
eTransfer system?
With so many systems involved you never know if somewhere there is an undiscovered bug lurking in one of them. It's probably wise to assume there are more then one... So it's also wise to prevent them from being triggered by having a strict "front gate".
Bye, Wilfred.
--- FMail-lnx64 2.1.0.18-B20170815
* Origin: FMail development HQ (2:280/464)
