The Daily WTF
Julien’s employer has switched their payroll operations to a hosted solution. The hosted solution has some… interesting features. The fact that it has a “share” button, implying you can share your paystub information with other people, is unusual (but good: keeping salaries confidential only helps management underpay their employees). More problematic is that this feature emails it, and instead of entering an email address manually, you pick one from a drop-down list, which contains the email of every user of the hosted system.
Seeing this, Julien had to take a peek at the code, just to see what other horrors might lurk in there.
Let’s open with some ugly regexes:
var regExtURL =/(http(s)?|ftp://.)?(www.)?[-a-zA-Z0-9@:%._+~#=]{2,256}.[a-z]{2,6}b([-a-zA-Z0-9@:%_+.~#?&//=]*)/;
///^(?:(?:https?|ftp)://)?[w.-]+(?:S+(?::S*)?@)?(?:(?!(?:0|127)(?:.d{1,3}){3})(?!(?:169.254|192.168)(?:.d{1,3}){2})(?!172.(?:1[6-9]|2d|3[0-1])(?:.d{1,3}){2})(?:[1-9]d?|1dd|2[01]d|22[0-3])(?:.(?:1?d{1,2}|2[0-4]d|25[0-5])){2}(?:.(?:[1-9]d?|1dd|2[0-4]d|25[0-4]))|(?:(?:[a-zu00a1-uffff0-9]-*)*[a-zu00a1-uffff0-9]+)(?:.(?:[a-zu00a1-uffff0-9]-*)*[a-zu00a1-uffff0-9]+)*(?:.(?:[a-zu00a1-uffff]{2,})).?)(?::d{2,5})?(?:[/?#]S*)?$/;

function isValidURL(thisObj){
    if (thisObj.value != '' && !regExtURL.test(thisObj.value)){
        alert('Veuillez entrer une URL valide.');
        return false;
    }
};

var re = /^(([a-zA-Z0-9-_”+”]+(.[a-zA-Z]+)*)|(“.+”))@(([[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}])|([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})|(([a-zA-Z0-9])+(-[a-zA-Z0-9]+)*(.[a-zA-Z0-9-]+)*(.[a-zA-Z]{2,})+))$/;

function isEmailKey(thisObj){
    //var re = /^(([^<>()[].,;:s@”]+(.[^<>()[].,;:s@”]+)*)|(“.+”))@(([[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}])|(([a-zA-Z0-9]+.)+[a-zA-Z]{2,}))$/;
    //var re = /^(([^<>()[].,;:s@”]+(.[^<>()[].,;:s@”]+)*)|(“.+”))@(([[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}])|([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})|(([a-zA-Z0-9])+(-[a-zA-Z0-9]+)*(.[a-zA-Z0-9-]+)*(.[a-zA-Z]{2,})+))$/;
    if (thisObj.value !=