MSGID: 2:221/1.58@fidonet f679aae1
PID: OpenXP/5.0.50 (Win32)
CHRS: ASCII 1
TZUTC: -0500
An eTransfer typically allows for entering a short message of  
up to 400 chars.  For a recent eTransfer, I found it important  
to enter something to reference the billing statement that I am  
paying for.  My typical message was something like this:

    This payment is for the "60-90 days" portion of the
    statement dated 11/15/21.

But that triggered an error message:

"There appears to be an error! All errors must be corrected
before continuing."

    Please enter a valid message. It must not exceed 400
    characters and contain only letters, numbers, and the
    characters . ! @ / ; : , ' = $ ^ ? * ( ). It must not
    contain the words http:, https:, www., javascript,
    function, return.

In this case it seemed that the quote char and the dash was not  
on the allowed list.  Now, I'm just wondering WHY would a quote  
or dash char need to be treated differently and excluded from a  
valid set?

Likewise, why would even a simple word like function or return  
be a problem for a message block?   When the system dedicates a  
400 char block for a message, why can't the system simply treat  
that content as a benign group of chars and ignore any  
"functionality" implied with http: https: or www, etc?

Could there be hacking vectors that haven't been solved in the  
eTransfer system?

--- OpenXP 5.0.50
 * Origin:  (2:221/1.58)
SEEN-BY: 1/123 14/0 90/1 103/705 105/81 120/340 123/131 124/5016 129/305
SEEN-BY: 153/757 154/10 203/0 221/1 6 360 226/30 227/114 702 229/424
SEEN-BY: 229/426 428 452 550 664 700 240/5138 5411 5824 5832 5853
SEEN-BY: 249/206 317 400 280/464 5003 282/1038 292/854 8125 301/1
SEEN-BY: 310/31 317/3 320/219 322/757 341/234 342/200 396/45 423/81
SEEN-BY: 423/120 633/280 712/848 770/1 2432/390 2452/250 2454/119
PATH: 221/1 280/464 240/5832 229/426