SCO 2012: Best Practice – Inserting user input safely into Run .Net Script Activity


After a good discussion at TechNet (read here), I think we have reached a solution that works.


When we run PowerShell in Orchestrator with published data, Orchestrator substitutes the published data directly into the script text before the script is executed.

This means that input containing quotes or other PowerShell syntax characters can break the script, and crafted input can run code of the attacker's choosing (code injection), because the script is assembled as text.

For example, if we use double quotes (") around the input and the input contains a double quote, the string is terminated early and the script breaks. A double-quoted string is also worse than a syntax error suggests: $variables and $(subexpressions) inside it are expanded, so such content in the input would be executed.



Use a single-quoted here-string and make sure that your syntax follows this example:


# Single-quoted here-string: nothing inside it is expanded and quotes need no escaping.
# The first line is a single space followed by the published data.
[System.String] $retrievedUserInput = @'
<insert space><insert published data here>
'@
# Remove the extra space that was inserted before the published data.
$retrievedUserInput = $retrievedUserInput.Substring(1)

The important parts are to use the single-quoted here-string and to insert an extra space before the published data. In a single-quoted here-string nothing is expanded, so double quotes, single quotes, $variables and $(subexpressions) in the published data are all plain text. The extra space matters because the here-string terminator '@ is only recognized when it is the first thing on a line: if the published data itself begins with '@, the space keeps it from closing the string early, and .Substring(1) removes the space afterwards. Note that this only protects the first line: if the published data can contain a line break, a following line that starts with '@ still closes the here-string and everything after it is parsed and executed as code (see the comment below), so data that may contain line breaks should be validated or rejected before it is inserted into the script.
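The following is an added example, not code from the original post. It simulates Orchestrator pasting published data into a Run .Net Script body that uses the single-quoted here-string pattern above, then asks the PowerShell parser (without executing anything) whether the published data stayed inside the string literal. The {PublishedData} placeholder and the literal .Replace() are assumptions standing in for Orchestrator's own text substitution; the sample inputs are constructed. It goes one step beyond the post by also covering the line-break bypass raised in the comment below.

```powershell
# Added example: check whether published data can escape the single-quoted
# here-string wrapper, using the PowerShell parser instead of running the script.

# The script body as it would be typed into the activity. {PublishedData} is an
# assumed placeholder for Orchestrator's published-data substitution.
$TemplateLines = @(
    "[System.String] `$retrievedUserInput = @'",
    " {PublishedData}",                                   # leading space, as in the post
    "'@",
    "`$retrievedUserInput = `$retrievedUserInput.Substring(1)",
    "Write-Output `$retrievedUserInput"
)
$Template = $TemplateLines -join "`r`n"

function New-RenderedScript {
    param([string]$PublishedData)
    # Plain textual replacement (assumed to mimic Orchestrator): this is what
    # makes injection possible in the first place.
    return $Template.Replace('{PublishedData}', $PublishedData)
}

function Test-RenderedScript {
    param([string]$ScriptText)
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Every command the script would invoke, in source order. Text that stayed
    # inside the here-string is a string constant and never appears here.
    $commands = @($ast.FindAll({ param($node)
            $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() })

    # The template contains exactly one command (Write-Output); any parse error
    # or additional command means the published data escaped the literal.
    [pscustomobject]@{
        ParseErrors = $errors.Count
        Commands    = $commands
        Injected    = ($errors.Count -gt 0) -or (($commands -join ',') -ne 'Write-Output')
    }
}

# Constructed sample inputs standing in for published data.
$Cases = [ordered]@{
    'plain'              = 'Contoso Server 01'
    'quotes'             = 'O''Brien said "hi"; $(Get-Process)'   # both quote styles and a subexpression: stays literal
    'leading-terminator' = "'@`r`nGet-Service"                     # '@ on the first line: the extra space defuses it
    'newline-terminator' = "harmless`r`n'@`r`nGet-Service`r`n@'"  # line break, then '@ at column 0: breaks out
}

foreach ($name in $Cases.Keys) {
    $result = Test-RenderedScript -ScriptText (New-RenderedScript -PublishedData $Cases[$name])
    '{0,-19} injected={1,-5} parseErrors={2} commands={3}' -f $name, $result.Injected, $result.ParseErrors, ($result.Commands -join ', ')
}
```

The first three cases report only Write-Output, so quotes, subexpressions and even a leading '@ stay inside the string. The last case reports Get-Service as well: the line break puts '@ at the start of a line, the here-string closes, and the trailing @' re-opens one so that the template's own '@ closes cleanly and the script parses without errors. The same AST check can be run in a test harness over every value a runbook is expected to receive before the activity is trusted with it.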


You can find more info about here-strings here.

(Notice: This is my own suggestion of best practice)

By Jakob Gottlieb Svendsen | 2013-04-15T14:04:18+00:00 (April 15th, 2013) | Automation, PowerShell, Scripting & Development | 1 Comment

About the Author:

Jakob Gottlieb Svendsen

Twitter: @JakobGSvendsen

Jakob Gottlieb Svendsen is a Microsoft Cloud and Data Center Management MVP, working as Global Lead Developer, Senior Consultant and Trainer at CTGlobal, where he is one of the driving forces in keeping CTGlobal a System Center Gold Partner and member of the System Center Alliance.

Since he started at Coretech in 2007, he has focused on Scripting and Development, primarily developing tools, extensions and scripts for the System Center Suite. His main area is Automation (including OMS/Azure Automation, Service Management Automation, PowerShell and Orchestrator). Another area is Windows Azure Pack / Azure Stack, where he does implementation, development, workshops and presentations. He is a world-wide renowned voice in the Automation field.

He is passionately devoted to the community, to which he contributes by being a moderator at TechNet and sharing his knowledge at

  • Co-founder: PowerShell User Group Denmark
  • Speaker at MMS 2016, Minneapolis
  • SCU Europe 2014, 2015, 2016
  • Microsoft TechEd North America 2014, Houston
  • NIC 2012, 2013, 2014, 2015, Oslo
  • Microsoft CampusDays 2011, 2013, Copenhagen
  • Microsoft TechDays 2015, Sweden
  • Microsoft Partner Event: New in SC2012 SP1
  • User group meetings (PSUG.DK , SCUG.DK/BE/NO, AZMUG + more)
  • Microsoft Certified Trainer.
  • Microsoft Scripting Guys Forum Moderator

Main working areas:

  • Automation (Azure Automation, SMA, SCO)
  • Windows Azure Pack / Azure Stack
  • System Center
  • Visual Studio Team Services / Team Foundation Server
  • Development: C#.Net, VB.NET, VBScript, PowerShell, Service Manager, OpsMgr, ConfigMgr
  • Orchestrator


  • Azure Automation
  • Service Management Automation
  • System Center Orchestrator
  • PowerShell, VBScript, C#.Net, VB.Net
  • Windows Azure Pack / Azure Stack Development Workshops

One Comment

  1. Deepak, February 5, 2018 at 15:05

    Hi Jakob

    Thanks for sharing the information, but this does not really solve all crafted input. This one can still run.

    $string = @'
    '@; get-service;sfasdfa
    '@ ; get-service ; @'

    Input published data could contain a line break, and on the next line they could close the '@ before issuing the injected statement.

