All questions: [xss]

172 questions

9 votes, 4 answers, 3079 views

Sanitize input XSS and HTML input in rails

I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought rails would have some...

5 votes, 3 answers, 13893 views

Synchronous cross sub-domain POST request with jQuery

I'm trying to do a cross domain POST request and have hit a wall (or two). I can't put a proxy page on the server - so that is not an option. I have researched getJSON, which works great except that I need to POST not GET. Is it possible to do this? If it is not, can someone explain to me how ...

0 votes, 1 answer, 975 views

ASP.NET User Controls, ObjectDataSources, and XSS

I am working on a web project which includes a user control (.ascx) which is housed in a repeater on the containing .aspx page. There is a DataList on the user control which is dynamically bound in the code behind. Such that the parent page/repeater assigns the data (a List) to a property on the ...

5 votes, 5 answers, 1073 views

How does Google Friend Connect accomplish cross domain communication without needing to upload a file to the client domain?

Previously, Google's Friend Connect required users to upload a couple of files to their websites to enable cross domain communication and Facebook Connect still requires you to upload a single file to enable it. Now, Friend Connect doesn't require any file upload... I was wondering how they wer...

2 votes, 4 answers, 4293 views

Regex to remove onclick="" attributes from HTML elements in ASP.NET C# (Server-side)

I'm trying to write a regex function to remove onclick (also onload, onmouseover etc.) attributes from HTML elements. I want to do this on the server side before the HTML is sent to the client. I have content coming from a Rich Text editor and being displayed on screen in a div, and I want to pr...

1 vote, 4 answers, 3167 views

Regex to detect Javascript In a string

I am trying to detect JavaScript in my querystrings value. I have the following c# code private bool checkForXSS(string value) { Regex regex = new Regex(@"/((\%3C)|<)[^\n]+((\%3E)|>)/I"); if (regex.Match(value).Success) return true; return false; ...

1 vote, 3 answers, 2508 views

Executing Javascript in iFrame from Parent

Just a heads up, I am a semi noob at JavaScript. So for the past two days I have been googling and for the life of me I cannot figure out how to execute a function in an iframe from the parent page. The page in the iframe is on a different domain and the code to be executed is usually executed v...

1 vote, 1 answer, 2549 views

Ajax Control Toolkit Editor Control - avoiding XSS attacks

I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, i...

2 votes, 3 answers, 529 views

IE8 XSS Filter Question

The IE8 cross site scripting filter seems to be causing some intermittent issues with our app. To be honest, I have not yet isolated it, and it may very well be some sort of IE8 add-on, or, some security software, but there seems to be at least some relationship to the new xss filter in IE8. I h...

6 votes, 1 answer, 3337 views

overriding GetSecurityId in IInternetSecurityManager

I have built an executable which launches a dialog box in which is embedded the IE web browser active-x control (C++). I want this control to allow cross site scripting. One frame on the web page loads local html, the other loads from a server. I then want the server page to call a javascript ...

2 votes, 3 answers, 411 views

Allow Javascript - protect against XSS? (unique scenario)

I'm in the process of building an application (a CMS to be more specific) which allows users to add Javascript to their content. There really is no way around allowing Javascript, and because of it, some security concerns are now becoming quite apparent. What we're mainly concerned about is cooki...

4 votes, 1 answer, 1116 views

Are Flex/Flash Based applications susceptible to XSS attacks? what are the various ways in which such attacks can happen?

Are Flex/Flash based applications susceptible to XSS attacks, what are the different ways in which the attack can happen, and how to prevent/detect such attacks?

2 votes, 2 answers, 903 views

character encoding problem - cross-domain scripting

I have an Asp.Net web app where users include a script tag in their web page, and get data from my server (using JsonP & a Generic handler (ashx)). The data is in hebrew, and I set the charset to utf-8 in the response. When the client web site (which displays the data) uses "windows-1255" I...

0 votes, 1 answer, 4617 views

XSS attack in a window.open popup

We faced an XSS attack in an iframe which we ship to our customers. Owing to the sensitivity of iframes we decided to go for the Window.open method. Below is a sample attached JS which sits in the customer's space. Can anyone enlighten me on how it is vulnerable to XSS <p> <script type="text/javascrip...

2 votes, 3 answers, 3944 views

how can I deactivate cross-site scripting defense on my own browser?

I want to load a page from a domain inside an iframe in another domain's page, and then access its content with JS. Of course, this would be XSS so I'd get the "Permission denied to get property HTMLDocument..." error. The thing is, I want to do this on my own browser, not in a public access site...

3 votes, 3 answers, 2311 views

Avoiding XSS vulnerabilities - whitelist?

What are the best practices to prevent XSS vulnerabilities? A lot of people on here have mentioned whitelists which sounds like a good idea, but I see many people define the whitelist using a RegEx. This seems inherently flawed because it depends on many factors, the least of which is the RegEx...

2 votes, 2 answers, 384 views

How to handle XSS on NVelocity

Castle Project is full of features, includes some awesome subprojects, and developing with it has been a pleasure. My team is almost ready to deliver a custom made EAM and we are polishing our system. We tried some basic XSS attacks and guess: They all worked. Even though it will be running in ...

6 votes, 2 answers, 1883 views

Do I need to escape characters when sending emails?

I'm using Django Contact Form on a website to allow visitors to send emails. Currently, it's escaping characters, so single and double quotation marks are converted to ' and " respectively. The emails would be more readable if quotation marks were displayed as ' and ". I under...

2 votes, 1 answer, 1174 views

Texts/codes to test for XSS attacks in my software/website

Firstly, I do not have any malicious intent out of this question. I would like to know what text to copy paste and test in my text areas and text boxes to see if they are stripped correctly. Currently I use something as limited as: <script> alert('xss'); </script> <a href="www.te...

0 votes, 1 answer, 550 views

What is the difference between request by form submit and request by ajax?

I understand the basic ideas of XSS and same-origin-policy, so if your knee jerk reaction is to school me on the basics, you can jump ahead at least a half step... If javascript is client-side, at what point is an http request submitted via XMLHttpRequest distinguished from a user submitting a r...

3 votes, 1 answer, 704 views

Microsoft Anti-Cross Site Scripting Library

I'm evaluating the Microsoft Anti-Cross Site Scripting Library (AntiXSS V3) I have to say it seems to me that apart from providing a more comprehensive white list of acceptable characters, it's not really bringing anything to the party that a diligent programmer who encoded all his user/agent mo...

7 votes, 3 answers, 2419 views

Sanitize Markdown in Rails?

Users can edit "articles" in my application. Each article is mastered in the DB and sent to the client as Markdown -- I convert it to HTML client side with Javascript. I'm doing this so that when the user wants to edit the article he can edit and POST the Markdown right back to the server (since...

5 votes, 3 answers, 963 views

Cross-protocol XSS with non-standard service ports

Hey guys, I just read this post about really nasty (and cool at the same time) ways to perform XSS. However, there is still something unclear to me. I understand the full concept of the attack, however, I don't see how this can potentially be exploited. The "action" attribute inside the form must...

3 votes, 4 answers, 2733 views

Is my anti XSS method OK for allowing user HTML in PHP?

I am working on finding a good way to make user submitted data, in this case allow HTML and have it be as safe and fast as I can. I know EVERY SINGLE PERSON on this site seems to think http://htmlpurifier.org is the answer here. I do agree partially. htmlpurifier has the best open source cod...

1 vote, 1 answer, 1592 views

Prevent XSS attempts on a Tomcat/Struts 1 web application (without source code)

A 3rd party web application has a cross-scripting security issue. There is one page with three fields which are not sanitized. The vendor will not provide a timely fix and I need to. The application is running in Tomcat and uses Struts 1. The action for the bad page looks like this: <acti...

3 votes, 2 answers, 1805 views

Of HttpOnly and document.cookie

Searching for possible ways to get a cookie with httpOnly enabled, I cannot find any. But then again, how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same? So my question is, is it really, really impossible to get the cookie of an httpOnly enable...

0 votes, 2 answers, 1247 views

Prevent Javascript in URL attacks (asp.net)

I've seen plenty of Cross-Site Scripting attack prevention suggestions, but I'm not asking about Form Input validation. How would I prevent something like this: javascript:(function(i,j){with(document){for(i=0;i<forms.length;++i){with(forms[i]){for(j=0;j<elements.length;++j){elements[j].di...

17 votes, 4 answers, 14137 views

What makes a good test string for testing web forms for unicode compatibility?

What test text do you try and type into your web forms to check that they handle all the edge cases properly (especially Unicode and XSS style problems). I am particularly interested in good Unicode strings that may do something odd if they are mis-encoded when they are displayed again. Text t...

42 votes, 10 answers, 102153 views

XSS filtering function in PHP

Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_input seems to require prior knowledge of the contents of the input and I'm concerned that using something like HTML Purifier will have a big performance impact. What about something like : http://s...

18 votes, 5 answers, 21853 views

Generating AntiForgeryToken in WebForms

I have a .NET Webforms site that needs to post to my MVC Application which currently sits inside the Webform site as a separate application. The Webform application needs to POST some sensitive values to the MVC Application. Is there a way to generate an AntiForgeryToken() in my WebForms Applic...