tags:

views:

467

answers:

4
Q: 

Cross site scripting(XSS)

I am loading content from another page and depending on the content of page, changing content of my page and this is giving me cross site scripting issues.

  1. When i use iframe, since the content is from other domain, content of iframe becomes inaccessible.
  2. When i use ajax and try to inject the content as plain html code, XmlHttpRequest object throws permission denied exception due to cross site scripting.
  3. When i use JSONP, such as getJSON in JQuery, it only supports GET protocol and it is not adequate for further processing.

I wonder what other options i can try. Heard that DOJO, GWT,Adobe Air do some XSS, but dont know which one is the best.

Thanks, Ebe.

+3  A: 

Without JSON-P, your only option is to run a proxy script on your own server that fetches the content from the external site and pipes it back to the browser.

The browser fetches the content from the script on your server, hence no cross-domain issues, but the script on your server dynamically fetches it from the external site.

There's an example of such a script in PHP here: http://www.daniweb.com/code/snippet494.html (NB. I haven't personally used it).

RichieHindle  2009-08-06 18:16:30
A: 

To add to what RichieHindle says, there are some good script (Python+Cron) that you can plonk on your server and it will check for changes to a POST/GET location and cache the changes on your server.

Either set your triggers low (once every 10 mins/ 1 per day) or you might get blacklisted from the target.

This way, a local cache won't incur the HTTP overhead on every AJAX call from the client.

Aiden Bell  2009-08-06 18:22:54
A: 

Thanks guys, the problem is i want to inject someone's page into someone else's page which is outside our domain and that is why the XmlHTTPObject is throwing an error. Surely there is an proxy and web service developed in C#. Any other options?

Thanks, Ebe

 2009-08-07 21:38:46
"i want to inject someone's page into someone else's page which is outside our domain" - that shouldnt be possible? if it is, it would be a security vulnerability!
Chii  2009-08-08 02:48:38
+1  A: 

If you have control over both domains, take a look at EasyXDM. It's a library which wraps cross-browser quirks and provides an easy-to-use API for communicating in client script between different domains using the best available mechanism for that browser (e.g. postMessage if available, other mechanisms if not).

Caveat: you need to have control over both domains in order to make it work (where "control" means you can place static files on both of them). But you don't need any server-side code changes.

Justin Grant  2010-05-04 17:53:14

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests