sanitization

display HTML content from database with formatting in it

Hi all, I have used wmd-editor in my cakephp v1.3 application. The config which I have written is as follows: wmd_options = { output: "HTML", lineLength: 40, buttons: "bold italic | link blockquote code image | ol ul heading hr", autostart: true }; When I submit the form ...

Skip sanitization for videos in html5lib

I am using a wmd-editor in django, much like this one in which I am typing. I would like to allow the users to embed videos in it. For that I am using the Markdown video extension here. The problem is that I am also sanitizing user input using html5lib sanitization and it doesn't allow object tags which are required to embed the videos. ...

Function to sanitize input values PHP

I use this: function safeClean($n) { $n = trim($n); if(get_magic_quotes_gpc()) { $n = stripslashes($n); } $n = mysql_escape_string($n); $n = htmlentities($n); return $n; } To prevent any type of MySQL injection or anything like that. Whenever I use it to wrap around $_POST like this: $username ...

Regular Expression Sanitize (PHP)

Hello, I would like to sanitize a string into a URL, so this is what I basically need. Everything must be removed except alphanumeric characters, spaces and dashes. Spaces should be converted into dashes. E.g. This, is the URL! must return this-is-the-url Thanks ...

Preventing LDAP injection

I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After working a while on that I noticed that the user could be able to alter the LDAP query by injecting malicious code. I'd like to know which sanitizing techniques are known, not only for C/unix development but in m...

Removing any html/formatting/etc. from text string as it is pasted, via Javascript/JQuery?

Not sure if this is possible across all modern browsers, but is there any way, using javascript/jquery, to remove all html tags, css formatting, word doc format codes, etc. from a string of text as it is being pasted into an input area of a page (in my case an element set as "contenteditable"), so it always goes in as just pure plaintext? ...

RubyRails: Mixing Sanitize and Truncate can be a dirty thing..

So stand alone I get what I need. But when I want to truncate it, my dynamic text comes out with dirty text clobbered with Microsoft Word garbage. An example: ≪! [If Gte Mso 9]>≪Xml> ≪Br /> ≪O:Office Document Settings> ≪Br /> ≪O:Allow Png/> ≪Br /> ≪/O:Off... So how do I get the best of both worlds? Is there a s...

Are input sanitization and parameterized queries mutually exclusive?

I'm working on updating some legacy code that does not properly handle user input. The code does do a minimal amount of sanitization, but does not cover all known threats. Our newer code uses parameterized queries. As I understand it, the queries are precompiled, and the input is treated simply as data which cannot be executed. In that cas...

What are the best PHP input sanitizing functions?

I am very new to PHP/programming; with that in mind, I am trying to come up with a function that I can pass all my strings through to sanitize, so that the string that comes out of it will be safe for database insertion. But there are so many filtering functions out there I am not sure which ones I should use/need. Please help me fill in ...

SQLITE and iPhone Input Sanitisation

Hi there, We are making our very first iPhone game, and if the user gets a high score then we need to let them enter their name to store it in the high-scores database inside the app. What I was wondering is how do we go about sanitising the input on the iPhone. Obviously we don't want them dropping tables when inputting their name! C...

Sanitize user input for display and allow all characters?

I need to be able to safely display user inputted text in the DOM and I'm currently using the following JS to do that (it limits what characters are accepted). But, now I'd like to allow all characters. How can I accept all characters, but encode them so that the user cannot execute a script or do anything bad. function displayUserInpu...

Is there a good Javascript based HTML parsing library available?

My goal is to take HTML entered by an end user, remove certain unsafe tags like <script>, and add it to the document. Does anybody know of a good Javascript library to sanitize html? I searched around and found a few online, including John Resig's HTML parser, Erik Arvidsson's simple html parser, and Google's Caja Sanitizer, but I haven...

Ruby's Truncate unsanitizes MS Word code..

Curious if anyone ever noticed this, but I have a WYSIWYG that users occasionally paste from Word into. There is a Word sanitizer, but not everyone's a genius. If I parse that text somewhere else, it comes out right. But if I truncate it, then the msword code appears. Does anyone know why truncate unsanitizes this || does anyone know ...

Sanitize user defined CSS in PHP

I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS? Basic process: User enters CSS into form -> Save to DB -> Output as inline CSS ...

Help with applying exception in preg_replace

Hello, how can I allow only digits [^0-9] and a minus sign in front of the digit? Example: Valid = -1...-9, Invalid = --1-... ...

PHP sanitization question.

Is it safe if I just use htmlpurifier for some of my user submitted data so they can enter html code like myspace? http://htmlpurifier.org/ Here is a sample code of PHP and htmlpurifier. $purifier->purify($content); ...

ASP.NET - A practical guide to the sanitization of user input

I've spent most of my career writing applications for consumption within small to medium sized organizations. In those roles, I'd relied on regular expressions to validate the user's input (e.g. email, zipcode, phone # or to find and remove unwanted markup) and the AntiXSS library to protect against cross site scripting attacks. Aft...

How to sanitize HTML code in Java to prevent XSS attacks?

I'm looking for a class/util etc. to sanitize HTML code, i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks. I get html code from a rich text editor (e.g. TinyMCE) but it can be sent a malicious way around, omitting TinyMCE validation ("Data submitted form off-site"). Is there anything as simple to use as Input...

Help with preg_replace and special chars

Hello, I'm using the PDO class but I'm trying to remove all chars except...: function cleaner($str){ return preg_replace('/[^a-zA-Z0-9éàêïòé\,\.\']/',' ',trim($str)); } As you can see, it's a simple function, but it removes all chars éàêïòé example: cleaner('$#$<<>-//La souris a été mangée par le chat ') //returns La souris a...

Securely deleting/wiping MySQL data from hard disk

We're running MySQL 5.1 on CentOS 5 and I need to securely wipe data. Simply issuing a DELETE query isn't an option, we need to comply with DoD file deletion standards. This will be done on a live production server without taking MySQL down. Short of taking the server down and using a secure deletion utility on the DB files is there a wa...