whitelist

Whitelisting, Preventing XSS with WMD Control in C# .NET

Are there any problems with what I am doing here? This is my first time to deal with something like this and I just want to make sure I understand all the risks etc. to different methods. I am using WMD to get user input and I am displaying it with a Literal control. Since it is uneditable once entered I will be storing the HTML and no...

Google app engine to run executable files

Hi, is it possible to run executable files in Google App Engine? Like by using Runtime.exec? There is a whitelist in the Google App Engine documentation which lists classes that can be used, but functions/ inside the classes are not specified. Thanks! ...

Accept all smtp from specific ip for google apps

I just signed up for google apps a week or so ago and so far I'm liking it. I have a bit of a situation that I can't figure out on my own however. I want to be able to use google's smtp for my web sites that are hosted on a server I have co-located at my local ISP. Unfortunately I can't use smtp authentication as the apps I'm using do...

Does anyone know how a white-list class access approach similar to Google App Engine can be implemented?

I am writing a container framework that can dynamically deploy a Jar file containing user developed classes in the container, and then using a web interface execute certain classes from the Jar file. Everything else is well set, including the validations. However, a requirement is to only allow access to certain JDK and other library c...

How do DotNetOpenAuth whitelist and blacklists work?

Does anyone have any documentation on DotNetOpenAuth and the way it handles white lists and black lists? My config <untrustedWebRequest> <blacklistHosts> <add name="*" /> </blacklistHosts> <whitelistHosts> <add name="www.mysite.ca" /> <add name="mysite.ca" /> <add name="devel...

Why use a whitelist for HTML sanitizing?

I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input? How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything? ...

Website url whitelists

I'm building a user content parser and am adding an automatic link parser. I'm adding a dialogue, that confirms that the user wants to go to the particular site being linked to. This is for two reasons. Anti phishing and spam combating. However I want to be able to disable both the dialogue and nofollow additions with commonly used websi...

Whitelisting website email so it is not rejected as spam

What are the processes I need to go through to make sure emails sent from my web server are not rejected as spam? This question is for legitimate site emails that members have requested like a daily newsletter which is generated and run in a nightly process, as well as confirmation emails. Some of the ideas I've heard are: Making sur...

html5 cache -> "network: *" doesn't work

Hello all, I am trying a simple test with the html 5 cache. Here is a simple web page : <!DOCTYPE html> <html manifest="test.manifest"> <head> </head> <body> <img src="http://www.somewebsite.com/picture.jpg"/> </body> </html> With the following manifest : CACHE MANIFEST #v0.1 NETWORK: http://www.somewebsite.com/ This work...

Generate PDF with picture on Google App Engine on JAVA

Hi, I'm trying to generate PDF files in a project hosted on GAE. For now, I use iText and it works fine to create text only PDF. I really need to add pictures on my pdf. And when I try with iText I catch some Exception talking about AWT and the google white list : Uncaught exception from servlet java.lang.NoClassDefFoundError: java.a...

Can Javascript be written in a html href tag?

Hi I am trying to figure out all the ways javascript can be written. I am making a white list of acceptable tags however the attributes are getting me. In my rich html editor I allow stuff like links. <a href="">Hi </a> Now I am using html agility pack to get rid of attributes I won't support and html tags for that matter. However ...

Flash: Grant access to webcam programmatically / behind the scenes?

We're building a kiosk app that will have a fairly wide deployment. The app is in Flash running in a browser and requires the use of the webcam. As it stands, each kiosk will show the usual Flash "do you want to allow the use of your camera/microphone" dialog, which I suppose a local admin could click through, choose "remember," etc. Gi...

Should I allow underscores in first and last name?

We have a form that has fields for first and last name. I was asked to allow underscores. I don't know of any sql injection that uses underscores, but I also don't know of anyone with an underscore in their name. Is there a good reason to allow or not allow underscores in names? EDIT: I'm using parameters and server side validation. ...

How to IP whitelist for a single URL in IIS

I have an ASP.NET application that's made up of several .aspx pages. I want one of those .aspx pages to be accessible by only a certain set of IPs. Is this possible? I know you can IP whitelist at the website level, but can you IP whitelist for a single URL in an application? ...

blacklisting vs whitelisting in form's input filtering and validation

Which is the preferred approach in sanitizing inputs coming from the user? Thank you! ...