For the site i am building i would like the users to be able to provide embed codes for video and audio sites. i know this poses a security risk, so i wanted to find out, within Django, how best to filter the html provided so that only certain tags and certain sites are allowed. Does anyone have any references to how i can accomplish th...
I have a small Sinatra app which generates html fragments for me from an ERB template. How do I html_escape the output? The <%=h somestring %> helper does not exist in Sinatra. ...
We're having an issue on one of our fairly large websites with spam bots. It appears the bots are creating user accounts and then posting journal entries which lead to various spam links. It appears they are bypassing our captcha somehow -- either it's been cracked or they're using another method to create accounts. We're looking ...
I want to include Microsoft AntiXss V1.5 library on my live site running in a medium trust setting.However, I got an error something like: Required permissions cannot be acquired. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the er...
I'm developer moving from C# to Java. Heard about new ASP net feature. <%: %>. It renders object with html encoding. Only these impolementing IHtmlString interface are not encoded (to prevent double encoding). See more in http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net...
Possible Duplicate: What are the best practices for avoid xss attacks in a PHP site I need to prevent XSS attacks in PHP code, is there nay good and easy library for this? ...
I would like to offer a webservice via JSONP and was wondering, if I need to sanitize the value from the callback parameter. My current server side script looks like this currently (More or less. Code is in PHP, but could be anything really.): header("Content-type: application/javascript"); echo $_GET['callback'] . '(' . json_encode($d...
Is it, in any way, possible to disable the browsers execution of script inside a block/section/element ? My scenario is, that I'm letting my (future) users create "rich content" (using CK-editor). Content that wil later be shown to other users - with all the dangers that imply: xss, redirection, identity theft, spam and what not... I'v...
Hello, is there a way that I could automatically format the input box via Javascript that prevents XSS before the user tries to click on the submit button? like for instance, after a user types a script attack on a textbox, the javascript automatically formats the value within the textbox to a safe format. btw, i'm not just relying on...
Hello, I use Owasp Anti samy with Ebay policy file to prevent XSS attacks on my website. I also use Hibernate search to index my objects. When I use this code: String html = "special word: été"; // use the Ebay configuration file Policy policy = Policy.getInstance(xssPolicyFile.getInputStream()); AntiSamy as = new AntiSamy()...
Hi everyone, I'm trying to choose between a couple of different HTML parsers for a project I am working on, part of which accepts HTML input from the client. I've built a simple automated test for each one, to see if they fit my needs. I have a large number of real-life HTML fragments to test, but they aren't enough for testing for saf...
I'm looking for class/util etc. to sanitize HTML code i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks. I get html code from rich text editor (e.g. TinyMCE) but it can be send malicious way around, ommiting TinyMCE validation ("Data submitted form off-site"). Is there anything as simple to use as Input...
How does the XSS (Cross Site Scripting) support provided by ASP.net differs from AntiXss. AntiXss is a microsoft library for securing your site against XSS. Both API looks almost similar and it looks that they can easily be switched from one to another by doing find replace in your code files. Which one provides more security against XS...
Hey! If my site ever goes live (don't think it will, its just a learning exercise at the moment). I've been using mysql_real_escape_string(); on data from POST, SERVER and GET. Also, I've been using intval(); on strings that must only be numbers. I think this covers me from sql injection? Correct? Can i do more? But, I'm not sure ho...
Im just wondering, would the following be completely safe or would someone be able to get around it using hexadecimal characters, etc: $name = mysql_real_escape_string(htmlentities(stripslashes($_REQUEST['name']))); $query ="SELECT * FROM Games WHERE name LIKE '%{$name}%'"; Thanks. I know I can use PEAR and other libraries to make pr...
Hello I'm having XSS Vulnerability using jQuery's .append() function what I'm doing is appending raw chat messages coming from users and I don't want to strip html tags serversided or clientsided I just want to display them. Yet jquery's .append() method renders the html markup. anyway to do like appendText()? I tried .text() but it do...
I am making a forum posting web application using Java and I want to know : What are the xml tags that should be parsed and removed when posting like the <script> tag ? Should i remove the tag and keep the content, or remove the tags with the content ? what are the regular expression to remove them ? ...
Hi, I just added TinyMCE to a small CMS I built in Rails. I've been using Redcloth before to style user generated articles. Since I started using TinyMCE, I would like to also allow users to embed video (from youtube for ex) into their blog posts. I'm using the follow helper in the views: sanitize(text, :tags => %w(a object p...
Seems like Microsoft updated the Anti XSS library today: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651 In addition there is a new release of the Web Protection Library http://wpl.codeplex.com/ Are these two downloads the same thing? What XSS library should I be using? Are there ot...
I want to block xss attacks but i still want to allow html tags like <b><u><i><img><a> and YouTube video players. I don't want to be open for XSS attacks tho. I am using php. ...