I have a problem where some users come to my site with cookies that contain < or & characters (partly outside my control). These are flagged Dangerous by ASP.NET. What I would like to do is to be able to catch the exception, check for certain well-known cases that I want to allow and then throw the exception again. I don't want to end up...
I am trying to build an XSS widget and am having issues with WebKit browsers loading the external JavaScript files which I am appending into the DOM. It works as below:
Widget.js appends 3 JavaScript files into the DOM (jquery, data, content)
Jquery.js is standard jQuery with a custom namespace
Data.js is a JavaScript array
Content.j...
I have a usual HTML form with text inputs inside of it, and everything works, but if I insert some > < characters in an input then
I get this error:
A potentially dangerous Request.Form value was detected from the client
Does anybody know how to handle this stuff?
...
How do I prevent XSS (cross-site scripting) using just HTML and PHP?
I've seen numerous other posts on this topic but I have not found an article that clearly and concisely states how to actually prevent XSS.
...
Question: Is preventing XSS (cross-site scripting) as simple as using strip_tags on any saved input fields and running htmlspecialchars on any displayed output ... and preventing SQL injection by using PHP PDO prepared statements?
Here's an example:
// INPUT: Input a person's favorite color and save to database
// this should prevent SQL i...
In my View (using Zend_View so the view is an object), I make calls to object properties and methods to populate the template like so:
<?= $this->user->name ?> // Outputs John Doe
<br/>
<?= $this->user->getCompany()->name ?> // Outputs Acme
<br/>
<?= $this->method() ?> // Outputs foobar
If I make it so that all property requests (...
When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode?
Why is a whitelist approach better than blacklisting?
Also, in the Anti XSS library, where do I specify the whitelist?
...
Hello,
Is it safe to inject jQuery's script using JSONP?
The installation of my web application is - adding a script to a customer's website (like Google Analytics). I was thinking of using jQuery on the customer's website, as part of my own injected script.
I was wondering, if there is some kind of risk?
The application needs to supp...
In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time.
My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I ...
My understanding of XSS attacks focused on people entering malicious input via forms (persistent XSS attack).
However I'm trying to understand non-persistent. Is this an example (obviously the alert could be substituted for something more sinister...)
http://localhost/MyProject/action.do?Title=<script>alert('XSS');</script&...
Internet Explorer 8 has a new security feature, an XSS filter that tries to intercept cross-site scripting attempts. It's described this way:
The XSS Filter, a feature new to Internet Explorer 8, detects JavaScript in URL and HTTP POST requests. If JavaScript is detected, the XSS Filter searches for evidence of reflection, information...
I am attempting to find the optimal method of guarding against Cross Site Scripting in my ASP.NET MVC application. I planned to use Microsoft's AntiXSS library and essentially guard on two levels: 1) Protect regular textboxes (i.e. those that should only contain plain text) and 2) Protect rich text boxes which can generate HTML. The libra...
I know about iframes from different domains being unable to access pretty much anything on the parent level, BUT, all I would need to know is the top-most domain. Here is the scenario:
ABC.com loads an iframe from DEF.com that loads an iframe from XYZ.com. On the level of XYZ.com I need to know that ABC.com is the top most domain.
Any thou...
I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML.
Should I sanitize before saving to the database or before rendering the untrusted input into the webpage?
Is ...
In an ASP.NET MVC project along with a test case project,
How does someone create a test case to test against existing security exploits on a controller method?
For example, how do you create a test case for a call that needs an anti-forgery token? Or XSS?
...
As far as I can see the offerings fall into two categories: scanning services such as McAfee, Comodo, etc. and tools such as Burp Proxy, HP's WebInspect, CodeScan, etc.
In an ideal world, I’d use something that actively scanned a certain URL (the target being a LAMP stack) on a daily basis (or as required if it’s a standalone tool), bu...
I'm looking for a simple PHP library that helps filter XSS vulnerabilities in PHP Markdown output, i.e. PHP Markdown will parse things such as:
[XSS Vulnerability](javascript:alert('xss'))
I've been doing some reading around and the best I've found on the subject here was this question.
Although HTML Purifier looks like the best (nea...
I've been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS me still reports warnings. Are these accurate warnings or spurious?
Using the code below as a testcase:
<form method="post" action="">
<input type="text" name="param" value="<?php ...
Are there any problems with what I am doing here? This is my first time dealing with something like this and I just want to make sure I understand all the risks etc. of the different methods.
I am using WMD to get user input and I am displaying it with a Literal control.
Since it is uneditable once entered I will be storing the HTML and no...
I am trying to resolve a cross site scripting exception in my code.
I'm getting an XSS error at a line where I was using a JSP expression inside JS code
ex:
inside a JS function
function ex(){
.....
var loc = '<%= location.getLocDetails() %>';
.....
}
Please let me know, if you have any solution/workaround?
Note: location.ge...