Hello Friends,
Let's assume I have my browser load an Iframe with <iframe src="test.html">
Can I, using ajax, load the content of test.html into a div in the main html page?
This idea is my solution for the fact that I'm actually trying to overcome the limitation with making ajax submits to remote hosts. The plan is to generate the dy...
I want to know if entity-encoding the two marks < and > is enough to prevent XSS injections?
And if not, why? And what's the best solution?
...
I've been using struts2 + the rest plugin successfully to create a simple rest api web service. I'd like to make that service accessible to Flash and Silverlight clients, which means I need to add a crossdomain.xml access file at the root of my webapp. Normally I would just copy a crossdomain.xml file into the root of my webapp and ser...
I would like to fetch a source of file and wrap it within JSONP.
For example, I have pets.txt. I want to retrieve source of that file from another domain using nothing but client-side JavaScript. Can I do it?
Actually, I can't. I can do it only for JSONP. So, I can convert pets.txt to JSONP.
I'm looking for online service which can co...
What should I do to prevent XSS in Java? I'm using Spring MVC. Right now I am just putting all places where I output user text into <c:out /> tags, but this seems error prone as I might miss a place.
Is there an easy systematic way to prevent this? Maybe like a filter or something?
EDIT: I'm collecting input by specifying @RequestPar...
How do I make sure I don't escape something twice?
I've heard that it's good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something.
...
Is there an easier way than
foreach ($_POST as $x => $y) {
    $arr[$x] = $this->input->get_post($y, TRUE);
}
to just have the entire $_POST array cleaned with CI's XSS filter. Looking at the input library it seems though get_post() only accepts an individual variable rather than being able to clean the entire array and then return the arra...
To prevent XSS attacks, output escaping has been enabled;
The above is from symfony, but I don't understand.
...
Domain abc.com has a page with 2 iframes. Both of them are loaded from domain xyz.com. Will XSS security block JavaScript access/communication/interaction between those two iframes?
...
Hi,
I'm trying to get at a text file from an external website, for use with scripts running from my own domain. Example:
// run from www.mysite.com:
<html>
<head>
<script>
function blah() {
    var data = document.getElementById("thedata");
    alert(data.innerHTML);
}
</script>
</head>
<body>
<emb...
I have wymeditor on sub1.domain.com, which is accessed by a page on sub2.domains.com.
This line gives an error
var styles = this._doc.styleSheets[0];
Permission denied for <http://removed.example.com> to get property HTMLDocument.styleSheets from <http://removed2.example.com>.
I am assuming this is a cross site scripting r...
I have a form to signup yourself in a mailing list.
I had set up the script to send me a mail for every signup and confirmation.
The last days I saw a bunch of empty submissions (rejected). Turns out filter_input is that good :-)
But I want to see the input of the malicious users, so I'm encoding the input and sending it to me by mail
...
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the
...
This is a very specific question for a Google Chrome extension.
http://www.meebo.com/mobile/
This page is where you're kicked to when you go to Meebo.com on an iPhone or Droid phone. But if you notice, the Status box where you can set yourself away or what you want your status to be has white text on a white background.
In order to ge...
If this can only be done in some browsers, I'd still like to know how...
Basically, I want to have a drag-and-drop feature where users can drag files to a drop zone and then hit "upload" and have the files uploaded to the server.
I was pondering the possibility of having the option to drag an entire folder to the drop zone and uploadin...
Hello. I am building a Rails (2.3.5) site with facebook connect functions via the facebooker plugin. When logging in via the facebook login button (<%= fb_login_button%>), after the popup requests my username and password, I get a blank popup screen, and this error in the console.
Processing ApplicationController#index (for 127.0...
I apologize if this has been asked before. I searched but did not find anything. It is a well-known limitation of AJAX requests (such as jQuery $.get) that they have to be within the same domain for security reasons. And it is a well-known workaround for this problem to use iframes to pull down some arbitrary HTML from another website...
Hi;
How to safeguard a form against script injection attacks. This is one of the most used forms of attacks in which attacker attempts to inject a JS script through form field. The validation for this case must check for special characters in the form fields. Look for suggestions, recommendations at internet/jquery etc for permissible ch...
I need to allow content from our site to be embedded in other users' web sites.
The content will be chargeable so I need to keep it secure but one of the requirements is that the subscribing web site only needs to drop some javascript into their page.
It looks like the only way to secure our content is to check the url of the page hosti...
In my ASP.NET application, I'm getting the following error message during a POST with certain input:
A potentially dangerous Request.Form value was detected from the client
I know that this occurs because a feature of .NET called Request Validation is preventing potentially dangerous characters that could be used in an XSS atta...