xss

Can I turn ON XSS in my browser locally?

I am developing a widget (HTML, JavaScript) for a platform which allows the (trusted) widget to make XSS calls. I can test the code by packaging the widget, and using the emulator, but that takes 2 or 3 minutes to reboot every time I make a simple JavaScript code-change. Is there a way to turn ON XSS support in Firefox, or any other br...

Cross Site Scripting - Hidden Form Fields

My application is being penetration tested. One of the XSS items being flagged is that I'm using a hidden form field to store a record id in a browser/search screen, then using this id to open the full record (via a post). I'm struggling to see how this is an XSS attack. Am I missing something? ...

HttpServletRequest - Quick way to encode URL and hidden field parameters

In my Java app I'm preventing XSS attacks. I want to encode URL and hidden field parameters in the HttpServletRequest objects I have a handle on. How would I go about doing this? ...

Determining XSS Attack Vulnerabilities

Hi all, I am experiencing a relentless XSS attack that I can't seem to prevent. I've got three total input forms on my site - one is for the uploading of images, one for adding comments to a page, and a third that sends an email via php. I am protecting all of them in one way or another, but somehow the vulnerability is still there. My...

How to find the source of IE8 "Internet Explorer has modified this page to help prevent cross-site scripting"

One of my customers gets "Internet explorer has modified this page to help prevent cross-site scripting" error on her website on IE8. The page has several ajax calls to the same domain + calls to standard js files outside the domain such as google analytics. How can I detect which call from the browser is actually causing it? ...

Java 5 HTML escaping To Prevent XSS

I'm looking into some XSS prevention in my Java application. I currently have custom built routines that will escape any HTML stored in the database for safe display in my jsps. However I would rather use a built in/standard method to do this if possible. I am not currently encoding data that gets sent to the database but would like to...

Does HTML encoding prevent XSS security exploits?

By simply converting the following ("the big 5"): & -> &amp;, < -> &lt;, > -> &gt;, " -> &#034;, ' -> &#039; Will you prevent XSS attacks? I think you need to white list at a character level too, to prevent certain attacks, but the following answer states it overcomplicates matters. EDIT This page details it does not prevent more elabor...

XSS PHP Log Filter?

I have a log function on my admin panel that checks user input for being correct and, if not correct, writes it to a log file. This log file is written to the admin when logged in. I was testing my site for vulnerabilities, and I managed to fully exploit my server using an XSS hole. I tried to filter logged input by checking the input t...

Making user-made HTML templates safe

I want to allow users to create tiny templates that I then render in Django with a predefined context. I am assuming the Django rendering is safe (I asked a question about this before), but there is still the risk of cross-site-scripting, and I'd like to prevent this. One of the main requirements of these templates is that the user shoul...

Detect whether the ie8 xss filter is enabled

Is there a method by which we can detect if a user using ie8 has the XSS filter enabled? As far as I can tell, nothing changes in the User Agent or in the http headers when ie8 has the XSS filter enabled vs when it does not. That leaves some client-side detection of the use of the filter. Would it be possible to write a test page that w...

PHP filter library or class

I need a filter function for a project I'm working on. I am thinking about using HTML Purifier. However, I'm concerned about its performance. Have any of you used, or are you using, HTML Purifier? Or do you suggest another library or class with similar functionality? The most important issues are: UTF-8 support, XSS security ...

How can you access an external iframe's contents via the DOM/Javascript?

I have a page thusly: <html> <body> <iframe src="local.html"></iframe> <iframe src="http://www.google.com"></iframe> </body> </html> I've used the DOM to access the first iframe as a test (node.documentWindow) but when I try similar on the external iframe Firebug reports that access is denied. I suspect this is ...

How to handle this error gracefully in asp.net?

I have an asp.net site. I would like to know how to handle this error gracefully when a user enters and submits an illegal character (XSS attack): "A potentially dangerous Request.Form value was detected from the client (ctl00$TextBox1="")......etc" I can turn off the requestvalidation attribute and write code to filter the strin...

Is there any reason to sanitize user input to prevent users from cross site scripting themselves?

If I have fields that will only ever be displayed to the user that enters them, is there any reason to sanitize them against cross-site scripting? Edit: So the consensus is clear, that it should be sanitized. What I'm trying to understand is why? If the only user that can ever view the script they insert into the site is the user him...

Java - XSS - HTML encoding - Character entity reference vs. Numeric entity reference

We've been looking for ways to HTML encode our JSP pages to counter XSS. The OWASP site shows How_to_perform_HTML_entity_encoding_in_Java The article talks about entity encoding the "Big 5" i.e. {"#39", new Integer(39)}, // ' - apostrophe {"quot", new Integer(34)}, // " - double-quote {"amp", ...
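The three encoding questions above (encoding URL and hidden-field parameters in HttpServletRequest, whether "the big 5" alone stops XSS, and character versus numeric entity references) share one answer: the right encoder depends on the output context. The block below is an added example, not code from any of the posts or from OWASP; it is written in JavaScript to stay neutral across the Java, PHP and ASP.NET stacks on this page, and every function name and the sample payloads are made up for the illustration.

```javascript
// Added example, not from any post on this page: the "big 5" HTML entity
// encoding beside the contexts where it is the wrong encoder.  Function
// names and payloads are made up for the illustration.

// Numeric references for the quotes: &apos; is not defined in HTML 4 and
// some older parsers print it literally, while &#039; works everywhere.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };

// Correct for HTML text nodes and for attribute values that are quoted.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// For attribute values that may be unquoted: encode everything that is not
// alphanumeric, so a space or '=' cannot start a new attribute.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Inside a <script> block entities are not decoded, so HTML encoding does
// nothing there.  Escape as \xHH / \uHHHH so quotes and "</script>" are inert.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u${code.toString(16).padStart(4, '0')}`;
  });
}

// Query-string parameters (the hidden-field / record-id case) are
// percent-encoded per parameter, then the whole URL is HTML-encoded because
// it lands inside an href attribute; note '&' between parameters becomes &amp;.
function buildHref(base, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return encodeHtml(`${base}?${qs}`);
}

// Why the big 5 alone is not enough: this constructed payload contains none
// of the five characters yet breaks out of an unquoted attribute.
const UNQUOTED_PAYLOAD = 'x onmouseover=alert(1)';

function renderUnquotedWithBig5(value) {
  return `<input type=text value=${encodeHtml(value)}>`;          // vulnerable
}

function renderUnquotedWithAttributeEncoder(value) {
  return `<input type=text value=${encodeHtmlAttribute(value)}>`; // safe
}
```

The rendering pair at the end is the point of the block: `renderUnquotedWithBig5` emits `<input type=text value=x onmouseover=alert(1)>` because no big-5 character appears in the payload, while the attribute encoder turns the space and `=` into `&#32;` and `&#61;`, so the value cannot grow a second attribute. The same separation of concerns applies in Java: pick the encoder by where the value lands (HTML body, attribute, script, URL) rather than by where it came from.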

CodeIgniter's XSS Protection is removing <script> tags from user inputs... but I don't want it to!

Hey folks, CodeIgniter is brilliant but I'm using it to develop a site where users need to be able to share their code for websites. Unfortunately, CodeIgniter has been doing the "right" thing by removing <script> tags from my users' inputs into the database, so when it's returned the data looks like this: [removed] User's data [removed] ...

Java website protection solutions (especially XSS)

I'm developing a web application, and facing some security problems. In my app users can send messages and see others' (a bulletin board like app). I'm validating all the form fields that users can send to my app. There are some very easy fields, like "nick name", that can be 6-10 alphabetical characters, or message sending time, which ...

How does disqus work?

Does anyone know how disqus works? It manages comments on a blog, but the comments are all held on third-party site. Seems like a neat use of cross-site communication. ...
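The iframe question above ("access is denied" on the external frame) and this one are two sides of the same boundary: the same-origin policy blocks DOM access across origins, so a hosted comment widget and its embedding page have to talk through window.postMessage instead, and the receiving side must check event.origin before trusting event.data. The block below is an added example of that exchange, not Disqus's code and not from either post; the origins, message shape and handler names are assumptions for the illustration.

```javascript
// Added example, not from any post on this page: a host page receiving
// messages from a third-party comment iframe via window.postMessage, with
// the origin and payload checks a practitioner would want.  The origin and
// the {type, height} message shape are made up for the illustration.

const WIDGET_ORIGIN = 'https://widget.example'; // origin the iframe is served from

// Returns a 'message' listener for the host page.  It trusts only events
// whose origin is the widget origin, and of those only a well-formed
// {type: 'resize', height: n}.  Each decision is returned so it can be checked.
function makeHostHandler(trustedOrigin, onResize) {
  return function handleMessage(event) {
    // event.origin is filled in by the browser and cannot be forged by the sender.
    if (event.origin !== trustedOrigin) {
      return { accepted: false, reason: 'untrusted origin' };
    }
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null || msg.type !== 'resize') {
      return { accepted: false, reason: 'unknown message type' };
    }
    // Validate the payload: the widget must not be able to set an absurd
    // height or smuggle a string that ends up in innerHTML or a style.
    const height = Number(msg.height);
    if (!Number.isInteger(height) || height < 0 || height > 10000) {
      return { accepted: false, reason: 'bad height' };
    }
    onResize(height);
    return { accepted: true, height };
  };
}

// Real wiring in the host page (browser only, not executed here):
//   const frame = document.querySelector('iframe');
//   window.addEventListener('message',
//     makeHostHandler(WIDGET_ORIGIN, (h) => { frame.style.height = h + 'px'; }));
//   // targetOrigin is the widget origin, never '*': if the frame has navigated
//   // elsewhere the browser silently drops the message instead of leaking it.
//   frame.contentWindow.postMessage({ type: 'init', thread: location.href }, WIDGET_ORIGIN);
// The widget does the mirror check against the host's origin before acting.

// Constructed stand-ins for MessageEvent objects, exercising each branch.
function runScenario() {
  let applied = null;
  const handle = makeHostHandler(WIDGET_ORIGIN, (h) => { applied = h; });
  const results = [
    handle({ origin: WIDGET_ORIGIN, data: { type: 'resize', height: 640 } }),
    handle({ origin: 'https://evil.example', data: { type: 'resize', height: 640 } }),
    handle({ origin: WIDGET_ORIGIN, data: { type: 'resize', height: '<img onerror=alert(1)>' } }),
    handle({ origin: WIDGET_ORIGIN, data: 'resize:640' }),
  ];
  return { results, applied };
}
```

Only the first constructed event changes the page; the second is rejected on origin alone even though its payload is identical, which is the check most postMessage bugs omit. Passing the widget origin as targetOrigin on the sending side is the complementary protection: it stops the host from handing its data to whatever the frame has navigated to.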

What is the way (best practice) to deal with XSS?

I am using ASP.NET, and an ASP.NET page has a validate attribute which checks for the XSS validations. However, I would like to know whether it is really sufficient. I have visited some of the related posts on Stack Overflow and that helped me, but I am looking to understand how to plan for XSS when developing web sites. Do we have to check XS...

Sanitizing input for display in view when using simple_format

Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santiz...