I want my application to sanitize html on input rather than on display, so that the fields saved into the database are sanitized.
I've been doing this with strip_tags, and it was working great. However, this has the downside that it means the user can't input anything that's bracketed with < and >.
How can I tell Rails in the model to ...
The offending page is http://beta.westlake.school.nz/school-details if viewed using IE8
...
I have an $.ajax() request that queries currency exchange rate information from another web server, which is the reason (I believe) for which I am getting an "Access Is Denied" error on the $.ajax() call.
Is there a way to permit this type of activity?
...
Hi there.
I am writing an application where users are required to show their photo, however as my server resources are very limited I can not let them upload it to the server.
So I have three major questions:
1. How to properly validate photo URL? At least I can validate with regexp, however I need to check for file ending:
`validat...
I just discovered Erubis, a replacement for the default view renderer for Ruby on Rails. However, from what I can tell from reading about it, it's superior across the board.
It is much faster.
It has many more options.
It can prevent cross site scripting without having to use h.
Does this have any disadvantages versus the standard erb ...
I want a flash message that looks something like:
"That confirmation link is invalid or expired. Click here to have a new one generated."
Where "click here" is of course a link to another action in the app where a new confirmation link can be generated. Two drawbacks: One, since link_to isn't defined in the controller where the flash m...
Let's say we have this form, and the possible part for a user to inject malicious code is this below
...
<input type=text name=username value=
<?php echo htmlspecialchars($_POST['username']); ?>>
...
We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars fi...
I am using Clojure/Ring/Compojure-0.4/Enlive stack to build a web application.
Are there functions in this stack that would either strip HTML or HTML-encode (i.e. <a> to &lt;a&gt;) user-supplied strings in order to prevent XSS attacks?
...
Hi!
I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that's all.
What do I have to do to make it vulnerable?? (then I'll learn what I shouldn't do hehe)
Cheers.
...
Is it possible to load in an image from another domain using JavaScript, and then pass the image to a Silverlight control on my page?
...
Hi,
I am trying to move a development environment from production to my local machine (Ubuntu), and when I get the code up and running on my box, the site works in rails but I get this JS error:
Permission denied for http://ad.doubleclick.net to call method Location.toString on http://localhost:3000.
Line 0
Do you have any idea how ...
I have a piece of javascript executing on a jetty server which is sending an XMLHttpRequest to a socket on another server (wamp server).
The request gets sent to the socket, however the XHR response seems to be getting blocked.
My only thought on this is that it may be an issue with XSS (cross-site scripting).
Is there a way in which I could en...
I have a piece of javascript executing on a jetty server which is sending an XMLHttpRequest to a socket on another server (wamp server). The request gets sent to the socket, however the XHR response seems to be getting blocked.
I have heard that I can use JSONP to overcome this problem.
However as I am new to both javascript and I have ne...
Since there are so many valid characters for email addresses, are there any valid email addresses that can in themselves be XSS attacks or SQL injections? I couldn't find any information on this on the web.
The local-part of the e-mail address may use any of these ASCII characters:
Uppercase and lowercase English letters (a...
function sanitizeString($var)
{
    $var = stripslashes($var);   // undo magic-quotes style escaping
    $var = htmlentities($var);   // encode characters special to HTML
    $var = strip_tags($var);     // remove any remaining HTML/PHP tags
    return $var;
}
function sanitizeMySQL($var)
{
    $var = mysql_real_escape_string($var); // escape for use inside a MySQL string literal
    $var = sanitizeString($var);
    return $var;
}
I got these two functions from a book and the author says that by us...
Can this code help to sanitize malicious code in user submit form?
function rex($string) {
    $patterns = array();
    $patterns[0] = '/=/i';           // strip every "=" character
    $patterns[1] = '/javascript:/i'; // strip the "javascript:" scheme (case-insensitive)
    $replacements = array();
    $replacements[0] = '';
    $replacements[1] = '';
    return preg_replace($patterns, $replacements, $string);
}
I have included htmlentities() to prevent...
Hi, so, members of my website can post topics, replies, comments, edit them and so on. I always use htmlspecialchars and addslashes for html inputs to protect my site against XSS and SQL injection attacks. Is it enough or is there something more I miss?
Thanks.
...
I have many params making up an insert form for example:
x.Parameters.AddWithValue("@city", City.Text)
I had a failed XSS attack on the site this morning, so I am trying to beef up security measures anyway.
Should I be adding my input params like this?
x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text))
Is the...
Hey all
Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections?
I know about the typical functions such as htmlentities, special characters, string replace etc. but is there a simple bit of code or a function that is a failsafe for everything?
Any ideas would be great. Many tha...