I'm getting pretty frustrated trying to make McAfee whitelist a supposed exploit on a site I work on. The issue is that their automated system has detected a supposed XSS exploit, but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist, then surely this means...
We have published a JSON API to share data between a few domains. We provide a callback that allows any GETs from remote sites to be returned as padded JSON.
GET http://mysite.com/jsonapi/object?callback=?
Returns: ?({'someKey':'someData'})
Now all of this works fine whenever we are GETting data from remote sites, but the moment t...
Here's an interesting JS question... suppose you have:
host1.html on host1.com which references an external JavaScript file (host2.js) on host2.com. In host2.js, I'd like to get the location.hostname of the host serving host2.js, but because host2.js is called inside of host1.html, it returns the location.hostname of host1.
Is there a way...
Let's say I want to use this API: http://hiveminder.com/help/reference/API.html
The instructions walk through its use via the curl command-line tool, which I'm unfamiliar with. I want to access this API through a simple script on my own page. What are the steps I need to do this?
Keep in mind it's been years since I've done any of ...
Can I use ActionView::Helpers::SanitizeHelper#sanitize on user-entered text that I plan on showing to other users? E.g., will it properly handle all cases described on this site?
Also, the documentation mentions:
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to...
When doing an AJAX call, why do browser security rules state that you cannot make a request to a different domain?
...
My site utilizes a WYSIWYG editor for users to update their accounts, enter comments, and send private messages.
The editor (CKEditor) is great for only allowing users to enter valid input, but I worry about injection through TamperData or other means.
How can I control this on the server side?
I need to whitelist specific tags: <b><...
I'm a developer (and therefore a tester) of a website. Our site accepts any JavaScript or HTML from a user, but I haven't been successful in explaining the danger of it, as obvious as it is. So I would like to prove it by logging in as my boss to prove to him that there is definitely a real danger here. I think this will put down any of ...
Imagine the following scenario:
You work at Big Co. and your coworkers down the hall are on the web development team for Big Co's public blog system, which a lot of Big Co employees and some public people use. The blog system allows any HTML and JavaScript, and you've been told that it was a choice (not by accident) but you aren't sure ...
Hi, yesterday I noticed that sometimes my webpage shows JavaScript errors.
When I went to the source code, I found that one of the .js files was totally replaced with a ton of porn links.
I checked the FTP for this file, but there was just the old JavaScript file without any changes.
Yet I go back to check the source code via the browser and indeed th...
The page A.com has 2 iframes B.com/page1 and B.com/page2.
This is the code of A.com:
<html><body>
<iframe src="b.com/page1" name="iframe1" id="iframe1"></iframe>
<iframe src="b.com/page2"></iframe>
</body></html>
I want to execute a JS function on B.com/page1 from B.com/page2.
Both examples below work well when the parent is from the same domai...
How can I prevent XSS but allow any characters to be used? Like, I can post HTML code on a forum like <html><body><h1>Test</h1></html>, but it would not be rendered in the browser as HTML? How can I do this so it does not convert the characters in PHP?
...
I have a question about XSS
Can forms be used as a vector for XSS even if the data is not stored in the database and used at a later point?
i.e. in PHP the code would be this:
<input type="text" value="<?= @$_POST['my_field'] ?>" name="my_field">
Showing an alert box (demonstrate that JS can be run) on your own browser is trivial wi...
I am trying to read XML into a webpage from another server, and I assume that my problem is the Same-Origin Policy, and therefore a cross-domain problem.
I have done a bit of googling and it seems that JSONP is the way forward.
Based on some examples I found here on Stack Overflow and other sites, this is what I have, and it does not "hit" the ...
Greetings,
I'm trying to prevent XSS and improper HTML from input fields using CKEditor (a JavaScript WYSIWYG editor).
How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.
Edit:
According to HTML Purifier, Tidy does not...
I just got hammered on a Security Audit by Deloitte on behalf of SFDC. Basically we use Flex and communicate via AMF. We use FluorineFX for this (as opposed to LCDS and Blaze). We are being told that because the AMF response is not encoded and someone can manipulate the AMF parameters and insert JavaScript, this is a XSS vulnera...
I am trying the above mentioned, like this:
$.ajax({
    type: 'GET',
    dataType: 'xml',
    url: $('#proxy').attr('src', 'http://192.168.0.106:8111/getconfiguration?'),
    success: function (xml) {
        // do stuff with xml
    }
});
And in the body...
Hi All,
I currently have a single ASP.NET page that displays a grid with a single column with rich text in it. This is a logical 3-tier app. The BLL returns a collection to the UI to bind to the grid.
Currently, when you edit the column it gives you a rich text editor and all the data gets saved to a database.
With the way it's design...
Is there a relatively easy solution to Rails 3 auto-escaping not breaking view-oriented plugins? I'm using table_builder, which has an API along the lines of:
<%= calendar_for(args) do |table| %>
...
<% end %>
Unfortunately, Rails goes through and escapes all the HTML generated from that plugin. Is there an easy way to avoid this be...
I know that Rails 3 automatically escapes user input, but does it also do this for user input that's submitted via AJAX, such as an auto-complete query?
...