xss

AntiXss and my desired results

After scrubbing my field with AntiXss.HtmlEncode is there a way to remove all the html elements because they still show up as literals in the display? ...

Options for JavaScript Client Library for a Server Side API

I would like to write a JavaScript library to wrap an API I plan on using in my application. Now because of XSS restrictions I cannot simply have my script call out to the server hosting the API. What are the options to get around this? My initial research has turned up: proxy: have the client library make calls back to my webapp's ...

Protect jQuery code against XSS

I am working on an HTML form that posts the data to a URL. I am also using jQuery to get query string parameters and add them to the data I post to the URL. Is there any way to protect against XSS attacks? Any HTML encoding plugins or built-in functions? ...

What are the common defenses against XSS?

In other words, what are the most-used techniques to sanitize input and/or output nowadays? What do people in industrial (or even just personal-use) websites use to combat the problem? ...

ASP.NET MVC Input Validation still firing after being disabled

I've disabled validateRequest in my web.config, but the app is still firing the error: A potentially dangerous Request.Form value was detected from the client I've got the following in my web.config <httpRuntime requestValidationMode="2.0" /> <pages validateRequest="false"> I've also tried the following in my controlle...

HTML Agility Pack vs AntiXSS

Hi All, It seems to me just using the HTML Agility Pack would work to prevent XSS (parse then get InnerText). Would it be repetitive to use AntiXSS after using HAP? Thanks, rod. ...

Is it possible to XSS exploit JSON responses with proper JavaScript string escaping

JSON responses can be exploited by overriding Array constructors or if hostile values are not JavaScript string-escaped. Let's assume both of those vectors are addressed in the normal way. Google famously traps JSON response direct sourcing by prefixing all JSON with something like: throw 1; < don't be evil' > And then the rest of th...

Escaping output safely for both html and input fields

In my web app, users can input text data. This data can be shown to other users, and the original author can also go back and edit their data. I'm looking for the correct way to safely escape this data. I'm only sql sanitizing on the way in, so everything is stored as it reads. Let's say I have "déjà vu" in the database. Or, to be more ...

Why are AJAX requests limited to same domain?

Something I find really confusing is why AJAX requests are limited to the same domain. What is the reasoning behind this? I don't see any problem with requesting files from external locations; also, servers making XMLHTTP requests seem to get and post to external locations fine. ...

Storing encrypted personal information - common sense?

Hi everybody, We're in the middle of developing an e-commerce application that will be used by our customers on a pay-monthly plan. We have thought a bit about offering encryption of all personal data that is stored in the database, to make our application a notch safer to the final consumers. The encryption would be handled completely ...

Cross-domain AJAX call

I tried to make a cross-domain AJAX call with native JavaScript and it works without any JSONP techniques; I am wondering how it is possible. I read that cross-domain AJAX calls cannot be made due to security risk <html> <head> <script type="text/javascript"> function loadXMLDoc() { url=document.getElementById('url_data').value;...

Is it possible to perform a cross-site request forgery attack on a URL that returns a JSON object?

I'm aware that there is a cross-site request forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a site with a URL: foo.com/getJson that returns: ['Puff the Dragon', 'Credit Card #'] This would normally be JavaScript eval'd by my own site after an XHR re...

What is the best way to download an external file to a server via a program?

I have written a WordPress plugin, and I am trying to find the best way of having the program check for updates on my server, and downloading them automatically at the user's request. This will basically be used to download extra features that I don't want to put into the WordPress repository due to them not having the GNU license. I've ...

Is there a good JavaScript-based HTML parsing library available?

My goal is to take HTML entered by an end user, remove certain unsafe tags like <script>, and add it to the document. Does anybody know of a good JavaScript library to sanitize HTML? I searched around and found a few online, including John Resig's HTML parser, Erik Arvidsson's simple HTML parser, and Google's Caja Sanitizer, but I haven...

How do I safely and inexpensively allow images on my site?

I have developed a social networking website for gardeners, and am interested in giving users the ability to add images to their "tweets". If I allow them to upload images to the actual site, it seems like this will quickly become expensive (this is a side project, not funded by anyone other than myself and my own obsessions). Let's say...

Is it possible to be attacked with XSS on a static page (i.e. without PHP)?

A client I'm working for has mysteriously ended up with some malicious scripting going on on their site. I'm a little baffled however because the site is static and not dynamically generated - no PHP, Rails, etc. At the bottom of the page though, somebody opened a new tag and a script. When I opened the file on the webserver and strippe...

Unit testing an HTML parser/cleaner?

Hi everyone, I'm trying to choose between a couple of different HTML parsers for a project I am working on, part of which accepts HTML input from the client. I've built a simple automated test for each one, to see if they fit my needs. I have a large number of real-life HTML fragments to test, but they aren't enough for testing for saf...

PHP filter_var for a URL against XSS attacks

Here is my function: function is_url($url) { return (preg_match('#^(https?):\/\/#i', $url) && (filter_var($url, FILTER_VALIDATE_URL) !== FALSE)); } And here is a nice url that it validates as true: http://blah.com"onclick="alert(document.cookie) Imagine if that goes into <a href="<?php echo $url; ?>"> Are there any better URL ...

Broken images in XSS attacks

Many websites discuss broken images being good warning signs of a possible XSS attack in the pages source code. My question is why so many attackers allow this to happen. It doesn't seem like it would be very much more trouble for an attacker to use an iframe or an unassuming picture to hide their persistent script behind. I could be ...

Cross site scripting forms

I want to help fill forms for my users with default values on other pages. To do that I would like to show another page (from a different domain) in an iframe and insert default values there into fields when needed. But it is not possible because of cross-site scripting protection. I have checked http://sourceforge.net/projects/poxy/ and ...