AntiXss and my desired results
After scrubbing my field with AntiXss.HtmlEncode is there a way to remove all the html elements because they still show up as literals in the display? ...
After scrubbing my field with AntiXss.HtmlEncode is there a way to remove all the html elements because they still show up as literals in the display? ...
I would like to write a Javascript library to wrap an API I plan on using in my application. Now because of XSS restrictions I cannot simply have my script call out to the server hosting the API. What are the options to get around this? My initial research has turned up: proxy: have the client library make calls back to my webapp's ...
I am working on an HTML form that posts the data to a URL. I am also using Jquery to get query string parameters and add them to the data I post to the URL. Is there any way to protect against XSS attacks? Any HTML encoding plugins or built-in functions? ...
In other words, what are the most-used techniques to sanitize input and/or output nowadays? What do people in industrial (or even just personal-use) websites use to combat the problem? ...
I've disabled validateRequest in my web.Config, but the app is still firing the error: A potentially dangerous Request.Form value was detected from the client I've got the following in my web.Config <httpRuntime requestValidationMode="2.0" /> <pages validateRequest="false"> I've also tried the following in my controlle...
Hi All, It seems to me just using the html agility pack would work to prevent xss (parse then get innertext). Would it be repetitive to use antixss after using hap? Thanks, rod. ...
JSON responses can be exploited by overriding Array constructors or if hostile values are not JavaScript string-escaped. Let's assume both of those vectors are addressed in the normal way. Google famously traps JSON response direct sourcing by prefixing all JSON with something like: throw 1; < don't be evil' > And then the rest of th...
In my web app, users can input text data. This data can be shown to other users, and the original author can also go back and edit their data. I'm looking for the correct way to safely escape this data. I'm only sql sanitizing on the way in, so everything is stored as it reads. Let's say I have "déjà vu" in the database. Or, to be more ...
Something I find really confusing, is why are ajax requests limited to the same domain? What is the reasoning behind this? I don't see any problem with requesting files from external locations, also servers making XMLHTTP requests seem to get and post to external locations fine. ...
Hi everybody, We're in the middle of developing a e-commerce application that will be used by our customers on a pay-monthly-plan. We have thought a bit about offering encryption of all personal data that is stored in the database, to make our application a notch safer to the final consumers. The encryption would be handled completely ...
i tried to make an cross domain ajax call with native javascript and it works with out any jsonp techniques, i am wondering how it is possible . i read that cross domain ajax calls cannot be made due to security risk <html> <head> <script type="text/javascript"> function loadXMLDoc() { url=document.getElementById('url_data').value;...
I'm aware that there is a Cross site forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a site with a URL: foo.com/getJson that returns: ['Puff the Dragon', 'Credit Card #'] This would normally be Javascript eval'd by my own site after an XHR re...
I have written a WordPress plugin, and I am trying to find the best way of having the program check for updates on my server, and downloading them automatically at the user's request. This will basically be used to download extra features that I don't want to put into the WordPress repository due them not having the GNU license. I've ...
My goal is to take HTML entered by an end user, remove certain unsafe tags like <script>, and add it to the document. Does anybody know of a good Javascript library to sanitize html? I searched around and found a few online, including John Resig's HTML parser, Erik Arvidsson's simple html parser, and Google's Caja Sanitizer, but I haven...
I have developed a social networking site for gardeners website, and am interested in giving users the ability to add images to their "tweets". If I allow them to upload images to the actual site, it seems like this will quickly become expensive (this is a side project, not funded by anyone than myself and my own obsessions). Let's say...
A client I'm working for has mysteriously ended up with some malicious scripting going on on their site. I'm a little baffled however because the site is static and not dynamically generated - no PHP, Rails, etc. At the bottom of the page though, somebody opened a new tag and a script. When I opened the file on the webserver and strippe...
Hi everyone, I'm trying to choose between a couple of different HTML parsers for a project I am working on, part of which accepts HTML input from the client. I've built a simple automated test for each one, to see if they fit my needs. I have a large number of real-life HTML fragments to test, but they aren't enough for testing for saf...
Here is my function: function is_url($url) { return (preg_match('#^(https?):\/\/#i', $url) && (filter_var($url, FILTER_VALIDATE_URL) !== FALSE)); } And here is a nice url that it validates as true: http://blah.com"onclick="alert(document.cookie) Imagine if that goes into <a href="<?php echo $url; ?>"> Are there any better URL ...
Many websites discuss broken images being good warning signs of a possible XSS attack in the pages source code. My question is why so many attackers allow this to happen. It doesn't seem like it would be very much more trouble for an attacker to use an iframe or an unassuming picture to hide their persistent script behind. I could be ...
I want to help fill forms for my users with default values on other pages. To do that I would like to show another page (from different domain) in an iframe and insert there default values when needed into fields. But it is not possible because of cross site scripting protection. I have checked http://sourceforge.net/projects/poxy/ and ...