In a server-side Classic ASP file, let's say you receive a Request string containing malicious javascript like, "alert('HACKED');"
DIM foo : foo = Request.Form("foo") 'Contains malicious javascript
and then later we're writing javascript to screen containing that value.
%>
<script type="text/javascript">
// some code
<%=foo %>...
I've heard that some XSS attacks can be done by posting an image to a site that has javascript as the src attribute. Are there certain browsers that will protect me from this type of attack?
...
I have a WYSIWYG editor in my ColdFusion app and need to prevent XSS attacks. Are there any ColdFusion ways to strip out all script-type attacks?
...
So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.
Recently, I discovered a URL that looked like this:
http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&adgroup=<?php e...
I'm writing some AJAX; the server returns JSON (that I also wrote, and as such is sanitary JSON). Under these conditions it seems I can use eval just fine, however I worry that there may be some sort of man in the middle attack on my clients, substituting their JSON for mine. I suppose if there is a man in the middle, they can just as ea...
My script works with all other links I tried, and I get the same response with cURL also (and this is a lot smaller, so I like this code):
<?php
$url = $_GET['url'];
$header = get_headers($url,1);
print_r($header);
function get_url($u,$h){
if(preg_match('/200/',$h[0])){
echo file_get_contents($u);
...
I just started in Adobe AIR HTML/JS.
In the current application I want to do something like this.
I want to open the URLs/web pages in the application, and the application should act like a web browser to them.
But with that I want to modify the opened pages a little, like adding some CSS/JS to them.
Something like when you open Web pages ...
I have an https page (https://example.com/main.php) that has an iframe with a non-https source (http://example.com/inner.php). Both files are on the same server - just one is accessed with https and the other is not. I need the non-https page to be able to execute javascript on the https main.php page using code such as parent.myfunction...
Hi Guys
TL;DR: Can I switch off XSS protection in Internet Explorer in a controlled environment so I can manipulate the DOM inside IFRAMES?
I am creating a kiosk for our public computers in our reception area which allows our users to browse our website as well as a few other local government related sites (ones that help with plan...
I have a script that is rendered to an html page as a part of a tracking solution (etracker).
It is something like this:
<script>
var et_cart= 'nice shoes,10.0,100045;nice jacket,20.00,29887';
</script>
This will be transmitted to the server of the tracking solution by some javascript that I don't control. It will end up as 2 items. ...
Hey,
So, preventing a website from XSS attacks is very simple: you just need to use the htmlspecialchars function and you are good.
But if the developer forgot to use it, what can an attacker/hacker do? He can get your session_id, right? And here is a question: what can he do with that?
Thank you very much.
...
We're trying to harden a WCF service that we use with an XBAP application and have some questions that we haven't been able to answer yet.
To give some background:
The communication between the application and service is over HTTPS. The user is authenticated using username/password. The data being sent/received is compressed (gzip) bi...
Anyone familiar with AntiSamy? I'm using the antisamy-myspace-1.4.1.xml
And would like to allow SPAN tags to have a NAME attribute. Any ideas on how to add this to the XML?
...
Everything works perfectly in Firefox and Chrome, except in IE8 (8.0.6001.18702).
This is the test code (jQuery 1.4.2) (same problem with $.post):
$(function() {
$.get("http://domain2.tld/some.php", {}, function(response) {
alert(response);
});
});
This code is executed in domain1.tld and it is loaded from domain2.tld, t...
I am calling on the collective mind of the stackoverflow community to help this novice programmer fix a major issue.
I have a multipart form written in Classic ASP that is based on the code below. I use stored procedures and parameters to write to the sql DB, I use Server.HTMLEncode before it is submitted also. I have javascript based v...
I use ASP.NET + MVC 1.0, and in a webpage I have several forms; within each form I have called the following function,
AntiForgeryToken(), to generate a hidden value, and in the Controller function I have a validate attribute.
When I use JMeter and capture the token using regular expression then post the token with my form to server, I found ...
How to fix a cross-scripting issue calling FB.init using Facebook Connect (old JS SDK)?
More specifically: if xd_receiver.htm is not specified, after calling FB.Connect.requireSession(facebook_login_callback) the Facebook login pops up correctly but the browser console throws "Unsafe JavaScript attempt to access frame with URL...Domains,...
I'm looking for class/util etc. to sanitize HTML code i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks.
I get HTML code from a rich text editor (e.g. TinyMCE), but it can be sent a malicious way around, omitting TinyMCE validation ("Data submitted from off-site").
Is there anything as simple to use as Input...
Hello, I'm using AntiSamy with the available antisamy-1.4.1.xml policy. The policy is working nicely to block most XSS attacks, but the following below is not being blocked. Any suggestions on how to block the following below to prevent XSS attacks?
1234%27%2Balert%2873918%29%2B%27
Thanks
...
How do you avoid cross-site script attacks?
Cross-site script attacks (or cross-site scripting) are when you, for example, have a guestbook on your homepage and a client posts some JavaScript code which, e.g., redirects you to another website or sends your cookies in an email to a malicious user, or it could be a lot of other stuff which can prov...