xss

HTMLPurifier Breaking Images

I'm trying to run HTMLPurifier on user input from a WYSIWYG (CK Editor) and the images are breaking. Unfiltered Input: <img alt="laugh" src="/lib/ckeditor/plugins/smiley/images/teeth_smile.gif" title="laugh"> After running through purifier with default settings: <img alt="&quot;laugh&quot;" src="%5C" title="&quot;laugh&quot;"> I h...

Codeigniter global_xss_filtering

In my codeigniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a ckeditor which generates the frontend content. Everything that is typed and placed inside the editor works fine, images are displayed nice, html is working. All except flash. Whenever I switch to html mode and paste a youtube code piece...

Is there any need to use Html.Encode for an internal site?

I'm having some problems with Html.Encode and users wanting to use special characters. Firstly the characters are replaced by the html codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted. Given that this is an intranet site and the...

window.returnValue not working between two applications

I'm opening a web page from Site B, using showModalDialogue (javascript) from Site A. I want to return a value using window.returnValue from Site B page to Site A page. But I'm not able to return a value between these two applications (both in the same IIS server). How can I pass a value in this scenario? ...

How can XSS be avoided in HTML downloads?

We have an internal web application that acts as a repository to which users can upload files. These files can be any format, including HTML pages. We have tested that in IE8, if you download an HTML file that contains some script that tries to access your cookies and, after downloading, you choose the "Open" option, the script execute...

lxml cleaner with a custom tag?

I want to use lxml cleaner to get rid of all html, but then a regex to autolink something: [ABC] -> <a href="bah bah bah">ABC</a> What is the right way to handle this without xss and such? ...

Preventing XSS attack when using Javascript's CreateElement

My company has partners that embed a few of our web pages into their site by way of a dynamically generated iframe. The source URL for the iframe comes from the query string on the partner's site so I want to make sure there is no risk of a cross site scripting attack since we are using untrusted input as the iframe's source. The sou...

Is there a simple way in C#/ASP.NET to validate that user input is a URL to guard against XSS attacks?

We've got an interstitial page that warns people when they're leaving our site. The trouble is it takes querystring parameters and blindly generates a page, thus it's vulnerable to XSS attacks. I've been tasked with fixing it and I want to do it right. ...

How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

I recently noticed that I had a big hole in my application because I had done something like: <input type="text" value="<%= value%>" /> I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly? ...

Cross site scripting on the same domain, different sub domains

I have an iframe I'm using to pull in some content hosted by a 3rd party vendor to our website. We are trying to determine the height of that content to adjust the iframe height but I'm getting cross site scripting errors. I wasn't aware that sub-domains count as a cross-site. Is there some way around this without having to keep them on ...

cross site scripting using script tag, change src of a script tag, can we use id for script tag

<body> <!-- some html code --> <script src='some.js'></script> <!-- some html code --> </body> The script some.js loads a form. When I press update in that form I do not submit the form; instead I form a query string and want to send it as some.js?key=value. Now I need to change the src of the script tag. If we change the src will I...

Remove all html in python?

Is there a way to remove/escape html tags using lxml.html and not beautifulsoup which has some xss issues? I tried using cleaner, but I want to remove all html. ...

Is there a definitive anti-XSS library for PHP?

I already know how XSS works, but finding out all the many different ways to inject malicious input is not an option. I saw a couple libraries out there, but most of them are very incomplete, inefficient, or GPL licensed (when will you guys learn that GPL is not good to share little libraries! Use MIT) ...

How to escape the Location: header value properly?

In my webapp I'm using HTTP Location: headers for redirect (e.g. POST/redirect/GET). But the target locations have to be dynamic (e.g. login.php?dest=pagexy.php). We all know that any user-modifiable input has to be properly escaped to prevent XSS, so header('Location: '.$_REQUEST['dest']); looks wrong. Simple urlencode-ing can only ...

What is the easiest way (framework/library/call) to prevent Cross Site Scripting using Google App Engine (GAE)?

I'd like to store then later display user-entered content securely with minimal effort (my goal is a web app not writing a bunch of security-related code). EDIT: Google App Engine for Java ...

How do I protect against HTML injection in a URL form field with PHP?

For example if I am collecting a [URL value] in a form, saving that [URL value] in a database, and then using it in a page like this: <a href="[URL value]" > The Link </a> How do I protect against this [URL value]: http://www.somelink.com"> Evil text or can be empty </a> ALL THE EVIL HTML I WANT <a href=" How can I protect agai...

I am having trouble understanding XSS

I understand that XSS is when you can get a site to run arbitrary JavaScript by appending it to a URL or embedding it in the page somehow. I understand this is bad because it can allow people to steal cookies and such. What I don't understand is how that is possible. All my reading about it just shows people using alert() to display th...

Reading cookies from other Domains

I have heard of people being able to access other sites' cookies using XSS. Is this a legitimate option and how do you achieve this? ...