I need to create a portable script to give to others to implement on their websites that will dynamically show content from my database (MySQL).
I know AJAX has a cross-site problem, but it seems that Google's ad's somehow manage the effect in a cross-browser / cross-site fashion.
Knowing that I have to give people a simple cut/paste s...
I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from MS on the net and I was wondering if this would work with a classic application?
If not, do you have any ideas how I could go about sanitizing the strings?
Any help at all would be brilliant.
Thanks
...
I've always been interested in writing web software like forums or blogs, things which take a limited markup to rewrite into HTML. But lately, I've noticed more and more that for PHP, try googling "PHP BBCode parser -PEAR" and test a few out, you either get an inefficient mess, or you get poor code with XSS holes here and there.
Taking...
I'd like to be able to allow community members to supply their own javascript code for others to use, because the users' imaginations are collectively far greater than anything I could think of.
But this raises the inherent question of security, particularly when the purpose is to allow external code to run.
So, can I just ban eval() f...
Kohana and Codeigniter both have encode_php_tags(). I understand XSS cleaning (for Javascript), but when and why would you use encode_php_tags()? What is the security threat?
...
Can anyone who's following the specification more closely and has experience with how these things usually work estimate when Cross-Site XMLHttpRequest will become a Recommendation and start getting supported by the browsers?
...
Sometimes, the server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET, then it looks like:
<script>
var username = "<%UserName%>";
</script>
This is not safe, because a user can have his/her name to be
</script><script>alert('bug')</script></script>
It is...
I'm looking at encoding strings to prevent XSS attacks. Right now we want to use a whitelist approach, where any characters outside of that whitelist will get encoded.
Right now, we're taking things like '(' and outputting '(' instead. As far as we can tell, this will prevent most XSS.
The problem is that we've got a lot of internat...
Is there any way that allows AJAX between two of my own domains without proxy hacking, JSONP, Flash or browser security changes? Maybe SSL or something?
...
Even famous sites like Twitter are suffering from XSS vulnerability, what should we do to prevent this kind of attack?
...
Hello,
We need to add anti-XSS support in our Struts application. More specifically, the architect requires that all user input must be "sanitized" before storing in the DB. As I don't want to reinvent the square wheel, which Java library can I use for this? And where to put it? Ideally it should be configurable (which input fields to che...
I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.
I found HTML::StripScripts but it hasn't updated in close to two years, and I'm not up to date with all the new exploits.
Is it safe?
What other markup languages (in Perl) would you use?
...
The current trend in web applications seems to be towards using GET requests for everything. Specifically, using RESTful URLs that describe a service, a command, and its parameters. A few months ago, Jeff Atwood posted about the dangers of XSS. He demonstrated how even allowing users to post on your site something as seemingly innocuous ...
I understand that cross site scripting (XSS) is not good and is not supported in most browsers. However, I am building a page to be used only by about 3 or 4 people within my company. On this page I have a frame from another domain and I need the parent page to be able to access the values within that frame.
So my question is, is ther...
I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this?
Also, I'm using ASP.NET if that helps.
...
Is htmlspecialchars($user_data) in PHP or h(user_data) in Ruby on Rails good enough for defending against all cases of XSS (Cross-site scripting) attacks? What about the encoding used or any other possible considerations?
...
I've run into a few problems using a C# regex to implement a whitelist of allowed characters on web inputs. I am trying to avoid SQL injection and XSS attacks. I've read that whitelists of the allowable characters are the way to go.
The inputs are people names and company names.
Some of the problems are:
Company names that have amper...
I've been using Microsoft's AntiXss Library and was wondering if there is a good reason why its JavaScriptEncode method wraps the result in single quotes? That behavior seems unconventional.
...
I am creating a webpage where the user can interact and perform basic filesystem operations (create file/dir, delete file/dir, navigate filesystem) on a remote computer.
The webpage is basic HTML (UTF-8 encoding) and JavaScript. I need to make this webpage XSS proof.
Would escaping all non-alphanumeric chars in user input (to protect again...
I'm doing an XSS report for my university, and I'm doing some tests with calling external webpages using AJAX.
The code I'm using for this example is very simple, and one of my target case-studies is to be able to call an outside web-page via AJAX with cross site disabled.
Note:
I only plan to use this on Firefox, and I am not concern...