xss

Is there a javascript library which can be used to filter out strings for XSS attacks?

Is there a Javascript equivalent of libraries like HTMLPurifier, which remove XSS code from strings? ...

Python library for XSS filtering?

Is there a good, actively maintained python library available for filtering malicious input such as XSS? ...

Is String.stripTags() enough to mitigate XSS attacks?

I am creating this UTF-8 encoded HTML page where the user can provide input. I wanted to make this XSS proof. I came across this free Javascript framework called Prototype which provides some useful functions. One particular function stripTags essentially strips all tags from the input string. Would the following input processing prevent...

Is the Microsoft AntiXSS library useful and do I need it if I'm using server controls?

I've downloaded and looked at the Microsoft AntiXSS library, but I'm not 100% sure I need to use it for server controls (asp:textbox, etc). Everything is fine when I use it with a standard html control (input, etc). It looks like the output is encoded twice when I use the antixss lib on the server controls. I'm currently only using the...

How exactly is the same-domain policy enforced?

Let's say I have a domain js.mydomain.com and it points to some IP address, and some other domain requests.mydomain.com which points to a different IP address. Can a .js file downloaded from js.mydomain.com make AJAX requests to requests.mydomain.com? How exactly do modern browsers enforce the same-domain policy? Thanks! ...

Executing javascript from within an iframe

I have: A web server (server 1) An application server running some beast of a legacy web app (server 2) An iframe on server 1 pulling in the application from server 2 My problem is: The legacy app uses JS validation on its forms. When a user attempts to submit an incomplete form, an alert pops up to notify the user that they are a d...

Anyone know of a free XSS penetration testing tool?

I am looking for... A spider/automated Will find all input fields and queryStrings, then insert potential XSS discoveries Reports any XSS vulnerabilities found ...

Where is the best place to sanitize user input that will be output on a webpage?

In the MVC way of doing things, where is the best place to run, for example htmlspecialchars() on any input? Should it happen in the view (it sort of makes sense to do it here, as I should be dealing with the raw input throughout the controller and model?) I'm not quite sure... What are benefits of doing it in the view or controller? Th...

Is there a good library in CPAN for filtering out cross-site scripting (XSS)?

Is there a good library in CPAN for filtering a textfield for all the bad things, like XSS? ...

Should I use the Anti-XSS Security Runtime Engine in ASP.NET MVC?

I have been reading up on Anti-XSS Security Runtime Engine and it looks like a nice solution for web forms because it inspects controls via reflection and automatically encodes data where appropriate. However as I don't really use server side controls in ASP.NET MVC, it does not seem to be a viable solution for ASP.NET MVC. Is this corre...

How do I attach a stream filter to echo?

Is there a way to attach a stream filter to echo so that any data that is echoed goes through the stream filter? My idea is to write an output escaping filter to protect against XSS. I found this bug report http://bugs.php.net/bug.php?id=30583 but it is from 2004 and I didn't know if this is now possible or not. class strtoupper_filter...

When trying to integrate one website with another what is the way to go? Iframe or pulling content?

Hi, my company has multiple vendors that all have their own websites. I am creating a website that acts as a dashboard where customers can access all of the vendors' sites. I wanted to know what is the best option for doing this? Here's what I have so far: Iframe Can bring in the entire website Seems secure enough (not sure if I'm ...

Reading a File with Ruby

I have a text file that contains a list of regexp's which I regularly use to clean html files according: list.txt <p[^>]*>|<p> <\/?(font|span)[^>]*>| <\/u>\s*<u>| <\/u>\s*<i>\s*<u>|<i> if each line consisted of the form "#{a}|#{b}", what would be the simplest way to both read and convert this file into the array: [ [ /<p[^>]*>/, '...

Preventing XSS exploits using the type system as Joel suggested?

In Podcast 58 (about 20 minutes in), Jeff complains about the problems of HTML.Encode() and Joel talks about using the type system to have ordinary strings and HTMLStrings: A brief political rant about the evil of view engines that fail to HTML encode by default. The problem with this design choice is that it is not “safe by...

Firefox 3: Enable AJAX to localhost from outside domain

Hello, I am running a HTTP server on my development machine. I have a website, on some web server on the Internet. How can I get Firefox to allow communication from this website to localhost temporarily while I develop? Thanks, Isaac Waller ...

Overwriting the Array constructor does not affect [], right?

I just read this: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx I was under the impression that overwriting Object or Array only had an effect if you chose to use the constructor functions when creating arrays/objects, but, according to that article, it also has an effect on literal creation ({} and [...

What version of MS Anti-XSS are you using?

I see there is version 1.5 and 3.0 beta, but I can't seem to find a version 2. Is this just wacky MS versioning? Are you using 3.0? Would you recommend it, or should I stick with 1.5? ...

XSS Attacks Prevention

I've found a "database" of many XSS attacks, and while this list provides quite a big list of attacks, are there any other attacks that didn't fall in the XML? What should I look out for, and what is most unexpected? ...

Cross site scripting?

Hi, I am trying to grab a div from another website using JS. I have an iframe that loads a page from an external site, and I want to grab a div that contains a list so I can style it myself and put it on my site. Any ideas would be greatly appreciated. Thanks. ...

PHP - Get page from external server.

I want to pass a function a string, which takes that string and tacks it onto a URL, then goes to that URL and returns the page to my server so I can manipulate it with JS. Any ideas would be much appreciated. Cheers. ...