xss

The way to check the javascript injections

Is it enough to avoid JavaScript injection by validating input data in such a way: xssValidate = function(value) { var container = $("<u></u>").text(value); if($(container).html() != value) return mc.ERROR_INVALID_FORMAT; } I've managed to validate all the text fields and textareas values with the code above before submitting them to s...

Disabling TRACE request method on Apache/2.0.52

By default, Apache 2.0.52 will respond to any HTTP TRACE request that it receives. This is a potential security problem because it can allow certain types of XSS attacks. For details, see http://www.apacheweek.com/issues/03-01-24#news I am trying to disable TRACE requests by following the instructions shown in the page linked to above. ...

SQL injection - no danger on stored procedure call (on iSeries)?

I've done some searching around but I have a specific question on SQL Injection and hope I can get some input as I believe I may be getting the wrong end of the stick to do with field data sanitising etc :- I have a java program calling a stored procedure on an iSeries. The stored procedure has CL / RPG code behind the scenes. The store...

Using a `<textarea>` to protect against scripts

Hmm. Instead of "defanging" input or using some kind of regex to remove tags, how safe is it to dump user stuff into a <textarea>? For example, say there's a PHP page that does the following: echo '<textarea>'; echo $_GET['whuh_you_say'] ; echo '</textarea>'; Normally this is vulnerable to xss attacks, but in the textarea, all scrip...

How to allow Tomcat site permit cross site url

Hi, we would like to allow a URL ref from a site running under Tomcat which accesses another server running IIS (all internal/intranet). Could someone explain how we might permit this so the user does not get a warning in the browser (IE) and access is permitted. NB I don't know anything about Tomcat but need to pass the instructions f...

The sure way to protect against XSS?

I've looked through the questions and I haven't seen anyone ask this yet. What is the for sure method to remove any sort of XSS attempts in some user submitted content? I know that < and > should be converted to &lt; and &gt; respectively but I've heard mention that encoding differences can get around this too. Supposing a whitelist, ...

How can I read the page title of the parent page from an iframe?

I have a page that calls another page (on another server) and I want that page to read the title from the parent page. Is this possible or is there some security issue with this? ...

Is The Whitelist Configurable In The MS Anti_XSS Library 3.0?

I've just downloaded and taken a look at the new MS Anti_XSS 3.0 release. I've read through the help file, but I've found no mention of how to modify the whitelist it uses. Can items be added? Can items be removed? ...

Java Best Practices to Prevent Cross Site Scripting

I have gone through the OWASP top ten vulnerabilities and found that Cross-Site Scripting is the one we have to take note of. There were a few recommended solutions. One has stated: Do not use "blacklist" validation to detect XSS in input or to encode output. Searching for and replacing just a few characters ("<" ">" and other similar c...

HTML Purifier - what to purify?

I am using HTML Purifier to protect my application from XSS attacks. Currently I am purifying content from WYSIWYG editors because that is the only place where users are allowed to use XHTML markup. My question is, should I use HTML Purifier also on username and password in a login authentication system (or on input fields of sign up pa...

Why does my JavaScript / jQuery interaction with a child window raise a "permission denied" error?

I have some code that I would swear was working a month ago. However, now the code throws a "permission denied to get property Window.jQuery" error. I can see this error in the Firefox error console. The code in question belongs to a window that was opened via JavaScript. This code attempts to update the contents of a DIV in the opening ...

JavaScript - Cross Site Scripting and Parent Window

Whew... I have asked several questions today until I have just now figured out what the problem actually is. The problem is related to cross-site scripting. Here is my scenario. I have a web application that launches a dialog window using window.open function in JavaScript. This window redirects the user to the Twitter OAuth login page....

JavaScript - Cross Site Scripting - Permission Denied

Hello, I have a web application for which I am trying to use Twitter's OAuth functionality. This application has a link that prompts a user for their Twitter credentials. When a user clicks this link, a new window is opened via JavaScript. This window serves as a dialog. This is accomplished like such: MainPage: <div id="promptDiv"><a...

JavaScript - window.location - Permission Denied - Cross Site Scripting

Hello, This question is a more specific description of the problem I asked on this thread. Basically, I have a web application for which I am trying to use Twitter's OAuth functionality. This application has a link that prompts a user for their Twitter credentials. When a user clicks this link, a new window is opened via JavaScript. T...

JSONP callback doesn't execute when running at localhost

This is bizarre, I was wondering if anyone could shed some light on why this happened. Basically, I've been pulling my hair out trying to test JSONP out so I can implement a JSON web service that other sites can use. I'm doing development on localhost--specifically, Visual Studio 2008 and Visual Studio 2008's built-in web server. So as...

.NET HTML whitelisting (anti-xss/Cross Site Scripting)

Hello, I've got the common situation where I've got user input that uses a subset of HTML (input with tinyMCE). I need to have some server-side protection against XSS attacks and am looking for a well-tested tool that people are using to do this. On the PHP side I'm seeing lots of libraries like HTMLPurifier that do the job, but I can'...

Is Markdown (with strip_tags) sufficient to stop XSS attacks?

I'm working on a web application that allows users to type short descriptions of items in a catalog. I'm allowing Markdown in my textareas so users can do some HTML formatting. My text sanitization function strips all tags from any inputted text before inserting it in the database: public function sanitizeText($string, $allowedTags = "...

How Does Google Global Login Work?

Whenever I login to one Google service, I am automatically logged in all their other websites on different domains. What I want to know is how they are able to access the disparate cookies and sessions that belong on another domain. I tried searching online but I couldn't find any information. I could probably pull out firebug and tr...

Cross site scripting(XSS)

I am loading content from another page and, depending on the content of that page, changing the content of my page, and this is giving me cross-site scripting issues. When I use an iframe, since the content is from another domain, the content of the iframe becomes inaccessible. When I use AJAX and try to inject the content as plain HTML code, XmlHttpRequest o...

Any WYSIWYG Editor with XSS attack prevention?

We've been using a WYSIWYG editor for longer than I can remember. Easily pasting JavaScript into this kind of editor makes it a sitting duck for XSS attacks. Anyone know any WYSIWYG editor that integrates XSS prevention? Solutions and suggestions are welcome. ...