xss

Cleaning all inline events from HTML tags

For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I...

Default escaping in Freemarker

In Freemarker templates we can use the escape directive to automatically apply an escaping to all interpolations inside the included block: <#escape x as x?html> <#-- name is escaped as html --> Hallo, ${name} </#escape> Is there a way to programmatically achieve a similar effect, defining a default escape applied to all interpola...

Ruby on Rails and XSS prevention.

What are the practices to prevent XSS in Ruby on Rails? I found many old docs on the web and most of the time it was all about using h/html_escape helper to escape any variable that comes from users. I understood from newer docs that in version 2.0 and above there is a sanitize method that is automatically cleaning the input from su...

Using FCKEditor across domains

I have a site where I'm moving all its components over to a cookieless domain. i.e. my site is example.org.uk and the cookieless domain is examplestatic.me.uk. I am using FCKEditor as a part of this site, but it doesn't load properly when I set the source to examplestatic.me.uk/fckeditor/fckeditor.js. How can I get FCKEditor to work on...

Any clever workaround to avoid having to type the h method everywhere?

It seems ridiculous (and a violation of DRY) to have to type the h method all over the place in your view code to make it safe. Has anyone come up with a clever workaround for this? ...

how to manage security with user added external css (like myspace)

I've got a page which it has been requested I allow some user customization via CSS. I'm happy to do this, but am trying to figure out how to make it secure. There aren't many stylesheets that will be applied to the page, but I had originally thought that if I just checked that the page was a css extension that I would be safe. Howe...

What precautions should I take to prevent XSS on user submitted HTML?

I'm planning on making a web app that will allow users to post entire web pages on my website. I'm thinking of using HTML Purifier but I'm not sure because HTML Purifier edits the HTML and it's important that the HTML is maintained just how it was posted. So I was thinking making some regex to get rid of all script tags and all the javas...

Generating AntiForgeryToken in WebForms

I have a .NET Webforms site that needs to post to my MVC Application which currently sits inside the Webform site as a separate application. The Webform application needs to POST some sensitive values to the MVC Application. Is there a way to generate an AntiForgeryToken() in my WebForms Application so it can be passed with the form po...

XSS filtering function in PHP

Hi, Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_input seems to require prior knowledge of the contents of the input and I'm concerned that using something like HTML Purifier will have a big performance impact. What about something like : http://snipplr.com/view/1848/php--sacar-xss/ ...

What makes a good test string for testing web forms for unicode compatibility?

What test text do you try and type into your web forms to check that they handle all the edge cases properly (esp unicode and xss style problems). I am particularly interested in good unicode strings that maybe do something odd if they are mis-encoded when they are displayed again. Text that contains potentially problematic characters...

Prevent Javascript in URL attacks (asp.net)

I've seen plenty of Cross-Site Scripting attack prevention suggestions, but I'm not asking about Form Input validation. How would I prevent something like this: javascript:(function(i,j){with(document){for(i=0;i<forms.length;++i){with(forms[i]){for(j=0;j<elements.length;++j){elements[j].disabled=false}}}}})() from being inserted into ...

Of HttpOnly and document.cookie

Searching for possible ways to get a cookie with httpOnly enabled, I cannot find any. But then again, how can browser add-ons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same? So my question is, is it really, really impossible to get the cookie of httpOnly enabled requests, using javascript? P.S.: Yes I'...
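Whatever a browser extension can do with its own privileges, page script cannot read a cookie that carries the HttpOnly flag; the flag only helps if the server actually sets it on the cookies that matter. The following is an added example, not code from the question above: a small audit over Set-Cookie header values (the sample headers and the list of cookie names treated as sensitive are constructed for the demo) that reports session cookies missing HttpOnly, Secure or SameSite.

```python
# Assumption for the demo: these cookie names carry session or auth state.
SENSITIVE_COOKIES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "session")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    Attribute names are lowercased; bare flags such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(headers, sensitive=SENSITIVE_COOKIES):
    """Return [(cookie_name, [missing attributes])] for every sensitive cookie
    that is set without HttpOnly, Secure or SameSite."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        missing = [flag for flag in ("httponly", "secure", "samesite")
                   if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers, not captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=8C3A1F; Path=/; Secure; HttpOnly; SameSite=Lax",
    "PHPSESSID=abc123; path=/",
    "theme=dark; Path=/; Max-Age=31536000",
    "session=eyJhbGci; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

The non-sensitive `theme` cookie is deliberately not reported; flagging every cookie would bury the two that matter.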

How to build an interactive Ajax Web Widget?

Hi, I am looking to create a web widget that can be easily integrated into any website using javascript and posts a form to my server, returns the data and displays the results appropriately. This will all happen in a small area of the host website's screen, like google adsense. I am aware that this is XSS and also the cross domain issu...

Prevent XSS attempts on a Tomcat/Struts 1 web application (without source code)

A 3rd party web application has a cross-scripting security issue. There is one page with three fields which are not sanitized. The vendor will not provide a timely fix and I need to. The application is running in Tomcat and uses Struts 1. The action for the bad page looks like this: <action path="/badpage" type="com.badvendor.Ba...

Is my anti XSS method OK for allowing user HTML in PHP?

I am working on finding a good way to make user submitted data, in this case allow HTML and have it be as safe and fast as I can. I know EVERY SINGLE PERSON on this site seems to think http://htmlpurifier.org is the answer here. I do agree partially. htmlpurifier has the best open source code out there for filtering user submitted H...
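The questions above about neutralizing inline event handlers, stripping script tags from posted pages, blocking javascript: URLs, and allowing user HTML in PHP all come down to the same control: parse the HTML, rebuild it from an allowlist of tags and attributes, drop every on* attribute, and keep href/src only when the scheme is http, https, mailto or relative. Encoding individual characters or regex-stripping tags works on the text, not on what the browser will parse, and misses variants such as entity-encoded or whitespace-split schemes. The following is an added example, not code from any of the questions or from HTML Purifier, written with Python's standard-library html.parser; the allowlist and the sample inputs are assumptions made for the demo.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for the demo (assumption): tag -> attributes it may keep.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}               # contents discarded entirely


def url_is_safe(value):
    """True only for relative, http(s) or mailto URLs.

    Whitespace and control characters are removed before the scheme is read,
    so "java\tscript:" or "java\nscript:" do not slip past the check.
    """
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(compact).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from the parsed token stream.

    Unknown tags are dropped but their text is kept; <script>/<style> bodies
    are dropped entirely; on* attributes and unsafe URLs are dropped; text and
    attribute values are re-escaped on output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded before checks
        self.out = []
        self.open_tags = []
        self.skip_depth = 0                        # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:                  # html.parser lowercases names
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while True:                                # also closes mis-nested children
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions hit the base-class no-op
    # handlers and are therefore dropped from the output.


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    for t in reversed(parser.open_tags):           # close anything left open
        parser.out.append(f"</{t}>")
    return "".join(parser.out)


# Constructed inputs of the kind the questions describe.
SAMPLES = [
    '<a href="javascript:alert(1)" onclick="steal()">hi</a>',
    '<img src=x onerror=alert(1)>',
    '<p>a <script>alert(1)</script>b</p>',
    '<a href="JAVA&#x09;SCRIPT:alert(1)">x</a>',
    '<div onmouseover="x()">text</div><b>unclosed',
    '<a href="https://example.org/?q=1&amp;r=2">ok</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", sanitize(sample))
```

Because the output is regenerated from the token stream rather than edited in place, the result is always well-formed and every value passes through `escape` once; the cost is that formatting the parser does not preserve (attribute order, self-closing syntax, comments) is normalized, which is the trade-off the HTML Purifier question is worried about.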

Cross-protocol XSS with non-standard service ports

Hey guys, I just read this post about really nasty (and cool at the same time) ways to perform XSS. However, there is still something unclear to me. I understand the full concept of the attack, however, I don't see how this can potentially be exploited. The "action" attribute inside the form must point to an ftp server (or any other serve...

Sanitize Markdown in Rails?

Users can edit "articles" in my application. Each article is mastered in the DB and sent to the client as Markdown -- I convert it to HTML client side with Javascript. I'm doing this so that when the user wants to edit the article he can edit and POST the Markdown right back to the server (since it's already on the page). My question i...

Microsoft Anti-Cross Site Scripting Library

I'm evaluating the Microsoft Anti-Cross Site Scripting Library (AntiXSS V3) I have to say it seems to me that apart from providing a more comprehensive white list of acceptable characters, it's not really bringing anything to the party that a diligent programmer who encoded all his user/agent modifiable output wouldn't be doing anyway. ...
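What a per-context encoder library brings beyond "encode all output" is that the rules differ by where the value lands: HTML text, a quoted attribute, a JavaScript string literal, or a URL parameter. The following is an added example, not AntiXSS code or anything from the question above, showing the four contexts with Python's standard library; `render_profile` and the sample name are constructed for the demo.

```python
import html
import json
from urllib.parse import quote


def encode_html_text(s):
    """Text between tags: < > & become entities."""
    return html.escape(s, quote=False)


def encode_html_attr(s):
    """Double-quoted attribute value: additionally encodes " and ' so the
    value cannot close the attribute and start a new one such as onmouseover."""
    return html.escape(s, quote=True)


def encode_js_string(s):
    """Value embedded in a <script> block as a JS string literal.

    json.dumps handles quotes, backslashes and control characters but leaves
    < > & untouched, so a value containing </script> would still terminate the
    script element. Those three are emitted as \\uXXXX escapes, which the JS
    engine decodes inside a string literal but the HTML parser never sees.
    """
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_url_param(s):
    """Query-string value: percent-encode everything except unreserved chars."""
    return quote(s, safe="")


def render_profile(name):
    """Hypothetical template (constructed for the demo) that places one
    untrusted value into four contexts, each with the encoder for that context.
    The URL parameter sits inside an attribute, so it is URL-encoded first and
    then attribute-encoded (the second pass is a no-op for percent-encoded
    output but keeps the layering honest)."""
    return (
        f"<p>Hello, {encode_html_text(name)}</p>\n"
        f'<a href="/u?name={encode_html_attr(encode_url_param(name))}" '
        f'title="{encode_html_attr(name)}">profile</a>\n'
        f"<script>var who = {encode_js_string(name)};</script>"
    )


if __name__ == "__main__":
    print(render_profile('Bob "the" <Builder> </script><script>alert(1)</script>'))
```

Using only `encode_html_text` everywhere would leave the `</script>` case open in the JavaScript context and the `"` case open in the attribute context, which is the gap the per-context encoders close.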

What is the difference between request by form submit and request by ajax?

I understand the basic ideas of XSS and same-origin-policy, so if your knee jerk reaction is to school me on the basics, you can jump ahead at least a half step... If javascript is client-side, at what point is an http request submitted via XMLHttpRequest distinguished from a user submitting a request via a form submit button? Here's m...

Texts/codes to test for XSS attacks in my software/website

Hello, Firstly, I do not have any malicious intent out of this question. I would like to know what text to copy paste and test in my text areas and text boxes to see if they are stripped correctly. Currently I use something as limited as: <script> alert('xss'); </script> <a href="www.test.com" onclick="javascript:alert('xss');">test</...