xss

Do I need to escape characters when sending emails?

I'm using Django Contact Form on a website to allow visitors to send emails. Currently, it's escaping characters, so single and double quotation marks are converted to ' and " respectively. The emails would be more readable if quotation marks were displayed as ' and ". I understand why I should never put unescaped input from ...

How to handle XSS on NVelocity

Castle Project is full of features, includes some awesome subprojects, and developing with it has been a pleasure. My team is almost ready to deliver a custom made EAM and we are polishing our system. We tried some basic XSS attacks and guess: They all worked. Even though it will be running in a Intranet environment, we wouldn't like u...

Is checking the referrer enough to protect against a CSRF attack?

Is checking the referrer enough to protect against a cross site request forgery attack? I know the referrer can be spoofed, but is there any way for the attacker to do that FOR the client? I know tokens are the norm, but would this work? ...

Avoiding XSS vulnerabilities - whitelist?

What are the best practices to prevent XSS vulnerabilities? A lot of people on here have mentioned whitelists which sounds like a good idea, but I see many people define the whitelist using a RegEx. This seems inherently flawed because it depends on many factors, the least of which is the RegEx implementation and the skill of the perso...

how can I deactivate cross-site scripting defense on my own browser?

I want to load a page from a domain inside an iframe in another domain's page, and then access its content with JS. of course, this would be XSS so I'd get the "Permission denied to get property HTMLDocument..." error. The thing is, I want to do this on my own browser, not in a public access site (i.e. I don't need it to protect me from ...

XSS attack in a window.open popup

We faced an XSS attack in an iframe which we ship to our customers. Owing to senstivity of iframes we decided to go for Window.open method. Below is a sample attached JS which sits in customer's space. Can anyone enlighten on how it is vulnerable to XSS <p> <script type="text/javascript"> function invokeVidteqPopup() { window.open('htt...

character encoding problem - cross-domain scripting

Hello, I have an Asp.Net web app which users include a script tag in their web page, and get data from my server (using JsonP & a Generic handler (ashx)) The data is in hebrew, and I set the charset to utf-8 in the response. When the client web site (which displays the data) uses "windows-1255" I don't see the text properly. The sc...

Are Flex/Flash Based applications susceptible to XSS attacks? what are the various ways in which such attacks can happen?

Are Flex/Flash based applications susceptible to XSS attacks,what are the different ways in which the attack can happen and how to prevent/detect such attacks. ...

ASP.Net Debugging, proxy path to seperate domain?

Right now I have a rather annoying framework that requires a set of php/asp pages and a CGI executable to run. This thing is annoying enough to set up (licensing server, persistent processes, IIS configuration hell, etc) that it isn't practical to setup a local IIS server. I am wondering if there is an easy way to proxy all requests of...

Allow Javascript - protect against XSS? (unique scenario)

I'm in the process of building an application (a CMS to be more specific) which allows users to add Javascript to their content. There really is no way around allowing Javascript, and because of it, some security concerns are now becoming quite apparent. What we're mainly concerned about is cookie theft. To explain the system a bit more...

overriding GetSecurityId in IInternetSecurityManager

I have built an executable which launches a dialog box in which is embedded the IE web browser active-x control (C++). I want this control to allow cross site scripting. One frame on the web page loads local html, the other loads from a server. I then want the server page to call a javascript function that lives in the local html file...

IE8 XSS Filter Question

The IE8 cross site scripting filter seems to be causing some intermittent issues with our app. To be honest, I have not yet isolated it, and it may very well be some sort of IE8 add-on, or, some security software, but there seems to be at least some relationship to the new xss filter in IE8. I have done some preliminary research, and th...

Ajax Control Toolkit Editor Control - avoiding XSS attacks

I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In m...

Executing Javascript in iFrame from Parent

Hello, Just a heads up I am a semi noob at JavaScript. So for the past two days I have been googleing and for the life of me I cannot figure out how to execute a function in an iframe from the parent page. The page in the iframe is on a different domain and the code to be executed is usually executed via a link, but I want it to be exec...

Regex to detect Javascript In a string

Hello I am trying to detect JavaScript in my querystrings value. I have the following c# code private bool checkForXSS(string value) { Regex regex = new Regex(@"/((\%3C)|<)[^\n]+((\%3E)|>)/I"); if (regex.Match(value).Success) return true; return false; } This works for detecting <script></sc...

Regex to remove onclick="" attributes from HTML elements in ASP.NET C# (Server-side)

I'm trying to write a regex function to remove onclick (also onload, onmouseover etc.) attributes from HTML elements. I want to do this on the server side before the HTML is sent to the client. I have content coming from a Rich Text editor and being displayed on screen in a div, and I want to protect against XSS (Cross Site Scripting). ...

How does Google Friend Connect accomplish cross domain communication without needing to upload a file to the client domain?

Previously, Google's Friend Connect required users to upload a couple of files to their websites to enable cross domain communication and Facebook Connect still requires you to upload a single file to enabled it. Now, Friend Connect doesn't require any file upload... I was wondering how they were able to accomplish this. Reference: htt...

ASP.NET User Controls, ObjectDataSources, and XSS

I am working on a web project which includes a user control (.ascx) which is housed in a repeater on the containing .aspx page. There is a DataList on the user control which is dynamically bound in the code behind. Such that the parent page/repeater assigns the data (a List) to a property on the user control, which then assigns that sour...

Synchronous cross sub-domain POST request with jQuery

I'm trying to do a cross domain POST request and have hit a wall (or two). I can't put a proxy page on the server - so that is not an option. I have researched getJSON, which works great except that I need to POST not GET. Is it possible to do this? If it is not, can someone explain to me how getJSON works and why I cannot make a POST...

Sanitize input XSS and HTML input in rails

I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought rails would have something available globally to do something l...