xss

问题 We're building an app, our first using Rails 3, and we're having to build I18n in from the outset. Being perfectionists, we want real typography to be used in our views: dashes, curled quotes, ellipses et al. This means in our locales/xx.yml files we have two choices: Use real UTF-8 characters inline. Should work, but hard to type, and scares me due to the amount of software which still does naughty things to unicode. Use HTML character entities (’ — etc). Easier to type, and probably more

问题 We're building an app, our first using Rails 3, and we're having to build I18n in from the outset. Being perfectionists, we want real typography to be used in our views: dashes, curled quotes, ellipses et al. This means in our locales/xx.yml files we have two choices: Use real UTF-8 characters inline. Should work, but hard to type, and scares me due to the amount of software which still does naughty things to unicode. Use HTML character entities (’ — etc). Easier to type, and probably more

问题 I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input. The patterns I am using are as given below, // Script fragments Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE), // src='...' Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // lonely

问题 I've launched an application last week and have noticed since that in Chrome only the height of my canvas is not always adjusted. I've spent a bunch of hours looking at the issues and noticed that I get the following error - sometimes. Unsafe JavaScript attempt to access frame with URL https://apps.facebook.com/tabletr/ from frame with URL http://static.ak.facebook.com/connect/canvas_proxy.php?version=3#behavior=p&method=getPageInfo&params=%7B%22channelUrl%22%3A%22https%3A%2F%2Fs-static.ak

问题 I am using htmlspecialchars() function to prevent XSS attacks. I have doubt regarding what is the better method to store the data in database from following. Method 1 : Store the user input values after applying htmlspecialchars() function. Using this it user input "<script>" will become "<script>" . Method 2 : Store the user input as it is and apply htmlspecialchars() method while retrieving the data and displaying it on the page. The reason for my doubt is that I believe using method 1

问题 This question already has answers here : How can I sanitize user input with PHP? (17 answers) Closed 6 years ago . i want to check my data from the user for XSS and SQL injection and this is how i tried if (isset($_GET['membernumber'])) { $mem = htmlentities($_GET['membernumber']); $memberparamter = cleanData($mem); } But which method is the best/correct way to check? Method 1 function cleanData($data) { $data=mysql_real_escape_string($data); $data=trim($data); $data=stripcslashes($data);

问题 I would appreciate an answer to settle a disagreement between me and some co-workers. We have a typical PHP / LAMP web application. The only input we want from users is plain text. We do not invite or want users to enter HTML at any point. Form elements are mostly basic input text tags. There might be a few textareas, checkboxes etc. There is currently no sanitizing of output to pages. All dynamic content, some of which came from user input, is simply echoed to the page. We obviously need to

问题 I would appreciate an answer to settle a disagreement between me and some co-workers. We have a typical PHP / LAMP web application. The only input we want from users is plain text. We do not invite or want users to enter HTML at any point. Form elements are mostly basic input text tags. There might be a few textareas, checkboxes etc. There is currently no sanitizing of output to pages. All dynamic content, some of which came from user input, is simply echoed to the page. We obviously need to

问题 Is it possible to make AJAX-calls (e.g. using jQuery.ajax() ) from local html/js file (e.g. file://home/a.html) to the remote server (e.g. http://domain:8080/api)? If yes, how to enable such XSS (e.g. in FF3)? I suppose it's some browser's security settings, but can't find which ones. And suppose there is an answer without any server-side changes (such as JSONP). Thanks. Code snippet: function foo(){ $.ajax({ type: "POST", url: "http://localhost:8080/api", data: "Hello world", success:

问题 Is it possible to make AJAX-calls (e.g. using jQuery.ajax() ) from local html/js file (e.g. file://home/a.html) to the remote server (e.g. http://domain:8080/api)? If yes, how to enable such XSS (e.g. in FF3)? I suppose it's some browser's security settings, but can't find which ones. And suppose there is an answer without any server-side changes (such as JSONP). Thanks. Code snippet: function foo(){ $.ajax({ type: "POST", url: "http://localhost:8080/api", data: "Hello world", success: