xss

HttpServletRequest - Quick way to encode URL and hidden field parameters

故事扮演 submitted on 2019-12-25 01:52:51
Question: In my Java app I'm preventing XSS attacks. I want to encode URL and hidden field parameters in the HttpServletRequest objects I have a handle on. How would I go about doing this?
Answer 1: Don't do that. You're making it unnecessarily more complicated. Just escape it during display only. See my answer in your other topic: Java 5 HTML escaping To Prevent XSS
Answer 2: To properly display user-entered data on an HTML page, you simply need to ensure that any special HTML characters are properly encoded as

Possible to have compiler support (type safety) for avoiding double encoding for anti-XSS during Web development?

雨燕双飞 submitted on 2019-12-25 01:07:01
Question: Is it possible to have compiler support to enforce the cleanup of data (XSS encoding)? This question got me thinking about double encoding and the other times when encoding is needed. Seems like it would work great for Linq, but possibly I may need this feature in other scenarios as well. Microsoft AntiXSS - Is there a need to Decode?
Answer 1: Yes, given a type system that is expressive and powerful enough, this is indeed possible. Ur/Web, for example, is a web application framework written in

How to escape characters in ofbiz display-entity | XSS in Ofbiz

廉价感情. submitted on 2019-12-24 22:07:06
Question: Ofbiz form: I need to escape characters from the description column in a display-entity tag to avoid XSS attacks: <display-entity entity-name="Table" description="${description}" > I tried to use bsh, as follows: <display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}"> But I get this error: Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been

Cross site scripting(XSS)

十年热恋 submitted on 2019-12-24 20:12:57
Question: I am loading content from another page and, depending on the content of that page, changing the content of my page, and this is giving me cross-site scripting issues. When I use an iframe, since the content is from another domain, the content of the iframe becomes inaccessible. When I use Ajax and try to inject the content as plain HTML code, the XmlHttpRequest object throws a permission denied exception due to cross-site scripting. When I use JSONP, such as getJSON in jQuery, it only supports the GET protocol and it is not

How to show some HTML entities on title tag using Rails

感情迁移 submitted on 2019-12-24 18:02:10
Question: I'm running Rails 4.2.x and I have the following problem. The <title> of some pages is generated from user content, so I have to use the sanitize Rails helpers to properly clean it up. But if the user writes something like "A & B", the title shown in the browser is A & B, which is wrong. What's the correct way of escaping user content in the <title> tag using Rails? At least some special characters should be included...
Answer 1: We can use CGI also: title = "A & B" => "A & B" string = CGI.escapeHTML

html purifier library usage concept

冷暖自知 submitted on 2019-12-24 17:52:16
Question: Hi, I am at the prototype stage with my site. I read the HTML Purifier main page and the questions about this library on this site, but I am still not clear on the issue on my mind. Can you guide me please? Thanks, BR
My understanding: From the docs I have read, I understood that the best I can do is: to use mysqli_real_escape_string while inputting untrusted data into my MySQL database; to use the HTML Purifier library while outputting data from the MySQL database to screen as HTML.
My questions: Q1) Does my

XSS in meta tag

孤街醉人 submitted on 2019-12-24 13:19:10
Question: Some professional pentester guy told me this XSS test vector is useless for pentesting. The payload looks like this: <meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"> but when I save the code to an HTML file with more powerful JavaScript like hook.js (from the BeEF exploit framework): <meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28

Why is this a XSS attack and how to prevent this?

China☆狼群 submitted on 2019-12-24 09:06:11
Question: I have this PHP code and my CMS security auto-test says it's an XSS attack. Why, and how can I fix this? $url = "news.php"; if (isset($_GET['id'])) $url .= "?id=".$_GET["id"]; echo "<a href='{$url}'>News</a>";
Answer 1: It's XSS (cross-site scripting) as someone could call your thing like this: ?id='></a><script type='text/javascript'>alert('xss');</script><a href=' Essentially turning your code into <a href='news.php?id='></a><script type='text/javascript'>alert('xss');</script><a href=''>News</a>

How can I read the page title of the parent page from an iframe?

有些话、适合烂在心里 submitted on 2019-12-24 08:41:10
Question: I have a page that calls another page (on another server) and I want that page to read the title from the parent page. Is this possible, or is there some security issue with this?
Answer 1: You cannot communicate across servers like that.
Answer 2: You can use JavaScript to access the parent: window.parent.document.title
Answer 3: Call page A the caller page (with the JavaScript on it, the one requesting the title) and page B the page you want the title of. Can you make a third page C (hosted on any server