xss

问题 im using socket.io in expressjs 3. And i want to sanitize incoming messages with express-validator. I have this code: var expressValidator = require('express-validator') , sanitize = require('express-validator').sanitize; socket.on('chat', function (data) { io.sockets.in('test').emit('chat', { user: sh.session.user, message: data.message, time: new Date() }); }); how do i use sanitize(data.message).xss ? Because this does not work. 回答1: In this case you want to use validator instead of

问题 Is it possible to detect external scripts that might be loaded into a page by browser add-ons, a proxy, xss, etc? Say I have this web page: <html> <head> <title>Hello world!</title> <script src="http://mydomain.com/script.js"></script> </head> <body> Hello world! </body> </html> Would it be possible to include some script in my script.js file that would detect when other script elements on the page do not originate from http://mydomain.com ? I want something that could detect other scripts

问题 Is it safe to call jQuery's $.getJSON() with a URL argument that came from an untrusted source, such as another user? In other words, is it safe to call $.getJSON() with an untrusted URL? I will be careful not to trust the response and to handle the response safely, but does the call itself pose a security risk? In other words, I'm talking about something like: $.getJSON(url_from_user, function(...) { ... handle response safely ...}); or $.getJSON('http://evil.com/foo.json', function(...) {..

问题 What's the best library/approach for removing Javascript from HTML that will be displayed? For example, take: <html><body><span onmousemove='doBadXss()'>test</span></body></html> and leave: <html><body><span>test</span></body></html> I see the DeXSS project. But is that the best way to go? 回答1: JSoup has a simple method for sanitizing HTML based on a whitelist. Check http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer It uses a whitelist, which is safer then the blacklist approach

问题 I need to prevent XSS attacks as much as possible and in a centralized way so that I don't have to explicitly sanitize each input. My question is it better to sanitize all inputs at URL/Request processing level, encode/sanitize inputs before serving, or at the presentation level (output sanitization)? Which one is better and why? 回答1: There are two areas where you need to be aware: Anywhere where you use input as part of a script in any language, most notably including SQL. In the particular

问题 I've looked through the questions and I haven't seen anyone ask this yet. What is the for sure method to remove any sort of XSS attempts in some user submitted content? I know that < and > should be converted to < and > respectively but I've heard mention that encoding differences can get around this too. Supposing a whitelist, what are all the steps to completely clean some user submitted content to ensure that no XSS vulnerabilities exist? 回答1: There is no absolute security concering XSS

问题 By using HttpRequestValidationException, does it necessarily protect you against all cross-scripting threats? Are there situations where a potentially dangerous script might manage to go undetected? 回答1: No, in short it doesn't. Please decompile it using reflector and see what it does. An attack on an html attribute could be: " onfocus=alert(1) autofocus There are no < or > in this yet it still works. Please use AntiXss and check the OWASP XSS prevention cheat sheet. So you need to pay

问题 I have implemented a search engine in C for my html website. My entire web is programmed in C. I understand that html input sanitization is necessary because an attacker can input these 2 html snippets into my search page to trick my search page into downloading and displaying foreign images/scripts (XSS): <img src="path-to-attack-site"/> <script>...xss-code-here...</script> Wouldn't these attacks be prevented simply by searching for '<' and '>' and stripping them from the search query ?

问题 I have a web application for which I am trying to use Twitter's OAuth functionality. This application has a link that prompts a user for their Twitter credentials. When a user clicks this link, a new window is opened via JavaScript. This window serves as a dialog. This is accomplished like such: MainPage: <div id="promptDiv"><a href="#" onclick="launchDialog('twitter/prompt.aspx');">Provide Credentials</a></div> ... function launchDialog(url) { var specs = "location=0,menubar=0,status=0

问题 So I have the following code: var element = document.getElementById("myCanvas"); var width = element.width; var height = element.height; var context = element.getContext("2d"); /* test 1 */ var img1 = new Image(width, height); img1.src = "http://www.mydomain.com/image.jpg"; document.body.appendChild(img1); // <-- A: this works context.drawImage(img1,0,0,width,height); // <-- B: this works /* test 2 */ var img2 = new Image(width, height); img2.src = "http://www.notmydomain.com/image.jpg";