security

New Way To Prevent XSS Attacks

本小妞迷上赌 submitted on 2019-12-24 04:56:10
Question: I have a website related to entertainment. So, I have thought of using a new method to prevent XSS attacks. I have created the following word list: alert(, javascript, <script>, <script, vbscript, <layer>, <layer, scriptalert, HTTP-EQUIV, mocha:, <object>, <object, AllowScriptAccess, text/javascript, <link>, <link, <?php, <?import. I have thought that because my site is related to entertainment, I do not expect a normal user (other than a malicious user) to use such words in his comment. So,

NodeJS OAuth2.0 principles

我们两清 submitted on 2019-12-24 04:51:43
Question: Recently I was working on a nodeJS project and I was thinking about how to go about implementing the security module of my mobile application. I had previous experience with the OAuth 2.0 protocol, which I used in C# projects in the past. In .NET there are two nice open source projects: https://github.com/thinktecture/Thinktecture.IdentityServer.v3 https://github.com/thinktecture/Thinktecture.AuthorizationServer The former is an Identity Provider supporting federated authentication and the latter is an

Is CKeditor safe for letting end-users submit content?

两盒软妹~` submitted on 2019-12-24 04:47:05
Question: I am about to let some users publish articles on my site. To make it easier for them, I was thinking of using CKEditor, letting them have links, images, formatting, etc. However, I was thinking about JavaScript. Can someone inject JavaScript, or will CKEditor clean it up? Do I need my own filtering? Answer 1: Content submitted by the user should always be checked, even if an application like CKEditor generates valid code. You can use HTMLPurifier for server-side sanitizing. Source: https://stackoverflow.com

Do prepared statements in PDO really increase security?

纵然是瞬间 submitted on 2019-12-24 04:46:06
Question: I wonder if those prepared statements of PDO really increase security, or if they are just a "cheap" text replace in the query. The point of prepared statements actually is that whatever gets inserted as a parameter will not be parsed by the DBMS as part of the instructions itself, so a parameter like "'; DROP TABLE foobar;" has no effect and does not break the query. Does anyone know this in detail? I thought to use PDO with prepared statements for preventing SQL injection. It turns out that

Visual Studio 2013 Browser Link not playing well with Firefox - throwing exception

一世执手 submitted on 2019-12-24 04:36:08
Question: Just now I tried Browser Link with Firefox 27.0.1 while debugging a simple ASP.NET MVC app. I have Visual Studio Ultimate 2013 Update 1. Here's the Browser Link Dashboard: I tried changing something in a Razor view, pressed Ctrl+S and went to the browser to see if the page had changed accordingly, but... this is what I see in Firebug: http://localhost:6194/85d266397ee64f32b2f4ffdedc974643/arterySignalR/negotiate?requestUrl=http%3A%2F%2Flocalhost%3A26530%2Fgis&browserName=Firefox&clientProtocol=1.3

How do I call a Flex SWF from a remote domain using Flash (AS3)?

非 Y 不嫁゛ submitted on 2019-12-24 04:36:07
Question: I have a Flex SWF hosted at http://www.a.com/a.swf. I have Flash code on another domain that tries loading the SWF: _loader = new Loader(); var req:URLRequest = new URLRequest("http://services.nuconomy.com/n.swf"); _loader.contentLoaderInfo.addEventListener(Event.COMPLETE,onLoaderFinish); _loader.load(req); On the onLoaderFinish event I try to load classes from the remote SWF and create them: _loader.contentLoaderInfo.applicationDomain.getDefinition("someClassName") as Class When this code

PHP - Captcha replacement

吃可爱长大的小学妹 submitted on 2019-12-24 04:35:12
Question: I need your opinions on this code for implementing an anti-spam solution: When the page/form is generated, a random string is created, e.g. like $string = md5($_SERVER['REMOTE_ADDR']). This string is inserted in the database and set to expire after, let's say, 2 hours so we don't fill up the database. On page load, the form has a hidden input field with no value; let's name it spam_check. 10, 15 or 20 secs after the page has loaded, an AJAX request automatically fires off that attempts to retrieve that

Unable to store values in keychain correctly

那年仲夏 submitted on 2019-12-24 04:24:47
Question: I am using the following to store values in the keychain: KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"suggest" accessGroup:nil]; [keychain setObject:[object valueForKey:@"token"] forKey:(__bridge id)(kSecValueData)]; [keychain setObject:[object valueForKey:@"usr_id"] forKey:(__bridge id)(kSecAttrAccount)]; Here is my code for retrieving values: KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"suggest" accessGroup:nil];

Validating client binaries in client/server handshake

可紊 submitted on 2019-12-24 04:21:46
Question: I am building a client-side program that connects to a server. This client-side program needs to have the source code available to the users as part of the licensing (not an option). However, I need to ensure that when a user connects to the server with that client-side program, it's running with the original code and hasn't been altered and re-compiled. Is there any way to check during connection to the server that they're using an unaltered version of the program? Answer 1: No, there's really no