Best way to handle security and avoid XSS with user entered URLs

If you think URLs can't contain code, think again! https://owasp.org/www-community/xss-filter-evasion-cheatsheet Read that, and weep. Here's how we do it on Stack Overflow:

    using System.Text.RegularExpressions;

    /// <summary>
    /// returns "safe" URL, stripping anything outside normal charsets for URL
    /// </summary>
    public static string SanitizeUrl(string url)
    {
        return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
    }
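Added example, not part of the answer above and not Stack Overflow's code: the same character allowlist, ported to JavaScript, put next to a scheme allowlist so the two checks can be compared on a `javascript:` URL. The allowed schemes and the sample inputs are my assumptions; it runs under Node.js, which provides the WHATWG `URL` class globally.

```javascript
// The character class from the C# regex above, ported one-to-one.
const DISALLOWED_CHARS = /[^-A-Za-z0-9+&@#\/%?=~_|!:,.;()]/g;

// Strips every character outside the allowlist (what SanitizeUrl does).
function stripDisallowedChars(url) {
  return url.replace(DISALLOWED_CHARS, "");
}

// Assumed policy: only these schemes may end up in an href attribute.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized absolute URL when its scheme is on the allowlist,
// or null when the input is relative, unparseable, or uses any other scheme.
// Letting the URL parser decide the scheme is deliberate: it lowercases
// "JaVaScRiPt:" and removes embedded tabs/newlines ("java\nscript:") before
// the comparison, so those evasions do not reach the allowlist check.
function safeHref(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input.trim());
  } catch (e) {
    return null; // relative or malformed: we require an absolute URL here
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

module.exports = { stripDisallowedChars, safeHref };
```

The character allowlist removes `<` and `>`, so a URL can no longer close the attribute it sits in, but every character of `javascript:alert(1)` is on the list; the scheme check is the one that rejects it.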

How do you configure HttpOnly cookies in tomcat / java webapps?

httpOnly is supported as of Tomcat 6.0.19 and Tomcat 5.5.28. See the changelog entry for bug 44382. The last comment for bug 44382 states, "this has been applied to 5.5.x and will be included in 5.5.28 onwards." However, it does not appear that 5.5.28 has been released. The httpOnly functionality can be enabled for all … Read more
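Added configuration example, not from the answer above: the switch the Tomcat versions named there expose is the `useHttpOnly` attribute on the `Context` element. Placing it in `conf/context.xml` applies it to every web application on the server; placing it in a single application's `META-INF/context.xml` limits it to that application (the `WatchedResource` line is only the default content of that file).

```xml
<!-- conf/context.xml: session cookies for all web applications get the HttpOnly flag -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

On Servlet 3.0 containers (Tomcat 7 and later) the same effect is also available per application in `web.xml` through `<session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>`, and Tomcat 7 and later default `useHttpOnly` to true. Verify with a browser's developer tools or `curl -i` that the `Set-Cookie: JSESSIONID=...` header actually carries `HttpOnly`; the flag only protects the session cookie, so cookies your own code sets still need the flag set explicitly.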

What are “top level JSON arrays” and why are they a security risk?

This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects gmail. Some people have addressed this vulnerability by using an unparseable cruft (Mr bobince's technical description on this page is fantastic.) The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit: Recent … Read more
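Added example, not part of the answer above: why a top-level JSON array is a runnable script when a third-party page includes it with `<script src=...>`, and how the "unparseable cruft" prefix breaks that while a same-origin client can still strip it and parse the body. The sample response and the `)]}',\n` prefix (the one AngularJS used) are my constructed choices; it runs under Node.js.

```javascript
// Constructed sample body, as an endpoint such as /contacts might return it.
const CONTACTS_JSON = '[{"name":"alice","email":"alice@example.com"}]';

// A cross-site <script src="..."> include evaluates the response body as a
// JavaScript program. new Function() only parses its argument, so it answers
// "would the browser accept this body as a script?" without running anything.
function isValidScriptProgram(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false; // SyntaxError: the body cannot be loaded as a script
  }
}

// Prefix that is not valid JavaScript, so the protected body fails to parse
// as a script. A real server would also require a non-GET method or a custom
// header, but the prefix alone is what the answer is about.
const PREFIX = ")]}',\n";

// Server side: prepend the cruft to every JSON array response.
function protectJson(json) {
  return PREFIX + json;
}

// Client side (same-origin XMLHttpRequest/fetch, which can read the body):
// refuse responses that lack the prefix, strip it, then parse normally.
function parseProtected(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

module.exports = { isValidScriptProgram, protectJson, parseProtected, CONTACTS_JSON };
```

A top-level object literal such as `{"a":1}` is not a valid statement (the braces parse as a block and `"a":` is not a label), which is why wrapping the array in an object was also suggested; the prefix works regardless of the shape of the data.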

XSS prevention in JSP/Servlet web application

XSS can be prevented in JSP by using JSTL <c:out> tag or fn:escapeXml() EL function when (re)displaying user-controlled input. This includes request parameters, headers, cookies, URL, body, etc. Anything which you extract from the request object. Also the user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying. … Read more

How do you use window.postMessage across domains?

Here is an example that works on Chrome 5.0.375.125.

The page B (iframe content):

    <html>
    <head></head>
    <body>
    <script>
    // 'A' stands for the origin of page A (scheme://host[:port]); the message is
    // delivered only if the top window really has that origin
    top.postMessage('hello', 'A');
    </script>
    </body>
    </html>

Note the use of top.postMessage or parent.postMessage not window.postMessage here

The page A:

    <html>
    <head></head>
    <body>
    <iframe src="B"></iframe>
    <script>
    window.addEventListener("message", function (e) {
        // 'B' stands for the origin of page B; drop messages from anywhere else
        if (e.origin !== 'B') {
            return;
        }
        alert(e.data);
    }, false);
    </script>
    </body>
    </html>

… Read more
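Added example, not part of the answer above: the two sides of the exchange it describes, written as plain functions so the origin check on the receiving side can be exercised without a browser. The origins `https://a.example` (page A) and `https://b.example` (page B) are assumed values standing in for the `'A'` and `'B'` placeholders; it runs under Node.js with constructed event objects.

```javascript
const PAGE_A_ORIGIN = "https://a.example"; // assumption: where the embedding page lives
const PAGE_B_ORIGIN = "https://b.example"; // assumption: where the iframe content lives

// Builds page A's "message" listener. Only events whose origin equals
// allowedOrigin exactly are passed to onMessage; everything else is dropped.
// Returns the accepted payload, or null when the event was dropped, so the
// decision can be checked by a caller.
function makeMessageHandler(allowedOrigin, onMessage) {
  return function handle(event) {
    // Exact comparison on purpose: startsWith/indexOf/regex checks are bypassed
    // by look-alike origins such as https://b.example.attacker.test, and a
    // scheme downgrade (http://b.example) is a different origin too.
    if (event.origin !== allowedOrigin) return null;
    onMessage(event.data);
    return event.data;
  };
}

// Page B's sending side. Naming the target origin instead of "*" makes the
// browser discard the message when the parent is not page A, so data is never
// handed to an unexpected embedder.
function sendToParent(parentWindow, data) {
  parentWindow.postMessage(data, PAGE_A_ORIGIN);
}

// Browser wiring (for reference, not executed here):
//   page A: window.addEventListener("message", makeMessageHandler(PAGE_B_ORIGIN, d => console.log(d)));
//   page B: sendToParent(window.parent, "hello");

module.exports = { PAGE_A_ORIGIN, PAGE_B_ORIGIN, makeMessageHandler, sendToParent };
```

Treat `event.data` as untrusted even after the origin check: it is whatever script runs on page B, so validate its shape before acting on it, and never pass it to `eval`, `innerHTML` or a URL attribute.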

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string. Yes, mysql_real_escape_string is effectively just a string escaping function. It is not a magic bullet. All it will do is escape dangerous characters in … Read more

How to pass parameters to a Script tag?

I apologise for replying to a super old question but after spending an hour wrestling with the above solutions I opted for simpler stuff.

    <script src=".." one="1" two="2"></script>

Inside above script:

    document.currentScript.getAttribute('one'); // 1
    document.currentScript.getAttribute('two'); // 2

Much easier than jQuery or URL parsing. You might need the polyfill for document.currentScript from @Yared Rodriguez's answer … Read more

What does it mean when they say React is XSS protected?

ReactJS is quite safe by design since String variables in views are escaped automatically. With JSX you pass a function as the event handler, rather than a string that can contain malicious code, so a typical attack like this will not work:

    const username = "<img onerror='alert(\"Hacked!\")' src=\"https://stackoverflow.com/questions/33644499/invalid-image\" />";

    class UserProfilePage extends React.Component {
      render() {
        … Read more
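Added example, not part of either the JSP answer further up or the React answer above: the escaping that both `fn:escapeXml` and React's rendering of string values apply, written as a stand-alone function and run against a payload of the same shape as the one in the React answer, next to the unescaped concatenation it protects against. The `renderUnsafe`/`renderSafe` names and the sample payload are my constructions; it runs under Node.js.

```javascript
// The five characters that matter in HTML text and quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escapes a value for the HTML text / quoted-attribute context. Every
// user-controlled value goes through this before it touches markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Constructed payload, same shape as the username in the React answer.
const PAYLOAD = '<img onerror="alert(\'Hacked!\')" src="invalid-image" />';

// Vulnerable: raw concatenation, what an unescaped JSP expression,
// innerHTML, or React's dangerouslySetInnerHTML would produce.
function renderUnsafe(username) {
  return "<h1>Welcome " + username + "</h1>";
}

// Safe: the value is rendered as text, which is what <c:out>,
// fn:escapeXml and a JSX expression child do for you.
function renderSafe(username) {
  return "<h1>Welcome " + escapeHtml(username) + "</h1>";
}

module.exports = { escapeHtml, renderUnsafe, renderSafe, PAYLOAD };
```

This escaping covers the text and attribute-value contexts only. A value placed in a URL attribute (`href`, `src`) or inside a `<script>` block needs its own rule: escaping `<` does nothing to a `javascript:` URL, which is why React does not treat `href={userInput}` as safe either.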
