search for: xss

Displaying 20 results from an estimated 117 matches for "xss".

2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using sanitize() is enough to really protect me from XSS attacks. I basically have a blog page that I want to allow people to display comments on, but would like to allow html tags to be posted in the comments; these could be html tags like the imageshack img tags, youtube player, photobucket img tags etc. Any other approaches or suggestions to this problem...
2006 Jan 09
3
XSS prevention with Rails
Hi! I wanna take a stab at implementing better XSS prevention for Rails. This time for real =) I'm wondering what would be the better way, clean everything up with tidy first and then do the rest with regexp or regexp all the way? Anybody done this before? Thanks! Ciao! Florian
2005 May 13
5
HTML sanitizer
Hello! Does anybody know of a Ruby implementation of a HTML sanitizer that prevents the attacks described on the xss cheatsheet? (http://ha.ckers.org/xss.html) I checked out the version Jamis wrote (http://dev.rubyonrails.com/ticket/1277), but that only covers the very basic attacks. Anybody? Just figured I would ask before, before I reinvent the wheel.. Ciao! Florian
2009 Jun 04
0
XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Bob Hoffman wrote: > Since each install uses the same pages basically, it is easy for a autobot > to find them all and zero day your forums, xss your whatever, and so on. > > Dang scary to leave JS on at all....even though you basically have to. Mozilla is beginning to address this issue with Content Security Policy -=- http://people.mozilla.org/~bsterne/content-security-policy/ -=- CSP will require pro-active webmasters who use...
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis ---------- Loofah::HTML::Document#text emits unencoded HTML entities prior to 0.4.6. This was originally by design, since the output of #text is intended to be used in a non-HTML context (such as generation of human-readable text documents). However, Loofah::XssFoliate's default behavior and Loofah::Helpers#strip_tags both use #text to strip tags out of the output, meaning that the following input: &lt;script&gt;alert('evil!');&lt;/script&gt; would be rendered as <script>alert('evil!'...
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
...e can be prevented by using the default configuration for the Apache HTTP web server (not exporting /perl-status). I haven't used <Location /perl-status> but Trustwave still finds me vulnerable. Evidence: Request: GET /perl-status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: www.mydomain.com Content-Type: text/html Content-Length: 0 Response: HTTP/1.1 404 Not Found Date: Mon, 07 Aug 2015 11:10:21 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Set-C...
2015 Jun 13
2
C5 : Firefox 38 bug
On 06/12/2015 01:01 PM, Gordon Messmer wrote: > On 06/13/2015 11:11 AM, jd1008 wrote: >> All your browsing history, all cookies ...etc are open books >> as far as many javascripts are concerned. > > Javascript can use CSS attributes to see if you've visited a specific > URL, which is unfortunate, but that's a long way from saying that your > history is an open
2006 Jan 26
0
Article about protecting Rails apps from XSS attacks
Cross-Site scripting (XSS) attacks have been appearing lately, so I wrote up an article about one way to protect yourself. It's pretty easy to use and, for those who care, I go into some of the metaprogramming techniques I used to create it. Check it out at http://blog.explorationage.com/articles/2006/01/25/how-to-pro...
2012 Aug 10
0
Missing earlier versions work around for "XSS Vulnerability in strip_tags"
The rubyonrails-security announcement for CVE-2012-3465 "XSS Vulnerability in strip_tags" mentions that a work around for earlier versions should be attached, but there's none, only patches for 3.0 series and up. Is the work around available? If so, where can I get hold of it? Thanks in advance, Peter -- Posted via http://www.ruby-forum.com...
2007 Jun 18
7
Testing for cross site scripting, etc.
Being new to testing and ruby, are there "standard" tests that can be done that test for things like cross site scripting and friends? If not, anyone have ideas on what I might do about testing those sorts of things? I'll be using rails, also. Mike B. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging
2006 Mar 10
3
Sweave scientific real display format (e.g. 5e-12)
Dear All, I couldn't figure and couldn't google out how to make construct a pair of \Sexpr s or a LaTeX macro that would include 5\cdot 10^{-12} into the LaTeX output instead of 5e-12 . Any ideas? Thank you Gábor
2012 Jul 29
4
R- Help (looping)
Hi, I'm Wellington from Brazil and I have the following issue: I've been working on a project a for a while, and I'm having trouble in using the loop (for) I need to read a column (c1), and for each value of this column, I need to check if it's within the control limits So, I was trying to do this: For (k in 1: c1) If (c1< lcl1 | c1 > ucl1) {here I
2004 May 26
7
File already in use?
Hi, I'm running 3.0.4 and have had several reports from users both using Office and Lotus where the application tells them that the file is already in use when we know it isn't. (BTW, there's a typo on the man page under "lock spin count". "acquired", not "aquired".) Chris -- Chris Garrigues http://www.DeepEddy.Com/~cwg/ Trinsic
2009 Sep 04
0
Question on the XSS Security Patch
After reading this security bulletin: http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?pli=1 I am a bit confused as to which patch I should apply. My application is currently running on a frozen copy of Rails 2.2.2. Reading the bulletin it appears that I should instead apply the 2-2-CVE-2009-3009.patch for the "2.2 series" of Rails. However, the patch introduces a
2013 Jun 04
0
Codec Mismatch
Sometimes in huge call volume am facing this type of error, [Jun 4 08:42:46] WARNING[8459][C-000079fa]: channel.c:5075 ast_write: Codec mismatch on channel Local/8038 at xss-call-out-00004774;1 setting write format to slin from ulaw native formats (ulaw) [Jun 4 08:43:04] WARNING[8285][C-000079da]: channel.c:5075 ast_write: Codec mismatch on channel Local/6513 at xss-call-out-00004775;1 setting write format to slin from ulaw native formats (ulaw) [Jun 4 08:43:10] WARN...
2008 Jun 06
2
Messy Cookies
...e-branch: http://github.com/judofyr/camping/commits/proper_cookies I've tested it with Firefox + LiveHTTPHeaders and it seems to work fine. If anyone spots a bug, please comment on a commit (or scream out on IRC)! Oh, and _why has to decide if we should make the session-system completely XSS-proof, or be a little more relaxed. It doesn't have to be XSS-proof as long as you keep the cookies secret (aka, escapes all Javascript). -- Magnus Holm
2015 Jun 13
4
C5 : Firefox 38 bug
On 06/12/2015 11:25 AM, m.roth at 5-cent.us wrote: > jd1008 wrote: >> On 06/12/2015 07:28 AM, g wrote: >>> On 06/10/2015 03:56 AM, Always Learning wrote: >>>> I displayed, as a web page, a list of search results created in PHP, >>>> from MySQL. >>> i am still using 24.8.0 and do not have to contend with all the >>> bugs introduced by moz
2011 Jul 15
3
Ruby variable that embeds html tags
This seems very simple, but I can't quite get it. Probably because I'm just starting out with RoR. My view has a slew of labels and text fields; many are "required": <%= f.text_field :screen_name %> <span class="required_field">Required field</span> (The "required_field" class turns the text red and smaller.) I'd like to
2008 May 19
6
Sample Code, quick simple openid auth
You'll need to install the 'openid' gem for this, and require it in your camping app: class Login < R '/login' def get this_url = 'http:' + URL('/login').to_s unless input.finish.to_s == '1' # start doing the auth here begin
2006 Apr 18
4
Security considerations with displaying uploaded HTML
...provided? I saw something in AWDWR about sanitize() - any comments/advice on that? One thing I'm considering is rendering it on the server side and providing an image of the rendered to the user - then I only have to worry about being compromised on my server instead of worrying about XSS attacks. Does that make sense? Any thoughts or advice is appreciated. Wes -- Posted via http://www.ruby-forum.com/.