Displaying 20 results from an estimated 2000 matches similar to: "HTML sanitizer"
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way, clean everything up with
tidy first and then do the rest with regexp or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2007 Sep 27
6
Security + Rails =Joke?
Hi,
http://dev.rubyonrails.org/ticket/8453
http://dev.rubyonrails.org/ticket/8371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
I came across the above by accident. While I am subscribed to the so
called rails security list where supposed announcement of security
issues were to be posted, neither of the above problem made the list.
While I use rails a lot and like it, the above
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on but would like to allow html tags to be posted on the
comments, these could html tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2008 Mar 15
1
Javascript in URLs (was: Markdown doesn't always generate XHTML)
On Fri, Mar 14, 2008 at 11:22 PM, Michel Fortin
<michel.fortin at michelf.com> wrote:
>
> "Safe mode" you say?
Yeah, well, I didn't paint that bike shed.
>
> PHP Markdown also has a no-markup mode which would filter script tags
> and any other HTML tags. But this doesn't prevent anyone from
> inserting their own script on the page. Do you know you can
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style
type='text/css'>body{background-image:url('javascript:window.alert(1)')
}</style>" )
IE will execute the javascript. Firefox will not. I haven't tried it
with any other browsers.
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
Hello,
I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix.
Explanation: The vulnerability affects non default configuration of
Apache HTTP web server, i.e cases, when access to Apache::Status and
Apache2::Status resources is explicitly allowed via <Location
2008 Jun 06
2
Messy Cookies
It looks like everyone has tried to fix the cookies lately, and no-one managed
to get it 100% correctly.
The current implementation doesn't set the path correctly, and you can't use
@cookies in a #service-overload.
Qwzybug's patch fixed only the sessions.
Jenna's patch won't allow to set complex cookies (@cookies.key = {:path =>
"/path",
2006 Feb 01
4
REXML::ParseException - but the feed IS valid
I am using Ruby feedparser and when I try to parse this feed:
http://feeds.feedburner.com/Mobilecrunch
I get an error:
REXML::ParseException: Declarations can only occur in the doctype
declaration.
This feed does validate at feedvalidator.org. Any idea why it would raise
an exception?
Thanks,
eduard
2012 Dec 18
1
off-topic: firefox & noscript
Not a biggie, but definitely annoying: I try to register for a media site,
so I can put in a comment, and every time I hit "register", noscript pops
up telling me it's protecting me from cross-site scripting... and if it's
giving me any way to say, "that's ok for this site", I don't see it. I've
tried typing in a pattern for xss, and no joy.
Clues for the
2009 Mar 22
2
Backporting and Apache 2.0.52 is 4 1/2 years old
http://httpd.apache.org/security/vulnerabilities_20.html
states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68.
I am no longer a httpd expert, but at least one of the security fixes
involves XSS attacks via malformed ftp commands. I also realize that
redhat / centos may patch things separately from Apache and that the
sysadmin has a great deal to do with how secure things
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the
app. to) arbitrary HTML that I am (currently) displaying in an IFRAME
on a page. The users will be authenticated so it's not open to the
entire universe.
I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.
What kinds of applications do people have out there
2004 May 25
1
Share violation on file error
Hi!
I see some strange errors on a samba-3.0.2a PDC and fileserver
running under Linux.
Every now and then users are not able to access some random file.
Windows tells the user that the "file is already opened"
or some similar error message (it's an error message in German)
The files are varying, I see all kinds of filenames where
2019 May 22
3
HTTPS warning on developer.r-project.org
[Please CC me on replies, as I am not subscribed.]
Dear R folks,
Accessing the *R Developer Page* [1], the browser (Firefox) shows an
HTTPS warning.
The reason is the embedded Google logo.
> Gemischte (unsichere) Anzeige-Inhalte von "http://www.google.com/logos/Logo_40wht.gif" werden auf einer sicheren Seite geladen
Could you change that to an HTTPS link please?
```
$ curl -I
2015 Apr 06
5
Reference Sheet (CheatSheet) for "gglplot2" translated into Spanish...
Hello,
During this past Holy Week, Santiago Mota and I translated the "ggplot2"
cheatsheet that RStudio recently published into Spanish.
We have just been informed that the reference sheet is now available:
http://www.rstudio.com/resources/cheatsheets/
--
Regards,
Carlos Ortega
www.qualityexcellence.es
2006 Aug 03
9
Rails Cheatsheets!!!
Hey, if you know any rails cheatsheet link, add it into the following list,
let's make a long list on Rails cheatsheets.... ;)
1)
2)
3)
4)
.
.
.
2008 Jan 04
7
1.6 cheatsheet
Hey has anyone seen a 1.6 cheatsheet around?
Johnathan Snook did a nice 1.5 one but I've been working with 1.6 for a
while and while I can use prototypejs.org, cheatsheets are handy for jogging
memories..
I checked his blog, nothing there for 1.6.
Gareth
2013 Feb 18
4
PROPOSAL: Remove SWAT in Samba 4.1
As most of you would have noticed, we have now had 3 CVE-nominated
security issues for SWAT in the past couple of years.
At the same time, while I know many of our users use SWAT, we just don't
have anybody to maintain it inside the Samba Team. Kai has made a
valiant effort to at least apply the XSS and CSRF guidelines when folks
make security reports, but by his own admission he isn't a
2006 Jul 28
1
Nasty pitfall: don't use ^ and $ in validation regexes!
Let's say you want to validate that an attribute contains only 2-10
lowercase characters, e.g. with validates_format_of. The appropriate
regex is obviously /^[a-z]{2,10}$/, right?
Wrong! Try it with "abc\nANYTHING YOU LIKE" - this is perfectly valid.
On the second look the reason is clear: ^ matches the start of a line, $
matches the end of a line. So as long as one line in
2006 Jan 25
1
Protecting Your Apps against Cross Site Scripting Attacks
This has been in the news lately, so I wrote up an article about a
method I use to protect my app against XSS attacks. It's easy to use
if you don't care how it works, and I go through some of the
metaprogramming techniques I used if you do. Check it out:
http://blog.explorationage.com/articles/2006/01/25/how-to-protect-your-rails-apps-against-cross-site-scripting-attacks
2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in
case when :attributes => %w( style )
on stackoverflow, people say that it is not safe, yet the examples they
give such as
style="background-image: url(javascript:[code]);"
is being filtered out using sanitize and all that is left is style=""
is there a way to get a definite answer if