Displaying 20 results from an estimated 4000 matches similar to: "Protecting Your Apps against Cross Site Scripting Attacks"
2006 Jan 26
0
Article about protecting Rails apps from XSS attacks
Cross-Site scripting (XSS) attacks have been appearing lately, so I
wrote up an article about one way to protect yourself. It's pretty
easy to use and, for those who care, I go into some of the metaprogramming
techniques I used to create it. Check it out at
http://blog.explorationage.com/articles/2006/01/25/how-to-protect-your-rails-apps-against-cross-site-scripting-attacks
Justin
p.s. My
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
Hello,
I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix.
Explanation: The vulnerability affects a non-default configuration of
Apache HTTP web server, i.e. cases when access to Apache::Status and
Apache2::Status resources is explicitly allowed via <Location
2007 Jun 18
7
Testing for cross site scripting, etc.
Being new to testing and ruby, are there "standard" tests that can be
done that test for things like cross site scripting and friends?
If not, anyone have ideas on what I might do about testing those sorts
of things?
I'll be using rails, also.
Mike B.
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on but would like to allow html tags to be posted on the
comments, these could be html tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before I reinvent the wheel..
Ciao!
Florian
2015 Aug 12
0
Apache mod_perl cross site scripting vulnerability
On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
> I haven't used <Location /perl-status> but Trustwave still finds me
> vulnerable.
>
[...]
> Response: HTTP/1.1 404 Not Found
You clearly aren't serving perl-status; that's a red herring here.
[...]
> Body: contains
2015 Aug 12
0
Apache mod_perl cross site scripting vulnerability
How about something like:
<Location /perl-status>
# disallow public access
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
SetHandler perl-script
PerlResponseHandler Apache2::Status
</Location>
2015-08-11 14:46 GMT+03:00 Proxy One <proxy-one at mail.ru>:
> Hello,
>
> I've failed latest PCI scan because of
2011 Jul 16
2
[LLVMdev] select1st, select2nd
Chris Lattner <clattner at apple.com> writes:
> The problem that I have with this sort of higher order metaprogramming
Metaprogramming? This isn't template metaprogramming if that's what you
mean.
> in C++'98 is that you're trading one set of complexity for another.
What's the other complexity?
-Dave
2006 Apr 19
3
Useful article for anyone programming for paid client work
We're working on a new series of applications called "RealApps" - simple
plugins and components that add functionality to Rails applications. We just
posted an article describing the first one - a content management system.
We also go into the business case behind the design we chose. Good stuff for
programmers to know - especially if you are doing paid client work. It
2015 Aug 12
2
Apache mod_perl cross site scripting vulnerability
On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
>
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> >
> [...]
> > Response: HTTP/1.1 404 Not Found
>
> You clearly aren't serving perl-status; that's a red herring here.
Indeed,
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way, clean everything up with
tidy first and then do the rest with regexp or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2008 Jun 06
2
Messy Cookies
It looks like everyone has tried to fix the cookies lately, and no-one managed
to get it 100% correctly.
The current implementation doesn't set the path correctly, and you can't use
@cookies in a #service-overload.
Qwzybug's patch fixed only the sessions.
Jenna's patch won't allow you to set complex cookies (@cookies.key = {:path =>
"/path",
2008 Nov 13
3
metaprogramming with lm
Hello,
Say I want to make a multiple regression model with the following expression:
lm(y~x1 + x2 + x3 + ... + x_n,data=mydata)
It gets boring to type in all the independent variables, in this
case x_i. Is there any simple way to do the metaprogramming for this?
(There are different cases where the names of the independent
variables might sometimes have apparent patterns or not)
2008 Jan 31
0
Cross Site Sniper 0.2 (stable)
I'm pleased to announce the release of Cross Site Sniper 0.2.
Cross Site Sniper is one more addition to the ever growing list of tools
that attempt to provide a convenient and DRY method to protect Rails
sites from Cross Site Scripting (XSS) attacks. There are many plugins
and tools out there that attempt to address this issue, but none of them
met my requirements. So, I created
2011 Jul 16
0
[LLVMdev] select1st, select2nd
On Jul 15, 2011, at 1:57 PM, David A. Greene wrote:
> Chris Lattner <clattner at apple.com> writes:
>
>> On Jul 15, 2011, at 12:35 PM, David Greene wrote:
>>
>>> I've run into a use case where I'd like to use a mapped_iterator to
>>> iterate over the 1st (or 2nd) items in a sequence of std::pairs. Does
>>> select1st/select2nd exist
2009 Apr 17
3
OT: Possible for Malware against Windows boxes to attack Firefox on Linux?
My belief is that this is not possible, but there are many extremely
knowledgeable people participating on this list and I would like to
know if it is in fact possible. I am running CentOS 5.3 (32 bit) fully
updated. Browser is Mozilla Firefox v.3.0.7.
I believe both times this happened, once yesterday and once today, I
was surfing on the web site of my favorite singer/musical group; or in
the
2012 Dec 18
1
off-topic: firefox & noscript
Not a biggie, but definitely annoying: I try to register for a media site,
so I can put in a comment, and every time I hit "register", noscript pops
up telling me it's protecting me from cross-site scripting... and if it's
giving me any way to say, "that's ok for this site", I don't see it. I've
tried typing in a pattern for xss, and no joy.
Clues for the
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>" )
IE will execute the javascript. Firefox will not. I haven't tried it
with any other browsers.
2018 Mar 19
2
objc++ enhancements?
hi.
Is there interest in enhancing the objc++ compiler to make objc mechanisms friendly to the newer features of c++? For instance...
1) making blocks movable so that they can capture things like unique_ptr<> and still be moved off the stack
2) making @property declarations work with move-only types like unique_ptr<>
3) enabling std::weak_ptr<> to weakly store an objc pointer
2009 Mar 22
2
Backporting and Apache 2.0.52 is 4 1/2 years old
http://httpd.apache.org/security/vulnerabilities_20.html
states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68.
i am no longer a httpd expert, but at least one of the security fixes
involves XSS attacks via malformed ftp commands. I also realize that
redhat / centos may patch things separately from Apache and that the
sysadmin has a great deal to do with how secure things