As the answers on how XSS can be malicious are already given, I’ll only answer the following question left unanswered: how can i prevent XSS from happening on my websites ? As to preventing from XSS, you need to HTML-escape any user-controlled input when they’re about to be redisplayed on the page. This includes request … Read more
For PHP’s own session cookies on Apache: add this to your Apache configuration or .htaccess <IfModule php5_module> php_flag session.cookie_httponly on </IfModule> This can also be set within a script, as long as it is called before session_start(). ini_set( ‘session.cookie_httponly’, 1 );
Will some.js be able to use XMLHttpRequest to post data to abc.com? In other words, is abc.com implicitly trusted because we loaded Javascript from there? No, because the script is loaded on to a seperate domain it will not have access… If you trust the data source then maybe JSONP would be the better option. … Read more
There’s a few ways: Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode()) Follow the directions laid out by Phil Haack where it details using the Anti-XSS library as the ‘default’ encoding engine for ASP.NET.
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent XSS. Such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit, they are going to hijack the cookie with XSS or read a CSRF token to make an XHR. However running … Read more
ReactJS is quite safe by design since String variables in views are escaped automatically With JSX you pass a function as the event handler, rather than a string that can contain malicious code so a typical attack like this will not work const username = “<img onerror=”alert(\”Hacked!\”)” src=”https://stackoverflow.com/questions/33644499/invalid-image” />”; class UserProfilePage extends React.Component { render() … Read more
maybe JSONP can help. NB youll have to change your messages to use json instead of xml Edit Major sites such as flickr and twitter support jsonp with callbacks etc
Here is an example that works on Chrome 5.0.375.125. The page B (iframe content): <html> <head></head> <body> <script> top.postMessage(‘hello’, ‘A’); </script> </body> </html> Note the use of top.postMessage or parent.postMessage not window.postMessage here The page A: <html> <head></head> <body> <iframe src=”B”></iframe> <script> window.addEventListener( “message”, function (e) { if(e.origin !== ‘B’){ return; } alert(e.data); }, false); … Read more
Why are Ajax HTTP Requests not allowed to cross domain boundaries. Because AJAX requests are (a) submitted with user credentials, and (b) allow the caller to read the returned data. It is a combination of these factors that can result in a vulnerability. There are proposals to add a form of cross-domain AJAX that omits … Read more
You have to wrap the entire url statement in the bypassSecurityTrustStyle: <div class=”header” *ngIf=”image” [style.background-image]=”image”></div> And have this.image = this.sanitization.bypassSecurityTrustStyle(`url(${element.image})`); Otherwise it is not seen as a valid style property