Search Results

Search found 83184 results on 3328 pages for 'asp php net'.

Page 176/3328 | < Previous Page | 172 173 174 175 176 177 178 179 180 181 182 183  | Next Page >

• Testing php mail() in localhost problem.

  - by Samir Ghobril

  Hey guys, recently I just installed msmtp in linux and I even send a mail from the terminal and it worked: echo -e "Subject: Test Mail\r\n\r\nThis is a test mail" |msmtp --debug --from=default -t [email protected] But in php, after editing the php.ini file to have this: sendmail_path = '/usr/bin/msmtp -t' and using this piece of code: <?php if ( mail ( '[email protected]', 'Test mail from localhost', 'Working Fine.' ) ){ echo 'Mail sent'; } else{ echo 'Error. Please check error log.'; } ?> I get the Mail sent message but don't receive a message in my inbox. Not even in the spam folder. Anything wrong I'm doing?

  Read the article

• Installing php(suexec) for Apache

  - by John

  I've got Apache installed and running but how do i install and run PHP as fastcgi so it runs as its own user? here is my apache config: ./configure --prefix=/usr/local/apache2 --enable-rewrite=shared --enable-so --enable-suexec --disable-asis --disable-autoindex --enable-cache --enable-deflate --enable-disk-cache --enable-expires --enable-file-cache --enable-mem-cache --enable-ssl --enable-vhost-alias --with-mpm=prefork --with-port=8080 here is my php config: ./configure prefix=/usr/local/php --without-pear --enable-safe-mode --enable-magic-quotes --with-apxs2=/usr/local/apache2/bin/apxs --disable-cli --disable-cgi --enable-force-cgi-redirect --enable-fastcgi --with-mysql --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib --enable-calendar --with-curl --enable-mbstring --with-mcrypt

  Read the article

• Trying to install PHP 5.2 on IIS/Win 2008 - Error 500

  - by Razor

  I have a fresh install of IIS 7 - I just added Web Platform Installer, and PHP 5.2 thru that. However, when trying to access to a simple test.php file (just has phpinfo() in it), I get the following list of errors: • IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly. • IIS was not able to process configuration for the Web site or application. • The authenticated user does not have permission to use this DLL. • The request is mapped to a managed handler but the .NET Extensibility Feature is not installed. The domain was created with dot net panel, but I don't think that has to do with this problem, unless maybe it uses a specific user? Maybe I need to add php thruough dot net panel? Any idea of what I'm doing wrong here?

  Read the article

• IIS 7.5 with PHP 5.3, displaying errors on page

  - by dreamlax

  I'm running Windows Server 2008 R2, with IIS 7.5 and PHP 5.3 (configured by FastCGI). In my php.ini I have: log_errors = On display_errors = Off error_log = syslog (also tried an actual file with appropriate permissions) Each time a page contains an error, it is never logged anywhere, but it is displayed on the page (unless I turn log_errors off). I'm guessing that the stderr from php-cgi.exe is being put on the page, instead of being logged where it is supposed to be. Is there a setting somewhere that allows me to log these errors properly?

  Read the article

• Wrong version of php used be IIS

  - by user1070125

  Long ago I installed php5.2 using a installer on IIS. Recently I installed PHP Manager and upgraded to php5.3 simly by unzipping the downloaded file and then used the "Register new php version" in PHP Manager. I did this for the global scope for all sites. This works OK. Once in a blue moon errors are written to the php5.2 errorlog even though that verion is not used anymore. The errors are typical 5.3 specfic functions that are not supported in 5.2. How can it be? Can I safely uninstall php5.2 using the uninstaller (i think it added some stuff to the env paths)?

  Read the article

• PHP session files have permissions of 000 - They're unusable

  - by vanced

  I kept having issues with a Document Management System I'm trying to install as, at the first step of the installation process, it would error with: Warning: Unknown: open(/tmp/sess_d39cac7f80834b2ee069d0c867ac169c, O_RDWR) failed: Permission denied (13) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0 I looked in /tmp and saw the sess_* files have the following permissions ---------- 1 vanced vanced 1240 Jan 20 08:48 sess_d39cac7f80834b2ee069d0c867ac169c All the session files look like this. So obviously, they're unusable by PHP and it's causing me lots of problems. How can I get PHP to set the correct permissions? I've tried changing the directory which php.ini uses to /tmp/phpsessions and the same thing occurs. The directories are a+rwx.

  Read the article

• Upgrading php, mysql, and apache

  - by Kevin

  I have been looking around and have not found a good answer to my question. I currently have php 5.3.3 installed via yum on my centos 6.3 server. I need to upgrade to php 5.10 or later. It is my understanding that you need to find the correct mysql and apache packages that fit with the php install. Can someone please point me in the direction of a an update guide? Btw I am not looking for "yum update httpd php5" this gets me the old 5.3.3 version. Thanks, Kevin.

  Read the article

• Setting the server to look for index.php file by default

  - by ????? ???????

  I am a web developer and I've requested our Sys-Admin to setup a server for my team that will be used as a development environment. The PHP is running as a CGI. When i try to open http://myaddress/ I receive 403 Forbidden. When I try to open http://myaddress/index.php everything is fine. How do I set the server to look for index.php file by default? P.S The sysadmin is not currently here, so he cannot do it for me.

  Read the article

• php returns junk characters at end of everything

  - by blindJesse

  php appears to be adding junk characters to the end of everything it returns on a friend's site. I'm not an admin on the server but I'd like to give an informed complaint to get this fixed. The site is http://daytoncodebreakers.org. You can see some junk at the end of every page on the site (what appear to be question marks with something else in the middle). I originally thought this was a wordpress issue, but check out http://daytoncodebreakers.org/whereisini.php (which is just a call to phpinfo), and http://daytoncodebreakers.org/hello.php (which is just 'Hello World'). I'm not sure if this is the most appropriate site, but I think this is a server config issue, so I'm posting it here (rather than stackoverflow or superuser). Feel free to move it if want.

  Read the article

• PHP session files have permissions of 000 - They're ununsable

  - by vanced

  I kept having issues with a Document Management System I'm trying to install as, at the first step of the installation process, it would error with: Warning: Unknown: open(/tmp/sess_d39cac7f80834b2ee069d0c867ac169c, O_RDWR) failed: Permission denied (13) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0 I looked in /tmp and saw the sess_* files have the following permissions ---------- 1 vanced vanced 1240 Jan 20 08:48 sess_d39cac7f80834b2ee069d0c867ac169c All the session files look like this. So obviously, they're unusable by PHP and it's causing me lots of problems. How can I get PHP to set the correct permissions? I've tried changing the directory which php.ini uses to /tmp/phpsessions and the same thing occurs. The directories are a+rwx.

  Read the article

• Simple Chat with php

  - by MatrixOnTheLine

  in chat.php $data = getCache($room); while(1){ if($data == false || empty($data[1]) ) sleep(10); else break; } in sendmemcache.php $value = $_GET['value']; setCache($room,array($username,$value)); However, in infinite loop $data's value never change. I send $value with manuel for sendmemcache.ophp. sendmemcache.php never finish its proces. (Always "Transferring data ....") How can i resolve this ?

  Read the article

• Upgrade PHP v5.3.3 to v5.3.4

  - by Ty01

  I currently have PHP v5.3.3 installed and configured. Everything is working perfectly, but I would like to keep PHP up to date and upgrade to v5.3.4. Can someone please describe the usual upgrade process for PHP when compiling manually? For example: is it just as easy as downloading the newest source, uncompressing it, compiling it using the same (or comparable) options that were used on the last version? Is there anything that has to be removed or changed from the previous version installed? I'm clueless. Please help!

  Read the article

• Linux, PHP, and mysqlnd?

  - by bob-the-destroyer

  Looks like most common distros build their PHP packages without mysqlnd, instead relying on the old libmysql library. Are there any distros that do include the new mysql native driver even as an option in any of their officially supported repositories? If not, is it possible (and if so, how) to rebuild these three (mysql, mysqli, & pdo_mysql) extensions without having to rebuild the entire PHP install? In my case, there are several PHP functions I need that are available only if these Mysql extenstions are built against mysqlnd. So I'd be fine installing a new OS to get these if the OS offers and supports it.

  Read the article

• Mass modify all php files on my server

  - by anslume

  I would like to delete a php code on all my php files on my debian server. indeed I would like to get rid of a line: eval(base64_decode("DQplcnJvcl9yZXBvcnR")); It's present in many of my phpfiles. That's why I would like to find a script which is going to look it up in all my php files and replace itwith nothing? Do you have any idea how i could do that ? I know how to do it on windows with some software (notepad++ is very useful) but no idea how can I do that in a command line through ssh Thanks for your answer, Ans

  Read the article

• Restarting Nagios Using PHP

  - by X-Ware

  I am making a tool that is interacting with NAGIOS where some config files should be added so a restart will be needed. What I need to know is how to restart NAGIOS using PHP code since this tool is written in PHP .. when I try to do this using: shell_exec("service nagios restart"); changes do not take place but when I do this manually by the console all changes I did using the PHP script are applied ... after 2 minutes research I found that I am asking linux to execut this command while I am logged in as apache user so I changed the command to: shell_exec('echo "mypass" | sudo -S service nagios restart'); still having the same problem ... new config files are not read until I restart manually any suggestions will be appreciated :)

  Read the article

• installing php from source

  - by samsunggalaxyss

  Hi, i have a centos5.5 server on which i want to host Magento. However i don't want to use a control panel but to do everything myself. The base repo on centos provides php 5.1.6 which is too old for the application to use. If i download and compile from source the newest php, will i also have to install the newest apache and mysql? I wan't all the pieces to work well together. I am new at linux but i know enough to install these things from latest source. But say i install the new apache 2.2.17 which has document root at /usr/local/apache2/htdocs/ how do i tell php where that is, if you understand what i mean? Thanks for your help.

  Read the article

• Upgrading Apache, PHP and MySQL

  - by Javacadabra

  I'm looking to upgrade my current version of Apache, PHP and mySQL. I remember when I installed them it was a very intricate and somewhat delicate process and I am sort of afraid to upgrade in case everything just stops working! Currently I am running Apache 2.2.21 and PHP 5.3.5. MySQL is 5.6.4 Does anyone have any ideas how you upgrade these things? I think the current versions are Apache 2.4.3, PHP 5.4.7 and MySQL 5.6. Thanks in advance!

  Read the article

• if isset PHP not working?

  - by Ellie

  Okay, Im trying to set a captcha up, However with this code in, it breaks. if(isset($_POST["captcha"])) if($_SESSION["captcha"]==$_POST["captcha"]) When i do it with out it, the page works, but the captcha is letting incorrect submits through. Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /hermes/waloraweb085/b2027/moo.lutarinet/jointest.php on line 71 <?php $pagetitle = "Home"; $checkrank = 0; include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php'); ECHO <<<END <br><br> <b><center><i><u>DO NOT</u> USE YOUR NEOPETS PASSWORD OR PIN NUMBER!!!</b></i></center> <p> ?> <?php session_start() ?> <center><P><FORM ACTION="join.pro.php" enctype="multipart/form-data" METHOD=POST> <table width="393" height="188" border="0" cellpadding="0" cellspacing="0"> <td width="150">Username</td> <td width="243"><input type=text name="name" value="" size=32 maxlength=15></td> </tr> <tr> <td>Password</td> <td><input type=password name="pass1" VALUE="" maxlength=15></td> </tr> <tr> <td>Confirm Password</td> <td><input type=password name="pass2" VALUE="" size=32 maxlength=15></td> </tr> <tr> <td>Security Code (4 Diget Number)</td> <td><input type=password name="security" VALUE="" size=32 maxlength=4></td> </tr> <tr> <td>Email Address</td> <td><INPUT TYPE=text NAME="email" VALUE="" SIZE=32 maxlength=100></td> </tr> <tr> <td height="41" colspan="2" valign="middle"><p><p><center> By registering an account here you agree to all of our <A HREF="$baseurl/tos.php">Terms and Conditions</A>. You can also view our <A HREF="$baseurl/privacy.php">Privacy Policy</A>. </center></p></td> </tr> <tr><td align="center">CAPTCHA:<br> (antispam code, 3 black symbols)<br> <table><tr><td><img src="captcha.php" alt="captcha image"></td><td><input type="text" name="captcha" size="3" maxlength="3"></td></tr></table> </td></tr> <td height="27" colspan="2" valign="middle"> <center><input type=submit name=Submit value="Register"></center> </td> </table> </form> <?php if(isset($_POST["captcha"])) if($_SESSION["captcha"]==$_POST["captcha"]) { //CAPTHCA is valid; proceed the message: save to database, send by e-mail ... echo 'CAPTHCA is valid; proceed the message'; } else { echo 'CAPTHCA is not valid; ignore submission'; } ?> <?php END; include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php'); ?> captcha.php <?php session_start(); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); function _generateRandom($length=6) { $_rand_src = array( array(48,57) //digits , array(97,122) //lowercase chars // , array(65,90) //uppercase chars ); srand ((double) microtime() * 1000000); $random_string = ""; for($i=0;$i<$length;$i++){ $i1=rand(0,sizeof($_rand_src)-1); $random_string .= chr(rand($_rand_src[$i1][0],$_rand_src[$i1][1])); } return $random_string; } $im = @imagecreatefromjpeg("http://sketchedneo.com/images/sitedesigns/captcha.jpg"); $rand = _generateRandom(3); $_SESSION['captcha'] = $rand; ImageString($im, 5, 2, 2, $rand[0]." ".$rand[1]." ".$rand[2]." ", ImageColorAllocate ($im, 0, 0, 0)); $rand = _generateRandom(3); ImageString($im, 5, 2, 2, " ".$rand[0]." ".$rand[1]." ".$rand[2], ImageColorAllocate ($im, 255, 0, 0)); Header ('Content-type: image/jpeg'); imagejpeg($im,NULL,100); ImageDestroy($im); ?> Help please anyone? Line 71: if(isset($_POST["captcha"])) Line 72: if($_SESSION["captcha"]==$_POST["captcha"])

  Read the article

• How to pass multiple PHP variables to a jQuery function?

  - by jcpeden

  I'm working on a Wordpress plugin. I need to pass plugin directories (that can change depending on an individual's installation) to a jquery function. What is the best way of doing this? The version of the plugin that I can to work on had included all the javascript in the PHP file so the functions were parsed along with the rest of the content before being rendered in a browser. I'm looking at AJAX but I think it might be more complicated than I need. I can get away with just two variables in this case (directories, nothing set by the user). As I've read its good practice, I'm trying to keep the js and php separate. When the plugin initializes, it call the js file: //Wordpress calls the .js when the plugin loads wp_enqueue_script( 'wp-backitup-funtions', plugin_dir_url( __FILE__ ) . 'js/wp-backitup.js', array( 'jquery' ) ); Then I'm in the .js file and need to figure out how to generate the following variables: dir = '<?php echo content_url() ."/plugins"; ?>'; dir = '<?php echo content_url() ."/themes"; ?>'; dir = '<?php echo content_url() ."/uploads"; ?>'; And run the parse the following requests: xmlhttp.open("POST","<?php echo plugins_url() .'/wp-backitup/includes/wp-backitup-restore.php'); ?>",true); xmlhttp.open("POST","<?php echo plugins_url() .'/wp-backitup/includes/wp-backitup-start.php'); ?>",true); xmlhttp.open("POST","<?php echo plugins_url() .'/wp-backitup/wp-backitup-directory.php'); ?>",true); xmlhttp.open("POST","<?php echo plugins_url() .'/wp-backitup/wp-backitup-db.php'); ?>",true); window.location = "<?php echo plugins_url() .'/wp-backitup/backitup-project.zip'); ?>"; xmlhttp.open("POST","<?php echo plugins_url() .'/wp-backitup/wp-backitup-delete.php'); ?>",true); Content URL and Plugins URL differ only by /plugins/ so if I was hard pressed, I would only really need to make a single PHP request and then bring this into the JS.

  Read the article

• .NET HTML Sanitation for rich HTML Input

  - by Rick Strahl

  Recently I was working on updating a legacy application to MVC 4 that included free form text input. When I set up the new site my initial approach was to not allow any rich HTML input, only simple text formatting that would respect a few simple HTML commands for bold, lists etc. and automatically handles line break processing for new lines and paragraphs. This is typical for what I do with most multi-line text input in my apps and it works very well with very little development effort involved. Then the client sprung another note: Oh by the way we have a bunch of customers (real estate agents) who need to post complete HTML documents. Oh uh! There goes the simple theory. After some discussion and pleading on my part (<snicker>) to try and avoid this type of raw HTML input because of potential XSS issues, the client decided to go ahead and allow raw HTML input anyway. There has been lots of discussions on this subject on StackOverFlow (and here and here) but to after reading through some of the solutions I didn't really find anything that would work even closely for what I needed. Specifically we need to be able to allow just about any HTML markup, with the exception of script code. Remote CSS and Images need to be loaded, links need to work and so. While the 'legit' HTML posted by these agents is basic in nature it does span most of the full gamut of HTML (4). Most of the solutions XSS prevention/sanitizer solutions I found were way to aggressive and rendered the posted output unusable mostly because they tend to strip any externally loaded content. In short I needed a custom solution. I thought the best solution to this would be to use an HTML parser - in this case the Html Agility Pack - and then to run through all the HTML markup provided and remove any of the blacklisted tags and a number of attributes that are prone to JavaScript injection. There's much discussion on whether to use blacklists vs. whitelists in the discussions mentioned above, but I found that whitelists can make sense in simple scenarios where you might allow manual HTML input, but when you need to allow a larger array of HTML functionality a blacklist is probably easier to manage as the vast majority of elements and attributes could be allowed. Also white listing gets a bit more complex with HTML5 and the new proliferation of new HTML tags and most new tags generally don't affect XSS issues directly. Pure whitelisting based on elements and attributes also doesn't capture many edge cases (see some of the XSS cheat sheets listed below) so even with a white list, custom logic is still required to handle many of those edge cases. The Microsoft Web Protection Library (AntiXSS) My first thought was to check out the Microsoft AntiXSS library. Microsoft has an HTML Encoding and Sanitation library in the Microsoft Web Protection Library (formerly AntiXSS Library) on CodePlex, which provides stricter functions for whitelist encoding and sanitation. Initially I thought the Sanitation class and its static members would do the trick for me,but I found that this library is way too restrictive for my needs. Specifically the Sanitation class strips out images and links which rendered the full HTML from our real estate clients completely useless. I didn't spend much time with it, but apparently I'm not alone if feeling this library is not really useful without some way to configure operation. To give you an example of what didn't work for me with the library here's a small and simple HTML fragment that includes script, img and anchor tags. I would expect the script to be stripped and everything else to be left intact. Here's the original HTML:var value = "<b>Here</b> <script>alert('hello')</script> we go. Visit the " + "<a href='http://west-wind.com'>West Wind</a> site. " + "<img src='http://west-wind.com/images/new.gif' /> " ; and the code to sanitize it with the AntiXSS Sanitize class:@Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(value)) This produced a not so useful sanitized string: Here we go. Visit the <a>West Wind</a> site. While it removed the <script> tag (good) it also removed the href from the link and the image tag altogether (bad). In some situations this might be useful, but for most tasks I doubt this is the desired behavior. While links can contain javascript: references and images can 'broadcast' information to a server, without configuration to tell the library what to restrict this becomes useless to me. I couldn't find any way to customize the white list, nor is there code available in this 'open source' library on CodePlex. Using Html Agility Pack for HTML Parsing The WPL library wasn't going to cut it. After doing a bit of research I decided the best approach for a custom solution would be to use an HTML parser and inspect the HTML fragment/document I'm trying to import. I've used the HTML Agility Pack before for a number of apps where I needed an HTML parser without requiring an instance of a full browser like the Internet Explorer Application object which is inadequate in Web apps. In case you haven't checked out the Html Agility Pack before, it's a powerful HTML parser library that you can use from your .NET code. It provides a simple, parsable HTML DOM model to full HTML documents or HTML fragments that let you walk through each of the elements in your document. If you've used the HTML or XML DOM in a browser before you'll feel right at home with the Agility Pack. Blacklist based HTML Parsing to strip XSS Code For my purposes of HTML sanitation, the process involved is to walk the HTML document one element at a time and then check each element and attribute against a blacklist. There's quite a bit of argument of what's better: A whitelist of allowed items or a blacklist of denied items. While whitelists tend to be more secure, they also require a lot more configuration. In the case of HTML5 a whitelist could be very extensive. For what I need, I only want to ensure that no JavaScript is executed, so a blacklist includes the obvious <script> tag plus any tag that allows loading of external content including <iframe>, <object>, <embed> and <link> etc. <form>  is also excluded to avoid posting content to a different location. I also disallow <head> and <meta> tags in particular for my case, since I'm only allowing posting of HTML fragments. There is also some internal logic to exclude some attributes or attributes that include references to JavaScript or CSS expressions. The default tag blacklist reflects my use case, but is customizable and can be added to. Here's my HtmlSanitizer implementation:using System.Collections.Generic; using System.IO; using System.Xml; using HtmlAgilityPack; namespace Westwind.Web.Utilities { public class HtmlSanitizer { public HashSet<string> BlackList = new HashSet<string>() { { "script" }, { "iframe" }, { "form" }, { "object" }, { "embed" }, { "link" }, { "head" }, { "meta" } }; /// <summary> /// Cleans up an HTML string and removes HTML tags in blacklist /// </summary> /// <param name="html"></param> /// <returns></returns> public static string SanitizeHtml(string html, params string[] blackList) { var sanitizer = new HtmlSanitizer(); if (blackList != null && blackList.Length > 0) { sanitizer.BlackList.Clear(); foreach (string item in blackList) sanitizer.BlackList.Add(item); } return sanitizer.Sanitize(html); } /// <summary> /// Cleans up an HTML string by removing elements /// on the blacklist and all elements that start /// with onXXX . /// </summary> /// <param name="html"></param> /// <returns></returns> public string Sanitize(string html) { var doc = new HtmlDocument(); doc.LoadHtml(html); SanitizeHtmlNode(doc.DocumentNode); //return doc.DocumentNode.WriteTo(); string output = null; // Use an XmlTextWriter to create self-closing tags using (StringWriter sw = new StringWriter()) { XmlWriter writer = new XmlTextWriter(sw); doc.DocumentNode.WriteTo(writer); output = sw.ToString(); // strip off XML doc header if (!string.IsNullOrEmpty(output)) { int at = output.IndexOf("?>"); output = output.Substring(at + 2); } writer.Close(); } doc = null; return output; } private void SanitizeHtmlNode(HtmlNode node) { if (node.NodeType == HtmlNodeType.Element) { // check for blacklist items and remove if (BlackList.Contains(node.Name)) { node.Remove(); return; } // remove CSS Expressions and embedded script links if (node.Name == "style") { if (string.IsNullOrEmpty(node.InnerText)) { if (node.InnerHtml.Contains("expression") || node.InnerHtml.Contains("javascript:")) node.ParentNode.RemoveChild(node); } } // remove script attributes if (node.HasAttributes) { for (int i = node.Attributes.Count - 1; i >= 0; i--) { HtmlAttribute currentAttribute = node.Attributes[i]; var attr = currentAttribute.Name.ToLower(); var val = currentAttribute.Value.ToLower(); span style="background: white; color: green">// remove event handlers if (attr.StartsWith("on")) node.Attributes.Remove(currentAttribute); // remove script links else if ( //(attr == "href" || attr== "src" || attr == "dynsrc" || attr == "lowsrc") && val != null && val.Contains("javascript:")) node.Attributes.Remove(currentAttribute); // Remove CSS Expressions else if (attr == "style" && val != null && val.Contains("expression") || val.Contains("javascript:") || val.Contains("vbscript:")) node.Attributes.Remove(currentAttribute); } } } // Look through child nodes recursively if (node.HasChildNodes) { for (int i = node.ChildNodes.Count - 1; i >= 0; i--) { SanitizeHtmlNode(node.ChildNodes[i]); } } } } } Please note: Use this as a starting point only for your own parsing and review the code for your specific use case! If your needs are less lenient than mine were you can you can make this much stricter by not allowing src and href attributes or CSS links if your HTML doesn't allow it. You can also check links for external URLs and disallow those - lots of options.  The code is simple enough to make it easy to extend to fit your use cases more specifically. It's also quite easy to make this code work using a WhiteList approach if you want to go that route. The code above is semi-generic for allowing full featured HTML fragments that only disallow script related content. The Sanitize method walks through each node of the document and then recursively drills into all of its children until the entire document has been traversed. Note that the code here uses an XmlTextWriter to write output - this is done to preserve XHTML style self-closing tags which are otherwise left as non-self-closing tags. The sanitizer code scans for blacklist elements and removes those elements not allowed. Note that the blacklist is configurable either in the instance class as a property or in the static method via the string parameter list. Additionally the code goes through each element's attributes and looks for a host of rules gleaned from some of the XSS cheat sheets listed at the end of the post. Clearly there are a lot more XSS vulnerabilities, but a lot of them apply to ancient browsers (IE6 and versions of Netscape) - many of these glaring holes (like CSS expressions - WTF IE?) have been removed in modern browsers. What a Pain To be honest this is NOT a piece of code that I wanted to write. I think building anything related to XSS is better left to people who have far more knowledge of the topic than I do. Unfortunately, I was unable to find a tool that worked even closely for me, or even provided a working base. For the project I was working on I had no choice and I'm sharing the code here merely as a base line to start with and potentially expand on for specific needs. It's sad that Microsoft Web Protection Library is currently such a train wreck - this is really something that should come from Microsoft as the systems vendor or possibly a third party that provides security tools. Luckily for my application we are dealing with a authenticated and validated users so the user base is fairly well known, and relatively small - this is not a wide open Internet application that's directly public facing. As I mentioned earlier in the post, if I had my way I would simply not allow this type of raw HTML input in the first place, and instead rely on a more controlled HTML input mechanism like MarkDown or even a good HTML Edit control that can provide some limits on what types of input are allowed. Alas in this case I was overridden and we had to go forward and allow *any* raw HTML posted. Sometimes I really feel sad that it's come this far - how many good applications and tools have been thwarted by fear of XSS (or worse) attacks? So many things that could be done *if* we had a more secure browser experience and didn't have to deal with every little script twerp trying to hack into Web pages and obscure browser bugs. So much time wasted building secure apps, so much time wasted by others trying to hack apps… We're a funny species - no other species manages to waste as much time, effort and resources as we humans do :-) Resources Code on GitHub Html Agility Pack XSS Cheat Sheet XSS Prevention Cheat Sheet Microsoft Web Protection Library (AntiXss) StackOverflow Links: http://stackoverflow.com/questions/341872/html-sanitizer-for-net http://blog.stackoverflow.com/2008/06/safe-html-and-xss/ http://code.google.com/p/subsonicforums/source/browse/trunk/SubSonic.Forums.Data/HtmlScrubber.cs?r=61© Rick Strahl, West Wind Technologies, 2005-2012Posted in Security  HTML  ASP.NET  JavaScript   Tweet !function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs"); (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/plusone.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })();

  Read the article

• Visual Studio 2010 Guatemala Community Launch

  - by carlone

    Bien Amig@s, el momento tan esperado ha llegado. Para dar nuevamente empuje a la Comunidad de Desarrolladores de .NET de Guatemala, hemos logrado confirmar el evento apoyados por Microsoft Guatemala. Este será un evento de 3 días en donde tendremos la oportunidad de visualizar todas las nuevas características, mejoras, tecnologías y herramientas disponibles en Visual Studio 2010. Cuando: Las sesiones se llevarán a cabo los días 23,24 y 25 de Junio del 2010 Donde: En las oficinas de Microsoft Guatemala 3a Avenida 13-78 Zona 10 Torre City Bank Off. 1101 Guatemala City Guatemala Costo: $0, si NADA, solo tu entusiasmo, participación y apoyo para el evento.   Temas: Silverlight/WPF 4.0 Development Session              23 de Junio Office Sharepoint Development Session                 24 de Junio ASP.NET and Web Development Session                25 de Junio   Give Aways: Si…., habrán sorpresas para los asistentes, así como también podremos compartir una pizza, alitas de pollo y más ….   Como me Inscribo para participar:   Muy simple, visita la siguiente página http://vs2010gt.eventbrite.com/ y listo.   Riega la Bola!, invita a tu colega, a tu amigo geek, la mara de la U, a los de la Office, es una única oportunidad que no te puedes perder. Esperamos contar con tu participación !!!!!!!!!!!!!!!   Saludos Cordiales, Carlos A. Lone sigueme en Twitter: @carloslonegt

  Read the article

• There are 2 jobs available - which one sounds better all round [closed]

  - by Steve Gates

  I am currently employed at a company where we scrape by each year breaking even, sometimes having a little profit. The development environment is very relaxed and we have a laugh. My colleagues are not interested in improving their knowledge unless they have to, so trying to get them to adopt things like TDD is a non-starter. My development manager is stuck in .Net 2 land and refuses to use things like LINQ. He over complicates architecture and writes very unreadable code, heres an example SortedList<int,<SortedList<int,SortedList<int, MyClass>>>> The MD of the company has no drive and lets the one sales guy bring in the contracts. We are not busy all the time and this allows me time to look at new technology and learn. In terms of using things like TDD, my development manager has no problem with it and can kind of see the purpose of it, he just wont use it himself. This means I am alone in learning new things and am often resorting to StackOverflow to make sure I get things right. The company has a lot of flexibility, I can work from home if needs be and when my daughter was born they let me work from home 1 day a week however they expect this flexibility in return often asking me to travel occasionally on a Friday afternoon for the following week. Sometimes its abroad. We are also pretty much on call 24/5 as we have engineers in various countries. Also we have no testers so most of the testing is done by us developers and some testing by engineers. Either way no-one likes testing! I have been offered a role at a company I worked at 5 years ago. They were quite Victorian in their working practices but it appears to have relaxed now although I suspect still reasonably formal. There is a new team of developers I don't know and they are about to move to new offices. The team lead is a guy that was there when I was and I get the impression he takes his role seriously and likes his formal procedures and documentation. I think some of the Victorian practices may have rubbed off on him. However he did say if things crop up then as long as I can trust the person they can work at home although he prefers people in the office. The team uses SCRUM, TDD and SOLID design principles so they are quite up to date in technology. They are reasonably Microsoft focused. It appears the Technical Director might be the R&D man and research new technology on his own not allowing developers to play with new technology. He possibly might be a super developer and makes all the decisions that no can argue with. They are currently moving to Entity Framework away from NHibernate based on issues that their queries seem to fail sometimes and they feel NHibernate is stagnant. They have analysts and a QA team. The MD is focused and they are an expanding company making profit each year. I'm not sure what the team morale is and whether they have a laugh. When I had a tour around the office they were there in dead silence. I'm really unsure which role is the best for me and going with my gut instinct is useless as I'm not sure what my gut is telling me. Based on the information above which role would you choose and why?

  Read the article

• PHP, javascript, single quote problems with IE when passing variable from ajax post to javascript fu

  - by Mattis

  Hi! I have been trying to get this to work for a while, and I suspect there's an easy solution that I just can't find. My head feels like jelly and I would really appreciate any help. My main page.php makes a .post() to backend.php and fetches a list of cities which it echoes in the form of: <li onclick="script('$data');">$data</li> The list is fetched and put onto the page via .html(). My problem occurs when $data has a single quote in it. backend.php passes the variable just fine to page.php but when i run html() it throws a javascript error (in IE, not FF obviously); ')' is expected IE parses the single quote and messes up the script()-call. I've been trying to rebuild the echoed string in different ways, escaping the 's on the php side and/or on the javascript side - but in vain. Do I have to review the script in total? page.php $.post("backend.php", {q: ""+str+""}, function(data) { if(data.length >0) { $('#results').html(data); } backend.php while ($row = $q->fetch()) { $city = $row['City']; // $city = addslashes($row['City']); // $city = str_replace("'","&#39;",$row['City']); echo "<li onclick=\"script('$city');\">".$city."</li>"; }

  Read the article

• Xdebug configuration with PHP fastcgi and eclipse?

  - by mac

  I have been using eclipse-pdt in conjunction with xdebug and apache without problems, for over one year. Things worked flawlessly and I could do all the interactive debugging I wanted from within eclipse (using my own machine as a server). Now I switched from apache to nginx (and therefore PHP runs now not as an Apache service but as fast-cgi) and I can't find a way to configure eclipse to work nicely with xdebug. I am neither sure if the problem is with xdebug or with eclipse (or both) to be sure. In the eclipse configuration I already changed the reference to the PHP configuration file to /etc/php5/cli/php.ini. Attempts with php.ini version 1 With the following php.ini file zend_extension=/usr/lib/php5/20060613/xdebug.so I see that xdebug is working (for example if I do a var_dump() I get the xdebug version of it, not the plain PHP one) I can't have the interactive debugging from eclipse: the browser opens up and loads the page completely with the typical URL containing ...?XDEBUG_SESSION_START=ECLIPSE_DBGP&KEY=..., but the program execution does not stop at breakpoints In the bottom-right corner of eclipse I see a suspicious message: *"Launching =put_the_name_of_my_project_here=: 57%"* that alternates with the "refreshing workspace" one. Attempts with php.ini version 2 If I use this other version of the file (which is what it worked until I switched to nginx): zend_extension=/usr/lib/php5/20060613/xdebug.so xdebug.remote_enable=On xdebug.remote_autostart=On xdebug.remote_handler=dbgp xdebug.remote_host=localhost xdebug.remote_port=9000 xdebug.remote_mode=req I can't access any page of my sites at all. Any help or suggestion appreciated, thank you in advance for your time! PS: Additional data on my machine: - OS: GNU/Linux - Ubuntu 9.10 64 bit. - PHP: 5.2.10-2ubuntu6.3 with Suhosin-Patch 0.9.7; Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies with Xdebug v2.0.4 - Eclipse: see screenshot.

  Read the article

• In Asp.Net MVC 2 is there a better way to return 401 status codes without getting an auth redirect

  - by Greg Roberts

  I have a portion of my site that has a lightweight xml/json REST API. Most of my site is behind forms auth but only some of my API actions require authentication. I have a custom AuthorizeAttribute for my API that I use to check for certain permissions and when it fails it results in a 401. All is good, except since I'm using forms auth, Asp.net conveniently converts that into a 302 redirect to my login page. I've seen some previous questions that seem a bit hackish to either return a 403 instead or to put some logic in the global.asax protected void Application_EndRequest() that will essentially convert 302 to 401 where it meets whatever criteria. Previous Question Previous Question 2 What I'm doing now is sort of like one of the questions, but instead of checking the Application_EndRequest() for a 302 I make my authorize attribute return 666 which indicates to me that I need to set this to a 401. Here is my code: protected void Application_EndRequest() { if (Context.Response.StatusCode == MyAuthAttribute.AUTHORIZATION_FAILED_STATUS) { //check for 666 - status code of hidden 401 Context.Response.StatusCode = 401; } } Even though this works, my question is there something in Asp.net MVC 2 that would prevent me from having to do this? Or, in general is there a better way? I would think this would come up a lot for anyone doing REST api's or just people that do ajax requests in their controllers. The last thing you want is to do a request and get the content of a login page instead of json.

  Read the article

< Previous Page | 172 173 174 175 176 177 178 179 180 181 182 183  | Next Page >