Search Results

Search found 128 results on 6 pages for 'sanitize'.


  • How to sanitize log messages in Log4j to save them in database

    - by Rafael
    Hello, I'm trying to save log messages to a central database. In order to do this, I configured the following Appender in log4j's XML configuration:

      <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender">
        <param name="URL" value="jdbc:postgresql://localhost/logging_test" />
        <param name="user" value="test_user" />
        <param name="password" value="test_password" />
        <param name="sql" value="INSERT INTO log_messages ( log_level, message, log_date ) VALUES ( '%p', '%m', '%d{yyyy-MM-dd HH:mm:ss}' )" />
      </appender>

    This works fine, except some of the messages contain ', and then the appender fails. Is there an easy way to do this?

  • Sanitize file_get_contents

    - by Luis
    I want to use file_get_contents to implement a proxy so I can do AJAX cross-domain requests. The query string will be used to supply the URL to file_get_contents. Now the problem is people can muck around with the query string in order to read local files on the server. I don't want this. Can someone give me a function to sanitize the query string in order to only accept URLs and not local files, i.e.:

      ?url=http://google.com.au - OK
      ?url=./passwords.txt - Not OK

  • Sanitize input before executing at server in php

    - by Interfaith
    I want to let the user input two variables, Name and Password, in a form. I want to disable any XSS or script insertion in the input values. I have the following code in the form:

      <form name="form1" method="post" action="checkpw.php">
        Your Name:
        <table>
          <tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength="12" type="text" /></td></tr>
        </table>
        Password:
        <table>
          <tr><td><input class="text" name="passwd" maxlength="8" type="password" /></td></tr>
          <tr><td align="center"><br/>
            <input class="text" type="submit" name="submitbt" value="Login" />
          </td></tr>
        </table>
      </form>

    and the following checkpw.php:

      <?php
      // Clean up the input values; the keys must match the form field names
      $post = filter_input_array(INPUT_POST, array(
          'name'   => FILTER_SANITIZE_STRING,
          'passwd' => FILTER_SANITIZE_STRING,
      ));
      if (is_null($post) || in_array(null, $post)) {
          header("location:login.php");
          return; // missing fields (or failed filter)
      }
      // passwd is the password sent from the form; use the filtered values, not raw $_POST
      $pw   = $post['passwd'];
      $name = $post['name'];
      if ($pw == 'testpass') {
          header("location:index.php");
      } else {
          header("location:wrong.php");
      }
      ?>

    Is this a secure way to ensure the form is sent to the server and executed ONLY after the input values have been sanitized? Also, I want to pass the $name value to the index.php file. I inserted the following code in index.php:

      <?php echo $name ?>

    But it's empty. Any idea how to resolve it?

  • Ruby on Rails: How best to escape a string in a model?

    - by williamjones
    I want my application to sanitize HTML on input rather than on display, so that the fields saved into the database are sanitized. I've been doing this with strip_tags, and it was working great. However, this has the downside that it means the user can't input anything that's bracketed with < and >. How can I tell Rails in the model to securely escape tags before saving them to the database? I'd like to not have to call h on the sanitized fields again before using them in the views.

  • jQuery sanitizing comments and linkifying URLs

    - by iWasRobbed
    In terms of jQuery (or JavaScript), what happens behind the scenes when a person posts a comment on Facebook, Twitter, or a blog? For instance, do they sanitize the text first, and then pattern-match URLs into actual links? Are there other items of concern that the client side should check in addition to doing some checks on the backend? I have found a few regexes for turning URLs into links, but I'm not sure if there are better solutions. I'm trying to wrap my head around the problem, but I'm having a difficult time knowing where to start. Any guidance you can provide is greatly appreciated!

  • Reporting sanitized user input to the user via AJAX

    - by JimBo
    I am writing some code to give live feedback to the user on the validation of a form using AJAX. I have got it checking length and whether the field is empty. Now I want it to sanitize the user's input and, if the sanitized input differs from the user's original input, tell them which characters are not allowed. The code I have written so far works, except some characters, most notably a '£' symbol, result in no response. I think it relates to json_encode and its encoding. Here is the code:

      $user_input  = 'asdfsfs£';
      $strip_array = str_split(strip($user_input));
      $orig_array  = str_split($user_input);
      $diff_array  = array_diff($orig_array, $strip_array);
      $diff_str    = implode(', ', $diff_array);
      $final       = json_encode($diff_str);

      function strip($input) {
          return htmlentities(strip_tags($input), ENT_QUOTES);
      }

    Hope someone can figure out a solution.

  • I need to embed vimeo or some other html in my rails app

    - by sethg
    Can someone point me in a direction so that I can use embed code in Rails? Sometimes I need to embed a SlideShowPro file, sometimes a YouTube file and sometimes a Vimeo file in the same area for different entries. It would be easiest to use embed code, but it keeps stripping the embed code. Do I use a sanitize plugin? Can someone point me to a tutorial or give me some help to get me started? Thanks

  • sanitation script in php for login credentials...

    - by Matt
    What I am looking for currently is a simple, basic login credentials sanitation script. I understand that I make a function to do so, and I have one... but all it does right now is strip tags. Am I doomed to use replace? Or is there a way I can just remove all special characters and spaces and limit it to only letters and numbers? Then, for the password, limit it to only letters and numbers, exclamation points, periods, and other special characters that cannot affect my SQL query. Please help :/ Thanks, Matt

  • Sanitizing DB inputs with XSLT

    - by azathoth
    Hello, I've been looking for a method to strip my XML content of apostrophes (') like:

      <name> Jim O'Connor</name>

    since my DBMS is complaining about receiving those. By looking at the example described here, which is supposed to replace ' with '', I constructed the following script:

      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
        <xsl:output omit-xml-declaration="yes" indent="yes" />

        <xsl:template match="node()|@*">
          <xsl:copy>
            <xsl:apply-templates select="node()|@*" />
          </xsl:copy>
        </xsl:template>

        <xsl:template name="sqlApostrophe">
          <xsl:param name="string" />
          <xsl:variable name="apostrophe">'</xsl:variable>
          <xsl:choose>
            <xsl:when test="contains($string,$apostrophe)">
              <xsl:value-of select="concat(substring-before($string,$apostrophe), $apostrophe,$apostrophe)" disable-output-escaping="yes" />
              <xsl:call-template name="sqlApostrophe">
                <xsl:with-param name="string" select="substring-after($string,$apostrophe)" />
              </xsl:call-template>
            </xsl:when>
            <xsl:otherwise>
              <xsl:value-of select="$string" disable-output-escaping="yes" />
            </xsl:otherwise>
          </xsl:choose>
        </xsl:template>

        <xsl:template match="node()|@*">
          <xsl:apply-templates name="sqlApostrophe"/>
        </xsl:template>
      </xsl:stylesheet>

    However, the processor isn't accepting it. What am I missing here? Is there a better way to get rid of the apostrophes? Perhaps another approach for sanitizing DB inputs by using XSLT? Thanks for your help

  • Symfony: Pre filtering submitted values before/after validation

    - by Rob
    Hi all, I've been scouring the net and I have found nothing! I am using Symfony's form framework to build a simple 'Create' form. Validation is fine. However, I'd like to pre-filter my submitted values, so adding ucfirst, strtoupper, and the like. I'm not sure if I'm missing something crucial here, but the way I see it, the only way to do this would be to create my own custom validators and utilize the doClean method, which seems daft since I'd have hundreds of validators, one for each PHP function! Hope you guys can help; I've been crawling through source code, APIs, numerous books and blogs and I haven't found a thing :( Either it's impossible, or it's really easy; I hope it's the latter!

  • Do I need to sanitize the callback parameter from a JSONP call?

    - by christian studer
    I would like to offer a web service via JSONP and was wondering if I need to sanitize the value from the callback parameter. My current server-side script looks like this (more or less; the code is in PHP, but could be anything really):

      header("Content-type: application/javascript");
      echo $_GET['callback'] . '(' . json_encode($data) . ')';

    This is a classic XSS vulnerability. If I need to sanitize it, then how? I was unable to find enough information about what might be allowed callback strings.

  • option page form in my wordpress theme [migrated]

    - by Templategraphy
    Here is my option page code, containing a number of fields like logo and slider. After filling in all the information in the option page form I want two things:
    1. After submitting all the form details, the saved information must be retained there.
    2. Using get_option(), extract each input tag value and show that value on the front end, like the slider image, slider heading and slider description.

    OPTION PAGE CODE:

      <?php
      class MySettingsPage
      {
          private $options;

          public function __construct()
          {
              add_action( 'admin_menu', array( $this, 'bguru_register_options_page' ) );
              add_action( 'admin_init', array( $this, 'bguru_register_settings' ) );
          }

          public function bguru_register_options_page()
          {
              // This page will be under "Settings"
              add_theme_page( 'Business Guru Options', 'Theme Customizer', 'edit_theme_options', 'bguru-options', array( $this, 'bguru_options_page' ) );
          }

          public function bguru_options_page()
          {
              // Set class property
              $this->options = get_option( 'bguru_logo' );
              $this->options = get_option( 'bguru_vimeo' );
              $this->options = get_option( 'bguru_slide_one_image' );
              $this->options = get_option( 'bguru_slide_one_heading' );
              $this->options = get_option( 'bguru_slide_one_text' );
              $this->options = get_option( 'bguru_slogan_heading' );
              $this->options = get_option( 'bguru_slogan_description' );
              ?>
              <div class="wrap">
                  <?php screen_icon(); ?>
                  <h1>Business Guru Options</h1>
                  <form method="post" action="options.php">
                      <table class="form-table">
                      <?php
                          // This prints out all hidden setting fields
                          settings_fields( 'defaultbg' );
                          do_settings_sections( 'defaultbg' );
                          submit_button();
                      ?>
                      </table>
                  </form>
              </div>
              <?php
          }

          /**
           * Register and add settings
           */
          public function bguru_register_settings()
          {
              register_setting( 'defaultbg', 'bguru_logo', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_vimeo', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_slide_one_image', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_slide_one_heading', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_slide_one_text', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_slogan_heading', array( $this, 'sanitize' ) );
              register_setting( 'defaultbg', 'bguru_slogan_description', array( $this, 'sanitize' ) );

              add_settings_section(
                  'setting_section_id',                 // ID
                  '<h2>General</h2>',                   // Title
                  array( $this, 'print_section_info' ), // Callback
                  'defaultbg'                           // Page
              );

              add_settings_field(
                  'bguru_logo',                           // ID
                  '<label for="bguru_logo">Logo</label>', // Title
                  array( $this, 'logo_callback' ),        // Callback
                  'defaultbg',                            // Page
                  'setting_section_id'                    // Section
              );
              // Remaining fields follow the same ID / Title / Callback / Page / Section pattern
              add_settings_field( 'bguru_vimeo', 'Vimeo', array( $this, 'socialv_callback' ), 'defaultbg', 'setting_section_id' );
              add_settings_field( 'bguru_slide_one_image', 'Slide 1 Image', array( $this, 'slider1img_callback' ), 'defaultbg', 'setting_section_id' );
              add_settings_field( 'bguru_slide_one_heading', 'Slide 1 Heading', array( $this, 'slider1head_callback' ), 'defaultbg', 'setting_section_id' );
              add_settings_field( 'bguru_slide_one_text', 'Slide 1 Description', array( $this, 'slider1text_callback' ), 'defaultbg', 'setting_section_id' );
              add_settings_field( 'bguru_slogan_heading', 'Slogan Heading', array( $this, 'slogan_head_callback' ), 'defaultbg', 'setting_section_id' );
              add_settings_field( 'bguru_slogan_description', 'Slogan Container', array( $this, 'slogan_descr_callback' ), 'defaultbg', 'setting_section_id' );
          }

          public function sanitize( $input )
          {
              $new_input = array();
              if ( isset( $input['bguru_logo'] ) )
                  $new_input['bguru_logo'] = sanitize_text_field( $input['bguru_logo'] );
              if ( isset( $input['bguru_vimeo'] ) )
                  $new_input['bguru_vimeo'] = sanitize_text_field( $input['bguru_vimeo'] );
              if ( isset( $input['bguru_slide_one_image'] ) )
                  $new_input['bguru_slide_one_image'] = sanitize_text_field( $input['bguru_slide_one_image'] );
              if ( isset( $input['bguru_slide_one_heading'] ) )
                  $new_input['bguru_slide_one_heading'] = sanitize_text_field( $input['bguru_slide_one_heading'] );
              if ( isset( $input['bguru_slide_one_text'] ) )
                  $new_input['bguru_slide_one_text'] = sanitize_text_field( $input['bguru_slide_one_text'] );
              if ( isset( $input['bguru_slogan_heading'] ) )
                  $new_input['bguru_slogan_heading'] = sanitize_text_field( $input['bguru_slogan_heading'] );
              if ( isset( $input['bguru_slogan_description'] ) )
                  $new_input['bguru_slogan_description'] = sanitize_text_field( $input['bguru_slogan_description'] );
              return $new_input;
          }

          public function print_section_info()
          {
              print 'Enter your settings below:';
          }

          public function logo_callback()
          {
              printf( '<input type="text" id="bguru_logo" size="50" name="bguru_logo" value="%s" />',
                  isset( $this->options['bguru_logo'] ) ? esc_attr( $this->options['bguru_logo'] ) : '' );
          }

          public function socialv_callback()
          {
              printf( '<input type="text" id="bguru_vimeo" size="50" name="bguru_vimeo" value="%s" />',
                  isset( $this->options['bguru_vimeo'] ) ? esc_attr( $this->options['bguru_vimeo'] ) : '' );
          }

          public function slider1img_callback()
          {
              printf( '<input type="text" id="bguru_slide_one_image" size="50" name="bguru_slide_one_image" value="%s" />',
                  isset( $this->options['bguru_slide_one_image'] ) ? esc_attr( $this->options['bguru_slide_one_image'] ) : '' );
          }

          public function slider1head_callback()
          {
              printf( '<input type="text" id="bguru_slide_one_heading" size="50" name="bguru_slide_one_heading" value="%s" />',
                  isset( $this->options['bguru_slide_one_heading'] ) ? esc_attr( $this->options['bguru_slide_one_heading'] ) : '' );
          }

          public function slider1text_callback()
          {
              printf( '<input type="text" id="bguru_slide_one_text" size="50" name="bguru_slide_one_text" value="%s" />',
                  isset( $this->options['bguru_slide_one_text'] ) ? esc_attr( $this->options['bguru_slide_one_text'] ) : '' );
          }

          public function slogan_head_callback()
          {
              printf( '<input type="text" id="bguru_slogan_heading" size="50" name="bguru_slogan_heading" value="%s" />',
                  isset( $this->options['bguru_slogan_heading'] ) ? esc_attr( $this->options['bguru_slogan_heading'] ) : '' );
          }

          public function slogan_descr_callback()
          {
              printf( '<input type="text" id="bguru_slogan_description" size="50" name="bguru_slogan_description" value="%s" />',
                  isset( $this->options['bguru_slogan_description'] ) ? esc_attr( $this->options['bguru_slogan_description'] ) : '' );
          }
      }

      if ( is_admin() )
          $my_settings_page = new MySettingsPage();

    Here is my header.php code, where I display all the information from the option form:

      <?php
      $bguru_logo_image = get_option( 'bguru_logo' );
      if ( ! empty( $bguru_logo_image ) ) {
          echo '<div id="logo"><a href="' . home_url() . '"><img src="' . $bguru_logo_image . '" width="218" alt="logo" /></a></div><!--/ #logo-->';
      } else {
          echo '<div id="logo"><a href="' . home_url() . '"><h1>' . get_bloginfo( 'name' ) . '</h1></a></div><!--/ #logo-->';
      }
      ?>
      <?php
      $bguru_social_vimeo = get_option( 'bguru_vimeo' );
      if ( ! empty( $bguru_social_vimeo ) ) {
          echo '<li class="vimeo"><a target="_blank" href="' . $bguru_social_vimeo . '">Vimeo</a></li>';
      }
      ?>

    The same goes for the slider image, slider heading and slider description. Please suggest some solutions.

  • Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

    - by user102533
    I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXSS.GetSafeHtmlFragment to sanitize the HTML. Should I sanitize before saving to the database or before rendering the untrusted input into the web page? Is there an advantage in including the AntiXSS source code in my project instead of just the DLL? (Maybe I can customize the white list?) Which class file should I look in for the actual implementation of GetSafeHtmlFragment?

  • What actions should I not rely on the packaged functionality of my language for?

    - by David Peterman
    While talking with one of my coworkers, he was talking about the issues the language we used had with encryption/decryption and said that a developer should always salt their own hashes. Another example I can think of is the mysql_real_escape_string in PHP that programmers use to sanitize input data. I've heard many times that a developer should sanitize the data themselves. My question is what things should a developer always do on their own, for whatever reason, and not rely on the standard libraries packaged with a language for it?

  • Sanitizing User Input with Ruby on Rails

    - by phreakre
    I'm writing a very simple CRUD app that takes user stories and stores them into a database so another fellow coder can organize them for a project we're both working on. However, I have come across a problem with sanitizing user input before it is saved into the database. I cannot call the sanitize() function from within the Story model to strip out all of the HTML/scripting. It requires me to do the following:

      def sanitize_inputs
        self.name  = ActionController::Base.helpers.sanitize(self.name)  unless self.name.nil?
        self.story = ActionController::Base.helpers.sanitize(self.story) unless self.story.nil?
      end

    I want to validate that the user input has been sanitized and I am unsure of two things:
    1) When should the user input validation take place? Before the data is saved is pretty obvious, I think; however, should I be processing this stuff in the Controller, before validation, or some other non-obvious area before I validate that the user input has no scripting/HTML tags?
    2) Writing a unit test for this model, how would I verify that the scripting/HTML is removed besides comparing "This is a malicious code example" to the sanitize(example) output?
    Thanks in advance.

  • wmd editor sanitizing

    - by Ke
    Hi, I am trying to find ways to sanitize the input of the WMD editor. Specifically, I am trying to make HTML tags only available in the <code> tags that WMD generates. Is that possible? My problem is that the following code is rendered as HTML, which is vulnerable to potential XSS attacks, e.g. <a onmouseover="alert(1)" href="#">read this!</a>. The above code renders normally both in preview mode and when saved to the DB. I notice that SO doesn't seem to have this problem; the same code is just rendered as text. I notice that SO has shared their code here: http://refactormycode.com/codes/333-sanitize-html. Do I really have to use C# in order to sanitize WMD to do this? Any help appreciated, cheers Ke

  • Javascript how many characters replaced in a regex?

    - by macca1
    I am sanitizing an input field and manually getting and setting the caret position in the process. With some abstraction, here's the basic idea:

      <input type="text" onkeyup="check(this)">

    And JavaScript...

      function check(element) {
          var charPosition = getCaretPosition(element);
          $(element).val( sanitize( $(element).val() ) );
          setCaretPosition(element, charPosition);
      }

      function sanitize(s) {
          return s.replace(/[^a-zA-Z0-9\s]/g, '');
      }

    This is working fine except when a character does actually get sanitized, my caret position is off by one. Basically I'd like a way to see if the sanitize function has actually replaced a character (and at what index) so then I can adjust the charPosition if necessary. Any ideas?

  • .NET HTML Sanitation for rich HTML Input

    - by Rick Strahl
    Recently I was working on updating a legacy application to MVC 4 that included free form text input. When I set up the new site my initial approach was to not allow any rich HTML input, only simple text formatting that would respect a few simple HTML commands for bold, lists etc. and automatically handles line break processing for new lines and paragraphs. This is typical for what I do with most multi-line text input in my apps and it works very well with very little development effort involved. Then the client sprung another note: Oh by the way we have a bunch of customers (real estate agents) who need to post complete HTML documents. Oh uh! There goes the simple theory. After some discussion and pleading on my part (<snicker>) to try and avoid this type of raw HTML input because of potential XSS issues, the client decided to go ahead and allow raw HTML input anyway. There has been lots of discussions on this subject on StackOverFlow (and here and here) but to after reading through some of the solutions I didn't really find anything that would work even closely for what I needed. Specifically we need to be able to allow just about any HTML markup, with the exception of script code. Remote CSS and Images need to be loaded, links need to work and so. While the 'legit' HTML posted by these agents is basic in nature it does span most of the full gamut of HTML (4). Most of the solutions XSS prevention/sanitizer solutions I found were way to aggressive and rendered the posted output unusable mostly because they tend to strip any externally loaded content. In short I needed a custom solution. I thought the best solution to this would be to use an HTML parser - in this case the Html Agility Pack - and then to run through all the HTML markup provided and remove any of the blacklisted tags and a number of attributes that are prone to JavaScript injection. There's much discussion on whether to use blacklists vs. 
whitelists in the discussions mentioned above, but I found that whitelists can make sense in simple scenarios where you might allow manual HTML input, but when you need to allow a larger array of HTML functionality a blacklist is probably easier to manage as the vast majority of elements and attributes could be allowed. Also white listing gets a bit more complex with HTML5 and the new proliferation of new HTML tags and most new tags generally don't affect XSS issues directly. Pure whitelisting based on elements and attributes also doesn't capture many edge cases (see some of the XSS cheat sheets listed below) so even with a white list, custom logic is still required to handle many of those edge cases. The Microsoft Web Protection Library (AntiXSS) My first thought was to check out the Microsoft AntiXSS library. Microsoft has an HTML Encoding and Sanitation library in the Microsoft Web Protection Library (formerly AntiXSS Library) on CodePlex, which provides stricter functions for whitelist encoding and sanitation. Initially I thought the Sanitation class and its static members would do the trick for me,but I found that this library is way too restrictive for my needs. Specifically the Sanitation class strips out images and links which rendered the full HTML from our real estate clients completely useless. I didn't spend much time with it, but apparently I'm not alone if feeling this library is not really useful without some way to configure operation. To give you an example of what didn't work for me with the library here's a small and simple HTML fragment that includes script, img and anchor tags. I would expect the script to be stripped and everything else to be left intact. Here's the original HTML:var value = "<b>Here</b> <script>alert('hello')</script> we go. Visit the " + "<a href='http://west-wind.com'>West Wind</a> site. 
" + "<img src='http://west-wind.com/images/new.gif' /> " ; and the code to sanitize it with the AntiXSS Sanitize class:@Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(value)) This produced a not so useful sanitized string: Here we go. Visit the <a>West Wind</a> site. While it removed the <script> tag (good) it also removed the href from the link and the image tag altogether (bad). In some situations this might be useful, but for most tasks I doubt this is the desired behavior. While links can contain javascript: references and images can 'broadcast' information to a server, without configuration to tell the library what to restrict this becomes useless to me. I couldn't find any way to customize the white list, nor is there code available in this 'open source' library on CodePlex. Using Html Agility Pack for HTML Parsing The WPL library wasn't going to cut it. After doing a bit of research I decided the best approach for a custom solution would be to use an HTML parser and inspect the HTML fragment/document I'm trying to import. I've used the HTML Agility Pack before for a number of apps where I needed an HTML parser without requiring an instance of a full browser like the Internet Explorer Application object which is inadequate in Web apps. In case you haven't checked out the Html Agility Pack before, it's a powerful HTML parser library that you can use from your .NET code. It provides a simple, parsable HTML DOM model to full HTML documents or HTML fragments that let you walk through each of the elements in your document. If you've used the HTML or XML DOM in a browser before you'll feel right at home with the Agility Pack. Blacklist based HTML Parsing to strip XSS Code For my purposes of HTML sanitation, the process involved is to walk the HTML document one element at a time and then check each element and attribute against a blacklist. 
There's quite a bit of argument of what's better: A whitelist of allowed items or a blacklist of denied items. While whitelists tend to be more secure, they also require a lot more configuration. In the case of HTML5 a whitelist could be very extensive. For what I need, I only want to ensure that no JavaScript is executed, so a blacklist includes the obvious <script> tag plus any tag that allows loading of external content including <iframe>, <object>, <embed> and <link> etc. <form>  is also excluded to avoid posting content to a different location. I also disallow <head> and <meta> tags in particular for my case, since I'm only allowing posting of HTML fragments. There is also some internal logic to exclude some attributes or attributes that include references to JavaScript or CSS expressions. The default tag blacklist reflects my use case, but is customizable and can be added to. Here's my HtmlSanitizer implementation:using System.Collections.Generic; using System.IO; using System.Xml; using HtmlAgilityPack; namespace Westwind.Web.Utilities { public class HtmlSanitizer { public HashSet<string> BlackList = new HashSet<string>() { { "script" }, { "iframe" }, { "form" }, { "object" }, { "embed" }, { "link" }, { "head" }, { "meta" } }; /// <summary> /// Cleans up an HTML string and removes HTML tags in blacklist /// </summary> /// <param name="html"></param> /// <returns></returns> public static string SanitizeHtml(string html, params string[] blackList) { var sanitizer = new HtmlSanitizer(); if (blackList != null && blackList.Length > 0) { sanitizer.BlackList.Clear(); foreach (string item in blackList) sanitizer.BlackList.Add(item); } return sanitizer.Sanitize(html); } /// <summary> /// Cleans up an HTML string by removing elements /// on the blacklist and all elements that start /// with onXXX . 
/// </summary> /// <param name="html"></param> /// <returns></returns> public string Sanitize(string html) { var doc = new HtmlDocument(); doc.LoadHtml(html); SanitizeHtmlNode(doc.DocumentNode); //return doc.DocumentNode.WriteTo(); string output = null; // Use an XmlTextWriter to create self-closing tags using (StringWriter sw = new StringWriter()) { XmlWriter writer = new XmlTextWriter(sw); doc.DocumentNode.WriteTo(writer); output = sw.ToString(); // strip off XML doc header if (!string.IsNullOrEmpty(output)) { int at = output.IndexOf("?>"); output = output.Substring(at + 2); } writer.Close(); } doc = null; return output; } private void SanitizeHtmlNode(HtmlNode node) { if (node.NodeType == HtmlNodeType.Element) { // check for blacklist items and remove if (BlackList.Contains(node.Name)) { node.Remove(); return; } // remove CSS Expressions and embedded script links if (node.Name == "style") { if (string.IsNullOrEmpty(node.InnerText)) { if (node.InnerHtml.Contains("expression") || node.InnerHtml.Contains("javascript:")) node.ParentNode.RemoveChild(node); } } // remove script attributes if (node.HasAttributes) { for (int i = node.Attributes.Count - 1; i >= 0; i--) { HtmlAttribute currentAttribute = node.Attributes[i]; var attr = currentAttribute.Name.ToLower(); var val = currentAttribute.Value.ToLower(); span style="background: white; color: green">// remove event handlers if (attr.StartsWith("on")) node.Attributes.Remove(currentAttribute); // remove script links else if ( //(attr == "href" || attr== "src" || attr == "dynsrc" || attr == "lowsrc") && val != null && val.Contains("javascript:")) node.Attributes.Remove(currentAttribute); // Remove CSS Expressions else if (attr == "style" && val != null && val.Contains("expression") || val.Contains("javascript:") || val.Contains("vbscript:")) node.Attributes.Remove(currentAttribute); } } } // Look through child nodes recursively if (node.HasChildNodes) { for (int i = node.ChildNodes.Count - 1; i >= 0; i--) { 
SanitizeHtmlNode(node.ChildNodes[i]); } } } } } Please note: Use this as a starting point only for your own parsing and review the code for your specific use case! If your needs are less lenient than mine were you can you can make this much stricter by not allowing src and href attributes or CSS links if your HTML doesn't allow it. You can also check links for external URLs and disallow those - lots of options.  The code is simple enough to make it easy to extend to fit your use cases more specifically. It's also quite easy to make this code work using a WhiteList approach if you want to go that route. The code above is semi-generic for allowing full featured HTML fragments that only disallow script related content. The Sanitize method walks through each node of the document and then recursively drills into all of its children until the entire document has been traversed. Note that the code here uses an XmlTextWriter to write output - this is done to preserve XHTML style self-closing tags which are otherwise left as non-self-closing tags. The sanitizer code scans for blacklist elements and removes those elements not allowed. Note that the blacklist is configurable either in the instance class as a property or in the static method via the string parameter list. Additionally the code goes through each element's attributes and looks for a host of rules gleaned from some of the XSS cheat sheets listed at the end of the post. Clearly there are a lot more XSS vulnerabilities, but a lot of them apply to ancient browsers (IE6 and versions of Netscape) - many of these glaring holes (like CSS expressions - WTF IE?) have been removed in modern browsers. What a Pain To be honest this is NOT a piece of code that I wanted to write. I think building anything related to XSS is better left to people who have far more knowledge of the topic than I do. Unfortunately, I was unable to find a tool that worked even closely for me, or even provided a working base. 
    For the project I was working on I had no choice and I'm sharing the code here merely as a base line to start with and potentially expand on for specific needs. It's sad that Microsoft Web Protection Library is currently such a train wreck - this is really something that should come from Microsoft as the systems vendor or possibly a third party that provides security tools. Luckily for my application we are dealing with authenticated and validated users so the user base is fairly well known, and relatively small - this is not a wide open Internet application that's directly public facing. As I mentioned earlier in the post, if I had my way I would simply not allow this type of raw HTML input in the first place, and instead rely on a more controlled HTML input mechanism like MarkDown or even a good HTML Edit control that can provide some limits on what types of input are allowed. Alas in this case I was overridden and we had to go forward and allow *any* raw HTML posted. Sometimes I really feel sad that it's come this far - how many good applications and tools have been thwarted by fear of XSS (or worse) attacks? So many things that could be done *if* we had a more secure browser experience and didn't have to deal with every little script twerp trying to hack into Web pages and obscure browser bugs.
    So much time wasted building secure apps, so much time wasted by others trying to hack apps… We're a funny species - no other species manages to waste as much time, effort and resources as we humans do :-)

    Resources
    - Code on GitHub
    - Html Agility Pack
    - XSS Cheat Sheet
    - XSS Prevention Cheat Sheet
    - Microsoft Web Protection Library (AntiXss)
    - StackOverflow Links:
      http://stackoverflow.com/questions/341872/html-sanitizer-for-net
      http://blog.stackoverflow.com/2008/06/safe-html-and-xss/
      http://code.google.com/p/subsonicforums/source/browse/trunk/SubSonic.Forums.Data/HtmlScrubber.cs?r=61

    © Rick Strahl, West Wind Technologies, 2005-2012
    Posted in Security, HTML, ASP.NET, JavaScript

    Read the article
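    The same blacklist approach, written as an added example in Python on the standard library's html.parser (this is not code from the post or from its GitHub project): it drops blacklisted elements together with their content, on* event-handler attributes, any attribute whose value carries a javascript: or vbscript: URL, style attributes and <style> bodies containing a CSS expression(), and HTML comments. The BLACKLIST and VOID element sets and the whitespace-folding check in _fold are assumptions of this example, not taken from the post.

```python
"""Blacklist HTML sanitizer on the standard library's HTMLParser (added example)."""
from html import escape
from html.parser import HTMLParser

# Assumed blacklist, standing in for the post's configurable BlackList property.
BLACKLIST = {"script", "iframe", "frame", "frameset", "object", "embed", "applet",
             "form", "link", "meta", "base", "head"}
# Void elements are emitted self-closing and never wait for an end tag.
VOID = {"br", "hr", "img", "input", "area", "col", "source", "wbr"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")


def _fold(value):
    """Lower-case and drop whitespace/control characters so that split
    spellings such as 'java<TAB>script:' cannot slip past substring checks."""
    return "".join(ch for ch in value.lower() if ch.isprintable() and not ch.isspace())


class _Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=False: entities arrive separately and are re-emitted
        # verbatim instead of being decoded into raw text.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a blacklisted element
        self.in_style = False

    def _attr_ok(self, name, value):
        name = name.lower()
        if name.startswith("on"):                            # event handlers
            return False
        folded = _fold(value or "")
        if any(s in folded for s in DANGEROUS_SCHEMES):     # script URLs anywhere
            return False
        if name == "style" and "expression" in folded:      # IE CSS expressions
            return False
        return True

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.skip_depth or tag in BLACKLIST:
            if tag not in VOID:
                self.skip_depth += 1     # swallow the element and everything inside it
            return
        if tag == "style":
            self.in_style = True
        attr_text = "".join(' %s="%s"' % (n.lower(), escape(v or "", quote=True))
                            for n, v in attrs if self._attr_ok(n, v))
        closer = " /" if tag in VOID else ""
        self.out.append("<%s%s%s>" % (tag, attr_text, closer))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag.lower() not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth -= 1
            return
        if tag in BLACKLIST:             # stray end tag with no matching start
            return
        if tag == "style":
            self.in_style = False
        if tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skip_depth:
            return
        if self.in_style:
            folded = _fold(data)
            if "expression" in folded or any(s in folded for s in DANGEROUS_SCHEMES):
                return                   # drop the offending stylesheet body
        self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append("&#%s;" % name)

    # Comments and declarations are dropped outright; conditional comments were a
    # classic way to smuggle markup past a filter.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass


def sanitize(html):
    """Return the sanitized version of an HTML fragment."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

    Attribute values are re-escaped on output because HTMLParser hands them over decoded, which is also what lets the check catch a javascript: URL written with character references. As with the post's code, this is a blacklist and inherits the blacklist's weakness: anything not listed passes, so review the sets against your own use case.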

  • How Do I Prevent a XSS Cross-Site Scripting Attack When Using jQueryUI Autocomplete

    - by theschmitzer
    I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates. It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display.
    Possibilities:
    1) Autocomplete has an option to sanitize I don't know about
    2) There is an easy way to do this in jQuery I don't know about
    3) There is an easy way to do this in a Rails controller I don't know about (where I can't use the h method)
    4) Disallow < symbol in the model
    Suggestions?

    Read the article

  • Prevent SQL Injection in Dynamic column names

    - by Mr Shoubs
    I can't get away without writing some dynamic sql conditions in a part of my system (using Postgres). My question is how best to avoid SQL Injection with the method I am currently using. EDIT (Reasoning): There are many columns in a number of tables (a number which grows (only) and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and if necessary apply string functions to). The query itself is far too complex for the user to write themselves, nor do they have access to the db. There are 1000's of users with varying requirements and I need to remain as flexible as possible - I shouldn't have to revisit the code unless the main query needs to change - Also, there is no way of knowing what conditions the user will need to use. I have objects (received via web service) that generate a condition (the generation method is below - it isn't perfect yet) for some large sql queries. The _FieldName is user editable (parameter name was, but it didn't need to be) and I am worried it could be an attack vector. I put double quotes (see quoted identifier) around the field name in an attempt to sanitize the string, this way it can never be a key word. I could also look up the field name against a list of fields, but it would be difficult to maintain on a timely basis. Unfortunately the user must enter the condition criteria, I am sure there must be more I can add to the sanitize method? and does quoting the column name make it safe? (my limited testing seems to think so). An example built condition would be "AND upper(brandloaded.make) like 'O%' and upper(brandloaded.make) not like 'OTHERBRAND'" ... Any help or suggestions are appreciated.
    Public Function GetCondition() As String
        Dim sb As New Text.StringBuilder
        'put double quotes around the field name (quoted identifier) in an attempt to prevent some sql injection
        'http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html
        sb.AppendFormat(" {0} ""{1}"" ", _LogicOperator.ToString, _FieldName)
        Select Case _ConditionOperator
            Case ConditionOperatorOptions.Equals
                sb.Append(" = ")
            ...
        End Select
        sb.AppendFormat(" {0} ", Me.UniqueParameterName) 'for parameter
        Return Me.Sanitize(sb)
    End Function

    Private Function Sanitize(ByVal sb As Text.StringBuilder) As String
        'compare against a similar blacklist mentioned here: http://forums.asp.net/t/1254125.aspx
        sb.Replace(";", "")
        sb.Replace("'", "")
        sb.Replace("\", "")
        sb.Replace(Chr(8), "")
        Return sb.ToString
    End Function

    Public ReadOnly Property UniqueParameterName() As String
        Get
            Return String.Concat(":", _UniqueIdentifier)
        End Get
    End Property

    Read the article
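    One way to build such a condition so that the user's column choice never reaches the SQL text unchecked and the comparison value never reaches it at all, added here as an example (it is not the poster's VB code): the column name is checked against an allow-list and then quoted with the SQL-standard rule from the PostgreSQL page the post links to (wrap in double quotes, double any embedded double quote), and the value is passed as a bound parameter. The brandloaded table, its rows, the allow-list and the operator set are constructed for the example; it runs on SQLite because the same identifier quoting applies there.

```python
"""Dynamic column conditions with an allow-list, quoted identifiers and bound values (added example)."""
import sqlite3

# Allow-list of columns the user may pick from, maintained alongside the schema (constructed).
ALLOWED_COLUMNS = {"make", "model", "order"}
# Operators the user may select; the SQL text for each comes from here, never from the request.
OPERATORS = {"eq": "=", "like": "LIKE", "not_like": "NOT LIKE"}
LOGIC = {"AND", "OR"}


def quote_identifier(name):
    """SQL-standard identifier quoting: wrap in "" and double every embedded double quote."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def build_condition(logic, column, operator, value, upper=False):
    """Return (sql_fragment, params) for one user-supplied condition.

    Everything that becomes SQL text is validated against a fixed set first;
    the comparison value only ever travels as a parameter."""
    if logic not in LOGIC:
        raise ValueError("unknown logical operator: %r" % logic)
    if column not in ALLOWED_COLUMNS:          # reject before quoting, not after
        raise ValueError("unknown column: %r" % column)
    if operator not in OPERATORS:
        raise ValueError("unknown operator: %r" % operator)
    ident = quote_identifier(column)
    lhs = "upper(%s)" % ident if upper else ident
    return " %s %s %s ?" % (logic, lhs, OPERATORS[operator]), [value]


def is_rejected(logic, column, operator, value, upper=False):
    """True when build_condition refuses the input (used to show what gets blocked)."""
    try:
        build_condition(logic, column, operator, value, upper)
    except ValueError:
        return True
    return False


def sample_db():
    """Constructed in-memory table standing in for the post's brandloaded table.
    'order' is deliberately a reserved word, which is why quoting matters."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE brandloaded (make TEXT, model TEXT, "order" INTEGER)')
    conn.executemany("INSERT INTO brandloaded VALUES (?, ?, ?)",
                     [("Opel", "Astra", 1), ("Otherbrand", "Zeta", 2), ("Ford", "Focus", 3)])
    return conn


def query_makes(conn, conditions):
    """Run the base query with the user's conditions appended; conditions are
    (logic, column, operator, value, upper) tuples."""
    sql = "SELECT make FROM brandloaded WHERE 1=1"
    params = []
    for cond in conditions:
        fragment, bound = build_condition(*cond)
        sql += fragment
        params.extend(bound)
    return [row[0] for row in conn.execute(sql, params)]
```

    With the value bound, the post's Sanitize step (stripping ; ' and \) has nothing left to protect, because no user-supplied characters are ever part of the statement text. The allow-list is what makes the quoting sufficient: quoting alone only stops a name from being parsed as a keyword or as more than one identifier, it does not stop a user from naming a column they should not see, and on SQLite it also avoids the engine's fallback of reading an unresolved double-quoted name as a string literal.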

  • MVC - Sanitizing data, where?

    - by dierre
    I'm using CakePHP but it's a question about the MVC pattern. I have in my form the input-text for the tags (separated by commas). To add the tags I've created a Tag model method that basically check if the tag exists and then add the new tag or just a new unit in the tag counter (the Tag model has these fields: id, name, slug, count). In the controller I explode the tags field and pass one tag at a time. The question is: where do I sanitize data? In the controller or in the model method? I think it should be in the controller because that's where I explode but in term of reusability I think I should sanitize data in the model. What do you think?

    Read the article

  • How to Global onRouteRequest directly to onBadRequest?

    - by virtualeyes
    EDIT
    Came up with this to sanitize URI date params prior to passing off to Play router:

    val ymdMatcher = "\\d{8}".r // matcher for yyyyMMdd URI param
    val ymdFormat = org.joda.time.format.DateTimeFormat.forPattern("yyyyMMdd")
    def ymd2Date(ymd: String) = ymdFormat.parseDateTime(ymd)

    override def onRouteRequest(r: RequestHeader): Option[Handler] = {
      import play.api.i18n.Messages
      ymdMatcher.findFirstIn(r.uri) map { ymd =>
        try {
          ymd2Date(ymd); super.onRouteRequest(r)
        } catch {
          case e: Exception => // kick to "bad" action handler on invalid date
            Some(controllers.Application.bad(Messages("bad.date.format")))
        }
      } getOrElse (super.onRouteRequest(r))
    }

    ORIGINAL
    Let's say I want to return a BadRequest result type for all /foo URIs:

    override def onBadRequest(r: RequestHeader, error: String) = {
      BadRequest("Bad Request: " + error)
    }

    override def onRouteRequest(r: RequestHeader): Option[Handler] = {
      if (r.uri.startsWith("/foo")) onBadRequest("go away")
      else super.onRouteRequest(r)
    }

    Of course does not work, since the expected return type is Option[play.api.mvc.Handler]. What's the idiomatic way to deal with this, create a default Application controller method to handle filtered bad requests? Ideally, since I know in onRouteRequest that /foo is in fact a BadRequest, I'd like to call onBadRequest directly. Should note that this is a contrived example, am actually verifying a URI yyyyMMdd date param, and BadRequest-ing if it does not parse to a JodaTime instance -- basically a catch-all filter to sanitize a given date param rather than handling on every single controller method call, not to mention, avoiding cluttering up application log with useless stack traces re: invalid date parse conversions (have several MBs of these junk trace entries accruing daily due to users pointlessly manipulating the uri date in attempts to get at paid subscriber content)

    Read the article

< Previous Page | 1 2 3 4 5 6  | Next Page >