Search Results

Search found 236 results on 10 pages for 'xss'.


  • RequestValidation Changes in ASP.NET 4.0

    - by Rick Strahl
    There’s been a change in the way the ValidateRequest attribute on WebForms works in ASP.NET 4.0. I noticed this today while updating a post on my WebLog all of which contain raw HTML and so all pretty much trigger request validation. I recently upgraded this app from ASP.NET 2.0 to 4.0 and it’s now failing to update posts. At first this was difficult to track down because of custom error handling in my app – the custom error handler traps the exception and logs it with only basic error information so the full detail of the error was initially hidden.

    After some more experimentation in development mode the error that occurs is the typical ASP.NET validate request error (‘A potentially dangerous Request.Form value was detected…’) which looks like this in ASP.NET 4.0:

    At first when I got this I was real perplexed as I didn’t read the entire error message and because my page does have:

        <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="NewEntry.aspx.cs"
            Inherits="Westwind.WebLog.NewEntry"
            MasterPageFile="~/App_Templates/Standard/AdminMaster.master"
            ValidateRequest="false" EnableEventValidation="false" EnableViewState="false" %>

    WTF? ValidateRequest would seem like it should be enough, but alas in ASP.NET 4.0 apparently that setting alone is no longer enough. Reading the fine print in the error explains that you need to explicitly set the requestValidationMode for the application back to V2.0 in web.config:

        <httpRuntime executionTimeout="300" requestValidationMode="2.0" />

    Kudos for the ASP.NET team for putting up a nice error message that tells me how to fix this problem, but excuse me why the heck would you change this behavior to require an explicit override to an optional and by default disabled page level switch? You’ve just made a relatively simple fix to a solution a nasty morass of hard to discover configuration settings??? The original way this worked was perfectly discoverable via attributes in the page.
    Now you can set this setting in the page and get completely unexpected behavior and you are required to set what effectively amounts to a backwards compatibility flag in the configuration file.

    It turns out the real reason for the .config flag is that the request validation behavior has moved from WebForms pipeline down into the entire ASP.NET/IIS request pipeline and is now applied against all requests. Here’s what the breaking changes page from Microsoft says about it:

        The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

        In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

        As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

            <httpRuntime requestValidationMode="2.0" />

        However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

    Ok, so ValidateRequest of the form still works as it always has but it’s actually the ASP.NET Event Pipeline, not WebForms that’s throwing the above exception as request validation is applied to every request that hits the pipeline.
    Creating the runtime override removes the HttpRuntime checking and restores the WebForms only behavior. That fixes my immediate problem but still leaves me wondering especially given the vague wording of the above explanation.

    One thing that’s missing in the description above is one important detail: The request validation is applied only to application/x-www-form-urlencoded POST content not to all inbound POST data. When I first read this this freaked me out because it sounds like literally ANY request hitting the pipeline is affected. To make sure this is not really so I created a quick handler:

        using System.Web;

        public class Handler1 : IHttpHandler
        {
            public void ProcessRequest(HttpContext context)
            {
                context.Response.ContentType = "text/plain";
                // Echo the posted form collection back as plain text
                context.Response.Write("Hello World <hr>" + context.Request.Form.ToString());
            }

            public bool IsReusable
            {
                get { return false; }
            }
        }

    and called it with Fiddler by posting some XML to the handler using a default form-urlencoded POST content type: and sure enough – hitting the handler also causes the request validation error and 500 server response.

    Changing the content type to text/xml effectively fixes the problem however, bypassing the request validation filter so Web Services/AJAX handlers and custom modules/handlers that implement custom protocols aren’t affected as long as they work with special input content types. It also looks like multipart encoding does not trigger event validation of the runtime either so this request also works fine:

        POST http://rasnote/weblog/handler1.ashx HTTP/1.1
        Content-Type: multipart/form-data; boundary=------7cf2a327f01ae
        User-Agent: West Wind Internet Protocols 5.53
        Host: rasnote
        Content-Length: 40
        Pragma: no-cache

        <xml>asdasd</xml>--------7cf2a327f01ae

    *That* probably should trigger event validation – since it is a potential HTML form submission, but it doesn’t.

    New Runtime Feature, Global Scope Only?
    Ok, so request validation is now a runtime feature but sadly it’s a feature that’s scoped to the ASP.NET Runtime – effective scope to the entire running application/app domain. You can still manually force validation using Request.ValidateInput() which gives you the option to do this in code, but that realistically will only work with the requestValidationMode set to V2.0 as well since the 4.0 mode auto-fires before code ever gets a chance to intercept the call.

    Given all that, the new setting in ASP.NET 4.0 seems to limit options and makes things more difficult and less flexible. Of course Microsoft gets to say ASP.NET is more secure by default because of it but what good is that if you have to turn off this flag the very first time you need to allow one single request that bypasses request validation??? This is really shortsighted design… <sigh>

    © Rick Strahl, West Wind Technologies, 2005-2010. Posted in ASP.NET


  • Secure Your Wireless Router: 8 Things You Can Do Right Now

    - by Chris Hoffman
    A security researcher recently discovered a backdoor in many D-Link routers, allowing anyone to access the router without knowing the username or password. This isn’t the first router security issue and won’t be the last. To protect yourself, you should ensure that your router is configured securely. This is about more than just enabling Wi-Fi encryption and not hosting an open Wi-Fi network.

    Disable Remote Access

    Routers offer a web interface, allowing you to configure them through a browser. The router runs a web server and makes this web page available when you’re on the router’s local network. However, most routers offer a “remote access” feature that allows you to access this web interface from anywhere in the world. Even if you set a username and password, if you have a D-Link router affected by this vulnerability, anyone would be able to log in without any credentials. If you have remote access disabled, you’d be safe from people remotely accessing your router and tampering with it.

    To do this, open your router’s web interface and look for the “Remote Access,” “Remote Administration,” or “Remote Management” feature. Ensure it’s disabled — it should be disabled by default on most routers, but it’s good to check.

    Update the Firmware

    Like our operating systems, web browsers, and every other piece of software we use, router software isn’t perfect. The router’s firmware — essentially the software running on the router — may have security flaws. Router manufacturers may release firmware updates that fix such security holes, although they quickly discontinue support for most routers and move on to the next models.

    Unfortunately, most routers don’t have an auto-update feature like Windows and our web browsers do — you have to check your router manufacturer’s website for a firmware update and install it manually via the router’s web interface. Check to be sure your router has the latest available firmware installed.
    Change Default Login Credentials

    Many routers have default login credentials that are fairly obvious, such as the password “admin”. If someone gained access to your router’s web interface through some sort of vulnerability or just by logging onto your Wi-Fi network, it would be easy to log in and tamper with the router’s settings.

    To avoid this, change the router’s password to a non-default password that an attacker couldn’t easily guess. Some routers even allow you to change the username you use to log into your router.

    Lock Down Wi-Fi Access

    If someone gains access to your Wi-Fi network, they could attempt to tamper with your router — or just do other bad things like snoop on your local file shares or use your connection to download copyrighted content and get you in trouble. Running an open Wi-Fi network can be dangerous.

    To prevent this, ensure your router’s Wi-Fi is secure. This is pretty simple: Set it to use WPA2 encryption and use a reasonably secure passphrase. Don’t use the weaker WEP encryption or set an obvious passphrase like “password”.

    Disable UPnP

    A variety of UPnP flaws have been found in consumer routers. Tens of millions of consumer routers respond to UPnP requests from the Internet, allowing attackers on the Internet to remotely configure your router. Flash applets in your browser could use UPnP to open ports, making your computer more vulnerable. UPnP is fairly insecure for a variety of reasons.

    To avoid UPnP-based problems, disable UPnP on your router via its web interface. If you use software that needs ports forwarded — such as a BitTorrent client, game server, or communications program — you’ll have to forward ports on your router without relying on UPnP.

    Log Out of the Router’s Web Interface When You’re Done Configuring It

    Cross site scripting (XSS) flaws have been found in some routers. A router with such an XSS flaw could be controlled by a malicious web page, allowing the web page to configure settings while you’re logged in.
    If your router is using its default username and password, it would be easy for the malicious web page to gain access.

    Even if you changed your router’s password, it would be theoretically possible for a website to use your logged-in session to access your router and modify its settings. To prevent this, just log out of your router when you’re done configuring it — if you can’t do that, you may want to clear your browser cookies. This isn’t something to be too paranoid about, but logging out of your router when you’re done using it is a quick and easy thing to do.

    Change the Router’s Local IP Address

    If you’re really paranoid, you may be able to change your router’s local IP address. For example, if its default address is 192.168.0.1, you could change it to 192.168.0.150. If the router itself were vulnerable and some sort of malicious script in your web browser attempted to exploit a cross site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them, the attack would fail.

    This step isn’t completely necessary, especially since it wouldn’t protect against local attackers — if someone were on your network or software was running on your PC, they’d be able to determine your router’s IP address and connect to it.

    Install Third-Party Firmwares

    If you’re really worried about security, you could also install a third-party firmware such as DD-WRT or OpenWRT. You won’t find obscure back doors added by the router’s manufacturer in these alternative firmwares.

    Consumer routers are shaping up to be a perfect storm of security problems — they’re not automatically updated with new security patches, they’re connected directly to the Internet, manufacturers quickly stop supporting them, and many consumer routers seem to be full of bad code that leads to UPnP exploits and easy-to-exploit backdoors. It’s smart to take some basic precautions.

    Image Credit: Nuscreen on Flickr


  • Ironport X-Junk header.

    - by Kyle
    My school uses Ironport for filtering/monitoring web traffic. I have a bit of curiosity as to why it tacks on an x-junk: header onto everything. After going through a few curl tests, I've found no real connection between what is shown on the page and the x-junk: header. Here's my curl request: any ideas?

        Anchorage:~ khotchkiss$ curl -I google.com
        HTTP/1.1 301 Moved Permanently
        Location: http://www.google.com/
        Content-Type: text/html; charset=UTF-8
        Date: Sun, 06 Feb 2011 04:37:25 GMT
        Expires: Tue, 08 Mar 2011 04:37:25 GMT
        Cache-Control: public, max-age=2592000
        Server: gws
        X-XSS-Protection: 1; mode=block
        Content-Length: 219
        Age: 108
        Via: 1.1 MC-IRONPORT.UNIVERSITY.LIBERTY.EDU:80 (IronPort-WSA/6.3.3-015)
        Connection: keep-alive
        X-Junk: xxxxxxxxxxxxxxxxxxxxxxx


  • What are some good, free tools to run automated security audits for PHP code?

    - by James Simpson
    I've been looking for some time now and have come up short. The most promising I found was Spike PHP, which seems to no longer work. I'm looking to scan my code for potential risks of SQL Injection, XSS, etc. I've gone through most of my code manually, but with a few hundred thousand lines of code, I'm sure I missed things. If possible, are there any tools that can be downloaded and analyze code on my local machine rather than installing to the live server (this isn't a requirement if not)?


  • Security question pertaining web application deployment

    - by orokusaki
    I am about to deploy a web application (in a couple months) with the following set-up (perhaps anyways):

    Ubuntu Lucid Lynx with:

      - IP Tables firewall (white-list style with only 3 ports open)
      - Custom SSH port (like 31847 or something)
      - No "root" SSH access
      - Long, random username (not just "admin" or something) with a long password (65 chars)
      - PostgreSQL which only listens to localhost
      - 256 bit SSL Cert
      - Reverse proxy from NGINX to my application server (UWSGI)
      - Assume that my colo is secure (Physical access isn't my concern for the time being)
      - Application-level security (SQL injection, XSS, Directory Traversal, CSRF, etc)
      - Perhaps IP masquerading (but I don't really understand this yet)

    Does this sound like a secure setup? I hear about people's web apps getting hacked all the time, and part of me thinks, "maybe they're just neglecting something", but the other part of me thinks, "maybe there's nothing you can do to protect your server, and those things are just measures to make it a little harder for script kiddies to get in". If I told you all of this, gave you my IP address, and told you what ports were available, would it be possible for you to get in (assuming you have a penetration testing tool), or is this really protected well?


  • Web Application Vulnerability Scanner suggestions?

    - by Chris_K
    I'm looking for a new tool for the ol' admin toolkit and would value some suggestions. I would like to do some "automated" testing of a handful of websites for XSS (cross site scripting) vulns, along with checking for SQL injection opportunities. I realize that an automated tool approach isn't necessarily the only or best solution, but I'm hoping it would give me a nice start. The sites I need to scan cover the range in stacks from PHP / MySQL to Coldfusion, with some classic ASP and ASP.NET mixed in for good measure. What tools would you use to scan for Web application vulns? (Please note I'm focusing on the web apps directly, not the servers themselves).


  • Java on 256MB system?

    - by Mike S.
    For a school project, I've registered a free VPS on a hosting provider (pipni.cz). It has 256MB RAM:

        Mem: 262144k total, 148104k used, 114040k free, 0k buffers

    It's running on Debian Squeeze. I always get this error when I run a Java program:

        Error occurred during initialization of VM
        Could not reserve enough space for object heap
        Could not create the Java virtual machine.

    I tried to use Xms, Xmx, Xss with low values and still same result. ulimit -v gives me "unlimited". My application will be pretty simple and I need to use rmiregistry also. Can somebody help?


  • HTML Markup in an APEX Tree - very easy with a plugin!

    - by carstenczarski
    Every APEX developer surely knows the APEX Tree region. And there is often a need to influence the appearance of the APEX Tree using HTML markup. Unfortunately, since APEX 4.0 it is no longer possible to include your own HTML markup in an APEX Tree - for security reasons (protection against cross-site scripting) all HTML special characters are escaped. If there is no XSS risk (the content displayed by the tree is not based on user input and is determined entirely by the developer), this can be achieved with a few lines of JavaScript and jQuery code. To make it even easier, we have encapsulated the functionality for you in an APEX plugin. And this is how it works:

      - Download the APEX plugin "HTML Markup for APEX Tree Region": http://apex-plugin.com/oracle-apex-plugins/dynamic-action-plugin/html-markup-for-apex-tree_174.html
      - Import the APEX plugin into the application
      - Create an APEX Tree region and use your own substitutes for HTML special characters, e.g. "[" for "<", "]" for ">" and "§" for "&".
      - Create a new dynamic action that runs when the page loads and uses the plugin to replace the substitutes in the tree with the "real" HTML special characters.

    Done. You can see how the plugin works on a demo page.


  • DevDays ‘00 The Netherlands day #2

    - by erwin21
    Day 2 of DevDays 2010 and again 5 interesting sessions at the World Forum in The Hague. The first session of today in the big World Forum theater was from Scott Hanselman; he gave a lap around .NET 4.0. In his way of presenting he talked about all kinds of new features of .NET 4.0 like MEF, threading, parallel processing, changes and additions to the CLR and DLR, WPF and all new language features of .NET 4.0.

    After a small break it was time for session 2 from Scott Allen about Tips, Tricks and Optimizations of LINQ. He talked about lazy and deferred executions, the difference between IQueryable and IEnumerable and the two flavors of LINQ syntax.

    The lunch was again very well prepared and delicious, but after that it was time for session 3, Web Vulnerabilities and Exploits from Alex Thissen. This was no normal session but more like a workshop; we decided what kind of subjects we discussed. The subjects were OWASP, XSS and other injections, validation, encoding. He gave some handy tips and tricks on how to prevent such attacks.

    Session 4 was about the new features of C# 4.0 from Alex van Beek. He talked about Optional and Named Parameters, Generic Co- and Contra Variance, Dynamic keyword and COM Interop features. He showed how to use them but also when not to use them.

    The last session of today and also the last session of DevDays 2010 was about WCF Best Practices from Gerben van Loon. He talked about 7 best practices that you must know when you are going to use WCF. With some quick demos he showed the problem and the solution for some common issues.

    It was two interesting days and next year I sure will be attending again.


  • does my js replace view?

    - by Milla Well
    I am writing a web application which is based on Codeigniter and jQuery. I primarily use ajax to call my controller functions and it turned out that there are just 4 view*.php files, because most of my controller functions return JSON data, which is processed in my jQuery. So my actual code is divided in kind of MVCC model:

      - Codeigniter model (db, computations)
      - Codeigniter controller (filtering, xss-cleaning, checking permissions, call model functions)
      - jQuery controller (callback functions)
      - jQuery view (adding/removing classes, appending elements,... )

    So I violate the paradigm of not using the echo function in my Codeigniter controller and simply call

        echo json_encode($result);

    because it doesn't make any sense to me to create a view*.php file for one loc. Especially because all the regular view*.php stuff is covered in my jQuery view. I was wondering if I am missing something out, or if there is a way to integrate this jQuery-controller in my Codeigniter. I found some words on this topic, but this seems pretty handmade. Are there some neat solutions? Does a MVCC model make sense?


  • ASP.NET MVC Application In Action - I (DailyJournal)

    - by Rajesh Pillai
    It's been long due I was planning to write an article on creating some useful ASP.NET MVC application. I have code named it "DailyJournal". It's a simple application which allows creation of multiple activities and assign tasks to these activities. It's kind of "Yet another Task/Todo application". The credentials which you can use with the attached demo application are shown below.

        User Name : admin
        Password : admin123

    Framework/Libraries Used

      - ASP.NET MVC
      - jQuery + jQuery UI (for ajax and UI)
      - ELMAH for Error logging

    Warning Ahead

    This is just a rough draft and so I am putting down some of the known limitations. Some points of warning before we move further with this application. This is just an early prototype. As such many of the design principles have been ignored. But, I try to cover that up in the next update once I get my head around this.

    The application in its current state supports the following features

      - Create users
      - Assign Activities to users
      - Assign tasks to activities
      - Assign a status to a task

    The user creation/authentication is being done by the default Membership provider. Most of the activities are highly visual i.e. you can drag-drop task to different areas, in-place edition of task details and so on.

    The following are the current issues with the design which I promise to refactor in the second version.

      - No Validations
      - Fat Controller
      - XSS/CSS vulnerable
      - No Service model/abstraction yet.
      - For the demo LINQ to SQL is implemented.
      - No separation of layers
      - UI Design et al...

    This is just an extract. For source code and more information proceed to http://www.codeproject.com/KB/aspnet/mvcinaction.aspx

    Hope you like this!


  • Restful Java based web services in json + html5 and javascript no templates (jsp/jsf/freemarker) aka fat/thick client

    - by Ismail Marmoush
    I have this idea of building a website which services JSON data through a restful services framework. And will not use any template engines like jsp/jsf/freemarker. Just pure html5 and Javascript libs. What do you think of the pros and cons of such a design? Just for elaboration and brain storming a friend of mine argued with the following concerns:

      - sounds like gwt
      - this way you won't have any control over your service api, for example say you wanna charge the user per request, how will you handle it?
      - how will you control your design and themes?
      - what about the 1st request the browser makes? not easy
      - with this all of the user's requests will come with "Accept" header "application/json", how will you separate browser from abuser?
      - this way all of your public apis will be used by third party apps abusively and you won't be able to lock it since you won't be able to block the normal user browser
      - We won't use compiled html anyway but may be something like freemarker and in that case you won't expose any of your json resources to the unauthorized user but you will expose all the html since any browser can access them
      - all the well known 1st class services do this
      - can you send me links to what you've read?
      - keep in mind the DOM based XSS
      - it will be a nightmare ofc, if what you say is applicable.


  • Massive 404 attack with non existent URLs. How to prevent this?

    - by tattvamasi
    The problem is a whole load of 404 errors, as reported by Google Webmaster Tools, with pages and queries that have never been there. One of them is viewtopic.php, and I've also noticed a scary number of attempts to check if the site is a WordPress site (wp_admin) and for the cPanel login. I block TRACE already, and the server is equipped with some defense against scanning/hacking. However, this doesn't seem to stop. The referrer is, according to Google Webmaster, totally.me.

    I have looked for a solution to stop this, because it isn't certainly good for the poor real actual users, let alone the SEO concerns. I am using the Perishable Press mini black list (found here), a standard referrer blocker (for porn, herbal, casino sites), and even some software to protect the site (XSS blocking, SQL injection, etc). The server is using other measures as well, so one would assume that the site is safe (hopefully), but it isn't ending.

    Does anybody else have the same problem, or am I the only one seeing this? Is it what I think, i.e., some sort of attack? Is there a way to fix it, or better, prevent this useless resource waste?

    EDIT

    I've never used the question to thank for the answers, and hope this can be done. Thank you all for your insightful replies, which helped me to find my way out of this. I have followed everyone's suggestions and implemented the following:

      - a honeypot
      - a script that listens to suspect urls in the 404 page and sends me an email with user agent/ip, while returning a standard 404 header
      - a script that rewards legitimate users, in the same 404 custom page, in case they end up clicking on one of those urls.

    In less than 24 hours I have been able to isolate some suspect IPs, all listed in Spamhaus. All the IPs logged so far belong to spam VPS hosting companies. Thank you all again, I would have accepted all answers if I could.


  • Should this be written in C or php?

    - by user1867842
    This is my code; it speaks for itself on what I'm trying to do.

        <?php
        define("html", "<html>");
        define("htmlEnd", "</html>");
        // etc... etc...
        ?>

    What I'm trying to do is make a wrapper for html's tags so they won't be needed anymore. But I can't get any of the attributes for html elements to be defined in PHP. This again speaks for itself; I don't know any other way of saying this. I guess how would I make another mark-up language like HTML without any tags but still keep everything about HTML is what I'm trying to say.

    My idea is for preventing XSS. For example, creating a special framework for the website itself that way there is no way any malicious attacker can guess because they know the HTML or PHP. I just don't want to make my website or something, and then my website gets hacked. Or if I make a website for someone and the website gets hacked. I am going to look like an unprofessional web developer. And what if I never get a job again.


  • Good quality Secure Software Development Training [closed]

    - by Patrick
    Just had my annual appraisal and found out my company is willing to pay for training and exams etc! Woohoo (they kept that one quiet). I'm interested in doing a course on secure development techniques. Has anyone got any suggestions for good quality distance learning courses in secure development (I could probably get a couple of days off to attend a conference/ course if required)? We're mostly an MS .Net house but I have no particular allegiance to MS or any other programming language (though, obviously, C++ is the best language in the world). I have 12 years development experience working in (what are now) PCI:DSS environments, including designing and developing a key management system and I have some knowledge of basic attacks (XSS, injection etc). I would prefer a hard course I struggle with to a basic course I learn 3 things from (but hopefully get something right at my level). A quick google found these two courses which look good:

      - http://www.sans.org/course/secure-coding-net-developing-defensible-applications
      - https://www.isc2.org/csslpedu/default.aspx

    I don't really know how to choose between them, and finding other courses isn't going to make that job any easier, so I thought I'd ask those who know.

    EDIT : Hmm, care to share the reason for your down vote, will help me learn how to use the site better...


  • CodePlex Daily Summary for Friday, April 02, 2010

    New Projects

      - AE.Remoting: An alternative means of remoting for .NET to allow for intuitive usage and easy implementation into existing code.
      - animated-smoke-modeling: This is an implementation or a demo of our method to model animated smokes.
      - ASP.NET Google Maps: Extensible and easy to use, this is ASP.NET Google Maps Control. Drag & Drop and is ready to go. You can configure map style, add a PushPin using t...
      - CartPatches able to see: CartPatches able to see you
      - Codemix Cms: Codemix Cms
      - Do the right thing - The Simple TodoManager: A simple Todo Manager which lets you focus on your daily most important tasks/todos. So do the right thing.....at your home, in your office, in you...
      - Fast Console: Fast Console is a simple xml programming language. This may be a really good starting language as there are printing, variables and as soon as poss...
      - Graphing Calculator in Silverlight: This was initially an effort to port a WPF graphing calculator written by Bob Brown (Microsoft) into Silverlight but soon after it became necessary...
      - InformationVSTS: This application allows you to have all informations on VSTS installed. It also lets you know the server of BUILD and project.
      - La Ranisima: La Ranisima is an open source "Space Invaders" alike game totally written in DHTML (JavaScript, CSS and HTML) that uses keyboard. This cross-platfo...
      - La villa del seis: La villa del seis is a multiplatform point-and-click graphical adventure. Also, you can play it like a text adventure (interactive fiction) on a te...
      - LParse: LParse is a monadic parser combinator library, similar to Haskell’s Parsec. It allows you create parsers on C# language. All parsers are first-clas...
      - Manage Recents File/Project VS2005/2008: Clear Recents Files and Projects, and Clear Broken Links of Recents Files and Projects for VS2005 and VS2008. Developed in Visual Studio 2008 SP...
      - Mavention: Mavention makes SharePoint work for you.
      - MixMail: MixMail
      - MixScrum: mixScrum
      - MixTemplate: MixTemplate.
      - NepomucenoBR Regex Learning Tool: This is a simple program designed to help people to study regular expressions.
      - Pruebas: Pruebas is an open source game mix of text adventure and RPG written in Microsoft QBasic (under MS-DOS 6.22) that uses keyboard. Runs natively unde...
      - Python Design by Contract: Simple to use invariants, pre- and postconditions which use some of the new metaprogramming features in Python 3.
      - Rubik Cube's 3D Silverlight 3.0 Animated Solution: Rubik Cube's Silverlight 3.0 Animated Solution is a 3D presentation of Rubik Cube in range of up to 7x7x7 size with full functionality and an anima...
      - Seminarka: Seminarka - ko treba znat šta je zna!
      - SENAC 2010 - Projeto Integrador 2 (Material de Apoio): Material used to support the students of the Projeto Integrador 2 course. The topic is web systems using ASP.NET, with C# and a data...
      - SENAC CG2010: Contains code presented in class for the CG course, 5th BSI evening class
      - Sistema de facturación: Invoicing system developed in C# for the Programming 3 class.
      - SmartFront - WPF and Silverlight Toolkit: SmartFront is a framework piece which allow to quickly building Smart Client application in WPF and in Silverlight. This framework uses existing s...
      - Solar 1: This is the ASP.NET MVC engine based on Oxite and used for 32planets.net.
      - TemporalSQL: SQL Patterns - tables, queries, and functions - to design a temporal database.
      - TFunkOrderSystem: The Funkalistic Blueprint and Items order management system
      - Tribe.Cache: Tribe.Cache is a simple dictionary cache (persistent dictionary) written in C# which is easy to implement and use.
      - tstProject: Testing Project
      - UDC indexes parser: UDC (Universal Decimal Classification) indexes parser
      - WebAssert: A test assertion library to assist in writing automated tests against websites. Allows for assertion of HTML validity, etc. Initially has support f...
      - Words Via Subtitle: Words Via Subtitle makes it easier for English Learners to learn new words that appears in TV shows or movies. You'll no longer have to look up the...
      - x5s - a cross site scripting (XSS) testing tool: x5s aims to be a specialized testing tool which assists penetration testers in finding cross-site scripting hot-spots. By auto-injecting token valu...
      - XNA Shooter Engine: The XNA Shooter Engine is a game engine for XNA designed specifically with first-person-shooter-style games in mind. It's being developed for an as...
      - 我的开发集: for my study .net csharp

    New Releases

      - AppFabric Caching Admin Tool: AppFabric Caching Admin Tool 1.1: System Requirements:.NET 4.0 RC AppFabric Caching Beta2 Test On:Win 7 (64x) Note: Must run as Administrator !!!
      - ASP.NET Google Maps: ASP.NET Google Maps 0.1b: Project Description Extensible and easy to use, this is ASP.NET Bing Maps Control. Drag & Drop and is ready to go. You can configure map style, add...
      - AutoFixture: Version 1.0.9 (RC1): This is Release Candidate 1 of AutoFixture 1.1. This release contains no known bugs. Compared to AutoFixture 1.0, it fixes some bugs that were dis...
      - Camlex.NET: Camlex.NET 2.0: Camlex.NET 2.0 release New features Search by field id Support for native System.Guid type for values Search by lookup id and lookup value D...
      - CloudCache - Distributed Cache Tier with Azure: v1.0.0.1: New Release on April 1st 2010 No this is not April fools a new release has made it's way out. Below are the changes: Removed dependency on Azure S...
      - DigitallyCreated Utilities: DigitallyCreated Utilities v1.0.1: This release is the v1.0.1 version of DigitallyCreated Utilities. This update is highly recommended for all users of v1.0.0 as it fixes a critical ...
      - Fast Console: Fast Console Alpha: Fast Console is an easy to use and learn programming language. Code example is found in the file TestFile.xml When you've written your code just sa...
      - Free Silverlight & WPF Chart Control - Visifire: Visifire SL and WPF Charts 3.0.6 beta Released: Hi, This release contains following enhancements. * Zooming feature has been enhanced with the new functionality of ZoomRectangle. Now, users...
      - Graphing Calculator in Silverlight: 1.0.1: Graphing Calculator for Silverlight is written entirely in C# and is based on the Silverlight 3 release. I will soon release the full documentation...
      - Home Access Plus+: v3.2.0.1: v3.2.0.1 Release Change Log: Fixed: Issue with & ampersand File Changes: ~/bin/CHS Extranet.dll ~/bin/CHS Extranet.pdb ~/Scripts/viewmode.js
      - Icarus Scene Engine: Icarus Professional 2 Alpha 2 v 1.10.329.913: Alpha release 2 of Icarus Professional. This release includes: IcarusX: The ActiveX-based browser control for rendering IPX projects online. Icaru...
      - Line Counter: 1.5.2: The Line Counter is a tool to calculate lines of your code files. The tool was written in .NET 2.0. Line Counter 1.5.2 Added General Code Counter ...
      - ManagedCv: ManagedCv v0.0.0.1: Win32
      - Mavention: Mavention Simple Menu: SharePoint 2010 ships with a menu control that allows you to render a site menu using semantic markup. Using the Mavention Simple Menu you can do t...
      - MDownloader: MDownloader-0.15.10.57200: Fixed uploading.com links detection; Fixed downloading from uploading.com; Fixed downloading from load.to; Fixed detecting incompatible sources;
      - MixMail: V1: MixMail
      - MixTemplate: v1: release
      - MvcPager: MvcPager 1.3 for ASP.NET MVC 1.0: MvcPager 1.3 for ASP.NET MVC 1.0 compiled assembly files and demo projects
      - MvcPager: MvcPager 1.3 for ASP.NET MVC 2.0: MvcPager 1.3 for ASP.NET MVC 2.0 compiled assembly and demo projects
      - MvcUnity - ASP.NET MVC Dependency Injection: 2.1 Source Code: Drop 2.1 Source Code
      - NepomucenoBR Regex Learning Tool: NepomucenoBR Regex Learning Tool v0.1 alpha: This is the first version of this application.
If you find any bug, please contact me at http://www.nepomucenobr.com.brNepomucenoBR Regex Learning Tool: NepomucenoBR Regex Learning Tool v0.1 source-code: This is the first version of this application. If you find any bug, please contact me at http://www.nepomucenobr.com.brocculo: occulo 0.2 binaries: Release build binaries instead of debug, should now work for other users. Fixed bit rotation and output filename bugs.occulo: occulo 0.2 source: Second source release. See binary release for changes.Python Design by Contract: v0.1: This is the inital release. I think it is working fine.SharePoint Labs: SPLab5002A-FRA-Level200: SPLab5002A-FRA-Level200 This SharePoint Lab will teach you how to modify CAML schema to have IntelliSense on Feature's GUID. Lab Language : French ...SharePoint Labs: SPLab5003A-FRA-Level100: SPLab5003A-FRA-Level100 This SharePoint Lab will teach you how to manually create a Feature, how to brand a Feature and how to incorporate ressourc...SharePoint Labs: SPLab5004A-FRA-Level100: SPLab5004A-FRA-Level100 This SharePoint Lab will teach you how to create a Feature within Visual Studio, how to brand it, how to incorporate ressou...SharePoint Labs: SPLab5005A-FRA-Level100: SPLab5005A-FRA-Level100 This SharePoint Lab will teach you how to create a Feature within Visual Studio, how to brand it, how to incorporate ressou...SSIS ReportGeneratorTask: Version 1.53: Some bugfixes to version 1.52 beta Server Report properties can be displayed. Snapshots can be created. Screenshots of the planned version 1.53 ca...TemporalSQL: April 2010: Initial set of prototypes demonstrating temporal patterns, queries, and functions in SQL ServerTortoiseHg: TortoiseHg 1.0.1: TortoiseHg 1.0.1 is a bug fix release. We recommend all users upgrade to this release. 
http://bitbucket.org/tortoisehg/stable/wiki/ReleaseNotes#t...Tribe.Cache: Tribe.Cache Alpha: Functional Alpha Release - Do not use in productionTS3QueryLib.Net: TS3QueryLib.Net Version 0.21.15.0: Changelog Added class "ServerListItemBase" which is used in the new method "GetServerListShort" of QueryRunner class. (Change of Beta 21) Added ...UDC indexes parser: Runtime Binary Alpha 1: First alpha versionVisual Studio DSite: Text To Binary (Visual C++ 2008): A simple c program that can convert text to binary. Source code only.x5s - a cross site scripting (XSS) testing tool: x5s 1.0 beta: PLACEHOLDER (coming soon)XNA Shooter Engine: GDK Tools 0.1.0.0: This is a small, very early release of the GDK Tools. The only included tool is Input Map Editor.XPath Visualizer: XPathVisualizer v1.2: Last updated 1 April 2010. This is not a joke! includes new features: Ctrl-S shortcut key for Saving the XML file Ctrl-F shortcut for re-form...すとれおじさん(仮): すとれおじさん β 0.01: とりあえず公開のバージョンです。 中途半端な機能がいっぱいあります。Most Popular ProjectsRawrWBFS ManagerASP.NET Ajax LibraryMicrosoft SQL Server Product Samples: DatabaseSilverlight ToolkitAJAX Control ToolkitWindows Presentation Foundation (WPF)ASP.NETLiveUpload to FacebookMicrosoft SQL Server Community & SamplesMost Active ProjectsRawrGraffiti CMSBase Class LibrariesjQuery Library for SharePoint Web ServicesBlogEngine.NETMicrosoft Biology FoundationN2 CMSLINQ to TwitterManaged Extensibility FrameworkFarseer Physics Engine

    Read the article

  • Which is a good opensource user management system?

    - by Lost_in_code
    I'm new to PHP/MySQL and am trying to create a website which will allow users to register. In future, there will be a paid content area where content will be shown based on the payment status. Is there a good open-source lightweight framework which takes care of the user management part? (Register, edit user info, retrieve lost password etc). I'm a Flash platform developer and not aware of how to take care of stuff like session hijacking, XSS etc. Should I go ahead and learn to do all this on my own, without using any framework? I thought of using WordPress' user management system, but I'm not sure how easy that would be. Any suggestion would be great.

    Read the article

  • CMS Preventing Bad HTML Insertion by Client?

    - by Jascha
    I'm building a small CMS in PHP for a client and something I've noticed that comes up fairly often is a client will enter a bit of HTML in a field without closing his/her tag. I'm wondering if there is some parsing technique to prevent bad HTML from rendering my whole output page in italics because the user forgot to add a closing </i> tag. I'm not worried about XSS or malicious html, just a forgotten tag here and there as it's the client who is managing the content. Forgive me if this is a duplicate question, I did some searching, but could not find an appropriate answer. -J

    Read the article

  • wmd editor sanitizing

    - by Ke
    Hi, I am trying to find ways to sanitize the input of the wmd editor. Specifically, I am trying to make HTML tags only available in the <code> tags that wmd generates. Is that possible? My problem is that the following code is rendered as HTML, which is vulnerable to potential XSS attacks, e.g. <a onmouseover="alert(1)" href="#">read this!</a> The above code renders normally both in preview mode and when saved to the db. I notice that SO doesn't seem to have this problem. The same code is just rendered as text. I notice that SO has shared their code here: http://refactormycode.com/codes/333-sanitize-html Do I really have to use C# in order to sanitize wmd to do this? Any help appreciated, cheers Ke

    Read the article

  • JRuby Slick CanvasGameContainer using too much heap memory

    - by Jwosty
    I'm using Java's Slick library (great, by the way) just fine from JRuby. To start a game, I use AppGameContainer which works completely fine and as expected, but if I try to use CanvasGameContainer instead (I want a resizable window and Slick uses an old version of LWJGL that doesn't support this directly) it throws this error:

        Fri Jun 01 10:22:07 MDT 2012 INFO:Slick Build #274
        Error: Your application used more stack memory than the safety cap of 2048K.
        Specify -J-Xss####k to increase it (#### = cap size in KB).
        Specify -w for full StackOverflowError stack trace

    I've tried increasing the heap size until my computer can't allocate any more memory, but to no avail. The CanvasGameContainer uses an awt window to display, which is resizable. Any ideas on why this is happening and/or how to fix this?

    Read the article

  • Best way to deal with session handling in Zend Framework

    - by JACK IN THE CRACK
    So I'm starting up in Zend Framework and looking to implement a site-wide "User" session.... something I can easily access from ALL modules/controllers in the application. I'm like, should I make a new namespace in the library and extend the controller, like:

        class MyLib_Controller_Action extends Zend_Controller_Action
        {
            protected $_userSession;

            // Zend_Controller_Action::preDispatch() takes no arguments
            public function preDispatch()
            {
                $this->_userSession = new Zend_Session_Namespace('user');
            }
        }

    And then have all my controllers/modules/etc extend from that? Or should I create a Plugin or what? How would you go about making this plugin to pass the user session to the controller? Or do I do it in the bootstrap?? Again how to pass to controller? Also should I use Zend_Session_Namespace or Zend_Http_Cookie and also how do I encrypt and XSS-clean the cookie or is that done automagically?

    Read the article

  • Markup filter wanted for a public website

    - by sibidiba
    Developing a community site where everyone can post text, I'm looking for a markup filter:
      - What is not part of the markup must be escaped (htmlspecialchars()) as it is.
      - Should turn URLs automatically into links
      - Should support some form of basic markups (bold, image, url, pre, list)
      - Should have a simple parser, that turns user input text into HTML
    Content on the site is public to everyone, XSS must not be allowed to happen. What do you suggest? What markup language in the first place? BBCode? Wiki? Markdown? Are there any complete APIs with good examples? PHP is available on the server side. If there is a WYSIWYG-like textarea in addition (like here on SO) that would be a fantastic bonus!

    Read the article

  • ASP.NET MVC Alter Markup before Output

    - by youwhut
    Hi, Excuse my limited knowledge here. In the past I have used Steve Sanderson's method to HTML encode by default at runtime: http://blog.stevensanderson.com/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/ I have a need to alter img src and a href attributes before they are spat out in the user's browser. There is a solution using JavaScript but this is not ideal for several reasons. Intercepting the compiler is not an option because of unnecessarily using Response.Write for trivial HTML. Is there something I can do with HTTP modules or the view engine? Any thoughts? Cheers.

    Read the article

  • Remove HTTP headers from a raw response

    - by Ed
    Let's say we make a request to a URL and get back the raw response, like this:

        HTTP/1.1 200 OK
        Date: Wed, 28 Apr 2010 14:39:13 GMT
        Expires: -1
        Cache-Control: private, max-age=0
        Content-Type: text/html; charset=ISO-8859-1
        Set-Cookie: PREF=ID=e2bca72563dfffcc:TM=1272465553:LM=1272465553:S=ZN2zv8oxlFPT1BJG; expires=Fri, 27-Apr-2012 14:39:13 GMT; path=/; domain=.google.co.uk
        Server: gws
        X-XSS-Protection: 1; mode=block
        Connection: close

        <!doctype html><html><head>...</head><body>...</body></html>

    What would be the best way to remove the HTTP headers from the response in C#? With regexes? Parsing it into some kind of HTTPResponse object and using only the body? EDIT: I'm using SOCKS to make the request, that's why I get the raw response.

    Read the article

  • What's my best bet for replacing plain text links with anchor tags in a string? .NET

    - by Craig Bovis
    What is my best option for converting plain text links within a string into anchor tags? Say for example I have "I went and searched on http://www.google.com/ today". I would want to change that to "I went and searched on http://www.google.com/ today". The method will need to be safe from any kind of XSS attack also since the strings are user generated. They will be safe before parsing so I just need to make sure that no vulnerabilities are introduced through parsing the URLs.

    Read the article
