Preventing Cross Site Scripting

Jul 20, 2005

I need to HTML encode all text field values on the client just before
sending them to the server. A JavaScript equivalent of Server.HTMLEncode in
IIS. I also need to be able to perform the reverse.

All I am trying to do is ensure that if a user enters HTML tags in a
form, the tags do not get parsed by the browser.

Library To Clean Input To Prevent Cross Site Scripting

Jun 19, 2007

We have a javascript that is vulnerable to XSS because the input to
the script is not being checked for strings such as "javascript",
"eval", "script" etc. I have seen some snippets of code here and
there on how to check the strings but I have not yet found a
comprehensive js library that will clean user input of all offending
characters. What complicates it is that phishers can encode characters
to bypass the usual amateurish attempts to clean strings of offending

Any js libraries or resources out there anywhere?

Cross-frame Scripting And Localhost

Apr 24, 2006

Is it possible to run an HTML file from "localhost" and bypass the
various security checks in place for cross-frame scripting? For
example, on a 2-frame page loaded locally:

a) frame 1 includes a form that accepts the name of a web site
(example:, which a script or perhaps a "target" attribute
then loads into frame 2
b) frame 1 waits for frame 2 to load, then reads (for example)
top.frame2.document.images.length and displays the total in frame 1

I realize that "localhost" is not going to match the domain appearing
in frame 2, but as I myself am running the script, logically, where is
the harm?

I haven't done much testing with this yet, but am planning an
application around this concept and am hoping I can make it work. Any

Document.domain Issues And Cross Server Scripting

Jul 23, 2005

I'm working on a project at the office that pulls together a bunch of
our websites into a portal thing and adds a better search engine. We're
also trying to accommodate newer browsers (Netscape 7.2, Firefox,
Safari) and are having some problems. The websites run on different
servers, all of which we control, so we are setting the document.domain
= ""; in some javascript on every page. However, we're
having problems. We use popup windows for some things, and sometimes
these popups want to 'populate' the parent frame window with a new page
as a result of a user selection on the popup.

This works most of the
time, but not always. For instance, in Netscape 7.2 it just seems to
fail with an "access denied..." error in javascript. In Firefox and
Safari it opens a new window and populates that instead of populating
the original parent window. Can anyone point me at some definitive
information about the document.domain property and how to use it

JQuery :: Cross Domain Scripting To Embed HTML?

Aug 30, 2009

I'm trying to set up a system similar to Google AdSense that allows other websites to display some HTML content from my site on theirs. I've looked at the show_ads.js file Google uses to display Ads but to be honest I've not found it easy to decipher. I've also read that using a <script> tag to load a JavaScript file from my site is simpler than trying to do this with an AJAX request. it discusses returning JSON rather than HTML.

BTW I know I could use an iframe to achieve something similar but this won't give me the result I need because the content coming from my site will contain a link back to my site and I want the link to be registered as an inbound link to my site for SEO reasons.

Cross-Frame Scripting, IFRAME And Https (access Denied)

Jul 23, 2005

I'm trying to dynamically set the height of my Iframe. My https: main page
is calling another https in an Iframe. But I get an access denied error
from my javascript trying to call the parent document.

Main https page
<IFRAME APPLICATION="yes" style="width:100%;" id="iframename"
frameborder="no" scrolling="no" SRC=""> html
function bodyheight() {
x = document.body.scrollHeight = x

Ajax :: Throwing X-site Scripting Error

Mar 10, 2009

I'm not sure why my ajax is throwing a cross site scripting error. I have a php page that requests a page not in my domain. I have another page where my ajax requests the php page, which is in my domain. Then the error is thrown. Since the php page is in my domain, why would the error be thrown?

Cross Site Ajax In Prototype

Oct 19, 2007

Currently prototype does not support cross site ajax, such as dojo or jquery.
This is unfortunate, cause I am really used to prototype and would like to use this functionality.

What would be the best way for me to implement cross site ajax for prototype?

Note that I will still need the normal ajax functions as well, so a nice extend or something would be good.

How To Show Cross-site Content?

Aug 28, 2006

I'm working on a function of my page whose content must be visible on other sites. Just like google ads, maps and so on..

The question is how do I create that portion of javascript that my friends can embed on their sites (without using IFrame!)

Cross Browser Dynamic Navigation For Site?

Mar 30, 2010

I am trying to find the simplest, most cross-browser friendly dynamic navigation for my site. I tried to use a CSS version (Suckerfish) and it worked ok but it destroyed the formatting I had. I would really like to implement this kind of dropdown on my main navigation so users don't have to click and wait for a page to load. If possible, I'd like very few lines of code. That's why the CSS option was good... there was very little javascript.

AJAX/php - Plugin Cross Site Request

Aug 8, 2007

I've recently been working on a small AJAX/PHP plugin, it's very easy to understand, you just call the page and it returns a quote from a database in html, something like

<strong>quote here.. <em>author name</em></strong>

And then you style it however you want, it's good for semantics that way, you would typically wrap it in a div and update that div with the output each time from your ajax.

It all works fine, and you can see an example here @ click on the clock, and you will see the quote come up. disregard the other stuff in the box.

The idea I had for this was to set up a large database of quotes with simple semantic output and let Ajax queries call that page, but I want to be able to call that page output from other servers, urls etc... I thought that would be fine, you just request the page with ajax on your site and it could return the response from my site...

But this does not work, you get a permission denied error in the Javascript, it obviously can't do this.

How do you write a PHP/AJAX plugin that can work from multiple sites, because I want to be able to let anyone make a request, it's basically a resource for people who want to add quotes to their site without setting up their own database or writing their own php.

Cross Browser, Cross Domain Iframe Resizing Script?

Jun 18, 2009

Is there any way to resize an iframe dynamically to the height of its content that works cross browser and works when the iframe content is on another domain than the main page (I have access to both pages, so code can be put in either) Also, it must resize when links in the iframe are clicked (ie when a new page within the iframe is loaded)

JQuery :: Get A True Cross-fade, Not The Sorta Cross Fade Used By Default?

May 27, 2011

Simple question really. The cross fade option used by default with cycle is not a linear looks like it uses some kind of S curve because during the crossfade animation the background (meaning the area behind the images being cross-faded) becomes visible. Example screenshot taken mid-transition. The pink should never be visible behind the grey, but it is:


at the moment, which is leading to background visibility. Is there another fx option I should be using?

VB Scripting

Nov 19, 2007

I am very new to VB and right now given a task to delete a specific folder from the folder tree. I am able to delete the folder from the first sub folders, but I have to look in every folder for that specific name of folder and delete that.

That is, I have a folder Z and want to delete folder x in the folder tree after Z



So the task is to find all the folders with name x and delete them.

<Div> Scripting

Mar 30, 2006

If I have a list inside a <div> is there any way to add another? Example:

<div name=test>

Now later on if the user clicks a button can I add:
<ul>whatever the user typed in</ul> after "<ul>two</ul>" <-- note this is not php

Scripting Mozilla

Jul 20, 2005

I've a personal application I would like to script, that would
bring up a particular web page (which happens to have a Flash application
on it), then every 15 minutes or so generate the equivalent of
clicking on a button (causing the application to retrieve and display
the latest info).

Anyone know of any articles or howtos on the web for writing such an
application? Code:

Protect Myself From XSS Scripting?

Mar 9, 2010

If I use this to protect myself from XSS scripting, do you think that it will be enough? code...

Gallery Scripting

Jun 27, 2007

I have another question... with the script I have for the gallery, it's supposed to do this:

but the problem is, it's showing up within the iframe and not out in the open so you can see the whole picture... any way around that?

Scripting Between HTML And SVG?

Mar 5, 2010

I'm working on a project using JQuery and Keith Woods' extension to provide SVG functionality. My final goal is to develop some kind of HMI/SCADA implementation. My intention is to have an svg graphic representing some kind of process and then change certain shapes parameters from scripting part.

I'm pretty new to Javascript, JQuery and so on. But I'm trying to make my way by reading a lot on internet. However I couldn't find a clue about my most recent issue.

My idea is to embed an svg file created before in Inkscape. This would be the skeleton of the process I want to represent. Then, from the html document where this svg file is embedded, I want to alter certain parameters of the shapes inside, for instance I want to change the colour of a particular rectangle.

So, I embed the file in the html document like this:


Remote Scripting & XML

Feb 13, 2007

I am remote scripting using javascript to an XML gateway, the XML file I get back changes state i.e. either the car registration number exists (and it includes certain fields in the XML) or it doesn't exist (and it doesn't include certain fields).

When my code tries to display the result I am getting the 'object required' error because I am trying to access an xml element which doesn't exist.

For example this line would break if the plate didn't exist but work perfectly if it did:

var fuel = response.getElementsByTagName('Fuel')[0];

Is there any way to stop it throwing an error if it doesn't exist and just set a regDoesntExist flag or something?

Scripting Nested Svg Documents

Jul 23, 2005

I'm a greenhorn in SVG and javascripting but I'm learning by doing.
So, here is my current problem question:

I have an svg document embedded in another svg document. I want,
through functions in an external javascript file, to manipulate objects
in either the child svg document or the parent document.
How do I get access to elements of the other document?

Example : I have a document "A" containing X/Y - Axis and included
another svg document "B" with the graphs.

I want now, as soon as the mouse cursor is over a graph in document
"B", the belonging label which is located in the parent svg document
"A" to change color or size.

Or I want the graph in "B" to start blinking as soon as the mouse is
over the label in "A".

I don't know how to cross document borders.

Can anyone give me a short example to get me going?

Meta Tag For Scripting Language

Jul 20, 2005

I have some doubts about this meta tag:
<META http-equiv="Content-Script-Type" content="text/javascript">

Do I really need to declare this meta tag in all my pages?

If I declare it, will I still need to create my scripts this way?
<script type='text/javascript'>

Is there any advantage/disadvantage when using it?

DOM Scripting: Using A Value From A Select Field?

May 6, 2010

I am trying to use a value from the select field to replace text within a strong tag:


<strong id="selected_country">Country Will appear here</strong>

So far the script announces the selected country using alert. Here is the script so far:


function getCountry()
// Validate that the browser knows getElementById


Get Adsense Data And Use It For Further Scripting

Nov 24, 2005

Is it possible to have a script that waits until the AdSense javascript is done selecting ads, and then uses that data to do something?

For instance, the script checks if "Laptop" exists in the link text of an adsense ad, and then proceeds by downloading (XML-RPC?) a picture of a laptop from the server.

It's important that the code does not interfere with the adsense script itself because that violates their TOS, but is it possible to just "read" the data that it generates?

Scripting Over Document Borders / Alert Box

Jul 23, 2005

I'm wondering about a very strange behaviour in a javascript: In my
web application, there are a few SVGs (Adobe SVGViewer 3.0) embedded
by OBJECT-tag in an HTML-File. By starting a (globally known)
JS-Function in the "Menu"-SVG, it creates a new SVG-Node-Tree and
appends it to an anchor-Node in a "Display"-SVG. This means, a
function called in one document creates SVG-Elements in another
document. This works fine, if a simple JS-alert is included at the
beginning of the SVG-creation-process. If not, it doesn't work - no
SVG is created. IMHO, I can exclude a runtime error, for that I
analyzed it quite intensively. In my opinion, the problem could deal
with restrictions on scripting over document borders. Nevertheless, I
don't understand it. Does anybody have experience with that kind of
behaviour? Does an alert have such influence on something like a
"focus" on a document?

Refer To An Event Without Using Inline Scripting?

Dec 7, 2011

I am trying to re-write a script that I found on w3schools. The script should check whether ALT key was pressed or not. My objective is not to use any inline scripts and to refer to the event within a function. My script is not working.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="">[code].......

