Library To Clean Input To Prevent Cross Site Scripting
Jun 19, 2007
We have a javascript that is vulnerable to XSS because the input to
the script is not being checked for strings such as "javascript",
"eval", "script" etc. I have seen some snippets of code here and
there on how to check the strings but I have not yet found a
comprehensive js library that will clean user input of all offending
characters. What complicates it is that phishers can encode characters
to bypass the usual amateurish attempts to clean strings of offending
characters.
I need to html encode all text field values on the client just before sending them to the server. A javascript equilalent of Server.HTMLEncode in IIS. I also need to be able to perform the reverse.
All I am trying to do is ensure that if a user enters html tags in the a form, that the tags does not get parsed by the browser.
Is it possible to run an HTML file from "localhost" and bypass the various security checks in place for cross-frame scripting? For example, on a 2-frame page loaded locally:
a) frame 1 includes a form that accepts the name of a web site (example: www.foo.com), which a script or perhaps a "target" attribute then loads into frame 2 b) frame 1 waits for frame 2 to load, then reads (for example) top.frame2.document.images.length and displays the total in frame 1
I realize that "localhost" is not going to match the domain appearing in frame 2, but as I myself am running the script, logically, where is the harm?
I haven't done much testing with this yet, but am planning an application around this concept and am hoping I can make it work. Any pointers?
I'm working on a project at the office that pulls together a bunch of our websites into a portal thing and adds a better search engine. We're also trying to accomadate newer browsers (Netscape 7.2, Firefox, Safari) and are having some problems. The websites run on different servers, all of which we control, so we are setting the document.domain = "ourdomain.com"; in some javascript on ever page. However, we're having problems. We use popup windows for some things, and sometimes these popups want to 'populate' the parent frame window with a new page as a result of a user selection on the popup.
This works most of the time, but not always. For instance, in Netscape 7.2 it just seems to fail with an "access denied..." error in javascript. In Firefox and Safari it opens a new window and populates that instead of populating the original parent window. Can anyone point me at some definitive information about the document.domain property and how to use it effectively?
I'm trying to set up a system similar to Google AdSense that allows other websites to display some HTML content from my site on theirs. I've looked at the show_ads.js file Google uses to display Ads but to be honest I've not found it easy to decipher. I've also read that using a <script> tag to load a JavaScript file from my site is simpler than trying to do do this with an AJAX request. it discusses returning JSON rather than HTML.
BTW I know I could use an iframe to achieve something similar but this won't give me the result I need because the content coming from my site will contain a link back to my site and I want the link to be registered as an inbound link to my site for SEO reasons.
I'm trying to dynamically set the height of my Iframe. my https: main page is calling another https in an Iframe. But i get an access denied error from my javascript trying to call the parent document.
Main https page <IFRAME APPLICATION="yes" style="width:100%;" id="iframename" frameborder="no" scrolling="no" SRC="https://www.otherdomain.com">
otherdomain.com html ------------------------------------------------ <script> function bodyheight() { x = document.body.scrollHeight parent.document.all.iframename.style.height = x } </script>
I have created a payment system using Jquery. The problem I run into is when I move from http to https. I get the following error: Error: [Exception... "Access to restricted URI denied" code: "1012"
I'm not sure why my ajax is throwing a cross site scripting error. I have a php page that request a page not in my domain. I have another page where my ajax requests the php page, which is in my domain. Then the error is thrown. Since the php page is in my domain, why would the error be thrown?
I have a site and in that I don't want to users pressing tab key and also shift + tab key. So I need a small javascript code for preventing execution of tab key and Shift+Tab Keys.
Currently prototype does not support cross site ajax, such as dojo or jquery. This is unfortunate, cause I am really used to prototype and would like to use this functionality.
What would be the best way for me to implement cross site ajax for prototype.
Note that I will still need the normal ajax functions as well, so a nice extend or something would be good.
I would to know please if is it possible to block the loading of particular site by/via javascript. Having a web page with a flash content that contains a call to a particular site, I don't want to receive information from that site. does exists a javascript code that block that call to that site?
I am trying to find the simplest, most cross-browser friendly dynamic navigation for my site. I tried to use a CSS version (Suckerfish) and it worked ok but it destroyed the formatting I had. I would really like to implement this kind of dropdown on my main navigation so users don't have to click and wait for a page to load. If possible, I'd like very few lines of code. That's why the CSS option was good... there was very little javascript.
I've recently been working on a small AJAX/PHP plugin, its very easy to understand, you just call the page and it returns a quote from a database in html, something like
And then you style it however you want, its good for semantics that way, you would typically wrap it in a div and update that div with the output each time from your ajax.
It all works fine, and you can see an example here @ www.theshadownest.com.au click on the clock, and you will see the quote come up. disregard the other stuff in the box.
The idea i had for this was set up a large database of quotes with simple semantic output and let Ajax queries call that page, but i want to be able to call that page output from other servers, urls etc... I thought that would be fine, you just request the page with ajax on your site and it could return the response from my site...
But this does not work, you get a permission denied error in the Javascript, it obviously can't do this.
How do you write a PHP/AJAX plugin that can work from multiple sites, because i want to be able to let anyone make a request, its basically a resource for people who want to add quotes to their site without setting up their own database or writing their own php.
I am using GreaseMonkey to load jQuery 1.3.2 (there is a bug with the latest version of jquery and GM) and jQuery UI 1.8.0.I am using jQuery via GM to manipulate the GUI of a content management system. This CMS uses its own JS library to dynamically add stuff to the dom.
Question:How can I target a dom element that was added to the dom via this other JS lib?In other words, the CMS will add a div to the dom, and I am not sure how to tell jquery to wait for these elements to "be there" before applying the jquery goodness. Specifically, I would like to do this:
$(function() { $('#zen1227').resizable(); });
But "#zen1227" does not "appear" until later via this other JS library.
When you press the down key while in an input field the default behavior for some event creates a dropdown of the previously input text. What event creates that behavior and how do I stop it ?
For example, to prevent ANY type of default behavior when clicking ANY key, I thought this would work, but the dropdown still occurs. What am I doing wrong ?
In html file:<body > Search Text: <input type='text' id='searchtext' />
in javascript file: function blank(){ return false; } function registersearch(){
<script language = "Javascript"> function echeck(str) { var at="@" var dot="." var lat=str.indexOf(at) var lstr=str.length var ldot=str.indexOf(dot) if (str.indexOf(at)==-1){ alert("Invalid Email") return false } ..... The form submits even if no input is provided. The database get updated with blank values.
In my example the focus should only jump to textbox2 if you press the tab key and if ཇ' is in textbox1. That works fine.
However if you enter e.g. ཈' in textbox1 and click on 'Link', Mozilla shows the alert 'Wrong numer' but also jumps to 'www.google.com'. Opera and IE don't do that what's in my opinion the correct behavior. Code:
I've created a form using datepicker to choose the birthdate, now I'm trying to control what's in my inputs, but I have issues when it comes to the input of my datepicker
When I have focus on my input I diplay a message to guide the user, when the event blur happens I check if the input contains a valide date and display an alert when it's wrong, but the blur is launched even when the user clicks on the calendar of datepicker, so the alert message is displayed which isn't supposed to happen
I'm looking for a way to wait for the user to select a date before executing the blur, or at the blur event check if the calendar is open or closed before doing any control
Lots on the web about this, but finding it difficult to piece everything together.I have a simple (jquery) RTE I've built using usual tools (IFRAME with execcommand functions).I want to be able to strip all html tags from anything copied and pasted into the iframe (specifically to remove the residual junk from MS word).I have this to capture the paste event (which works)
MY question is this: How do I target the pasted copy (only) and strip out the tags?I was previously doing this with PHP on submitting the page, but can't do that as I obviously want to keep the valid html tags added by the RTE itself - I changed the PHP to just remove <span> tags - but this is no good as some browsers write execcommand(bold) as <span class="bold">text</span>.
Basically I have this grab from a myspace profile to import a band's upcoming show listings on another website. The problem is that myspace puts all this information into a table, and in order to style the elements individually, I need a way to grab all the text from each cell and put them into their own divs. I don't want any table or tbody or tr or td references or anything, just the content from the cells placed in their own divs so I that I can style this individually.
If you could come up with a way to move all information from inside a cell into an array, that would also work. code...
I am working on a page currently:my test page. As you will see, i have a jcarousel slideshow loading on the right side of the homepage. You may also see that when the site loads, you can see the images in the UL list loading before they turn into the carousel. How can I hide this/clean this up?
I am finishing up creating a fairly complex page that is very rich in DHTML. In addition to updating it self every couple of seconds, various components on it support sync and async communication with various web services.
The problem is that if a user tries to click on any JS driven content before the page is fully loaded, it will not work properly since it relies on many onLoad scripts that initiate webservices etc.
is there a clean way, to simply disable any page functionality before it loads ?
other than explicitly enabling every control in window.onload() event.
Is there any way to resize an iframe dynamically to the height of its content that works cross browser and works when the iframe content is on another domain than the main page (I have access to both pages, so code can be put in either) Also, it must resize when links in the iframe are clicked (ie when a new page within the iframe is loaded)