Cross Site Scripting Array Multiple Results - xss

Hello lovely people of StackOverflow,
I built an application to store movies, so I can search for them at a later time. All is working, but I'm trying to prevent XSS. I've looked at the W3Schools htmlspecialchars page, but the problem I'm running into is that I'm returning multiple field results such as "Keywords", "Category", "Date Saved", "Website".
I can prevent XSS on only one field, but then the rest of the fields don't return any data.
Here is the code that echoes the data from the database:
echo "<tr align='center' bgcolor='#0f7ea3'>
<td height='25px'>"
.$results['Website']."</td>
<td>".$results['Keywords']."</td>
<td>".$results['Category']."</td>
<td>".$results['Date Saved']."</td>
<td> <a href='" . $results['Website'] . "'>Click To Access Your Link</a></td>
</tr>" ;
Hopefully I've explained my issue correctly.
Thanks

This is an update to the suggestion provided by "nobody".
The code provided was accurate except for the "." placement. Other than that, the code worked perfectly.
Suggested:
<td>"htmlspecialchars(.$results['Date Saved'], ENT_QUOTES)."</td>
Correct Code:
<td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
Complete Working Code:
echo "<tr align='center' bgcolor='#0f7ea3'>
<td height='25px'>"
.htmlspecialchars($results['Website'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Keywords'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Category'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
<td> <a href='" . htmlspecialchars($results['Website'], ENT_QUOTES) . "'>Click To Access Your Link</a></td>
</tr>" ;
Thank you so much.

I think I understand your question but I don't know why you could only escape one result.
You can do:
echo "<tr align='center' bgcolor='#0f7ea3'>
<td height='25px'>"
.htmlspecialchars($results['Website'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Keywords'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Category'], ENT_QUOTES)."</td>
<td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
<td> <a href='" . htmlspecialchars($results['Website'], ENT_QUOTES) . "'>Click To Access Your Link</a></td>
</tr>" ;
This prevents XSS by injecting JavaScript into the echo. Also notice that I used the ENT_QUOTES flag in the htmlspecialchars function. This escapes both double and single quotes as they are not escaped by default.
However, your script is still vulnerable if you don't verify the URL that can be injected in the href tag ($results['Website']).
By setting "javascript:alert(123);" as your URL you can still execute JavaScript. You need to verify that the URL starts with http:// or https://.
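The two points made above (escape every cell with ENT_QUOTES, and separately reject non-http(s) schemes in the href) as one added example in PHP. This is not the question's or the answer's code; the function names h(), safeHttpUrl() and renderRow() and the sample rows are constructed for illustration.

```php
<?php
// Added example: escape every cell and validate the href scheme, so a stored
// value such as "javascript:alert(123);" never becomes a clickable script link.
declare(strict_types=1);

/** HTML-escape a value for use in a text node or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both ' and ", which matters for the single-quoted href
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Return the URL only if it parses and its scheme is http or https;
 * otherwise return null so the caller renders no link at all.
 * htmlspecialchars() alone does not stop javascript: or data: URLs.
 */
function safeHttpUrl(string $url): ?string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return null;                       // relative or unparsable: reject
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

/** Render one table row from a $results array shaped like the question's. */
function renderRow(array $results): string
{
    $cells = '';
    foreach (['Website', 'Keywords', 'Category', 'Date Saved'] as $field) {
        $cells .= '<td>' . h((string) ($results[$field] ?? '')) . '</td>';
    }
    $href = safeHttpUrl((string) ($results['Website'] ?? ''));
    $link = $href === null
        ? '<td>(link withheld: not an http(s) URL)</td>'
        : "<td><a href='" . h($href) . "'>Click To Access Your Link</a></td>";
    return "<tr align='center' bgcolor='#0f7ea3'>" . $cells . $link . "</tr>\n";
}

// Constructed sample rows: one benign, one carrying hostile field values.
$rows = [
    ['Website' => 'https://example.com/', 'Keywords' => 'sci-fi',
     'Category' => 'Movies', 'Date Saved' => '2015-07-20'],
    ['Website' => 'javascript:alert(123);', 'Keywords' => "<script>alert('x')</script>",
     'Category' => 'Movies', 'Date Saved' => '2015-07-20'],
];
foreach ($rows as $row) {
    echo renderRow($row);   // second row: escaped text, and no <a> element at all
}
```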

Issue with IF test on JSF xtml

Sorry, I tried a lot of other replies, but I still can't use it:
I want to check the value of a bean in order to print HTML code or not, but all the time I get a FALSE condition.
Here is the code:
<tbody>
<ui:repeat value="${wasJvmInvbean.listWasJvmInv()}" var="jvm">
<tr>
<td>${jvm.jvmStatus}</td>
<td>${jvm.cellName}</td>
<td>${jvm.serverBean.hostname}</td>
<td>${jvm.jvmName}</td>
<td>${jvm.type}</td>
<td>${jvm.profilePath}</td>
<td>${jvm.wasVersion}</td>
<c:if test="${jvm.jvmName eq 'dmgr'}">
<td>webconsole http://xxxx:8080</td>
</c:if>
<c:if test="${jvm.jvmName ne 'dmgr'}">
<td>N.A.</td>
</c:if>
<td>${jvm.fid}</td>
<td>${jvm.heapMin}</td>
<td>${jvm.heapMax}</td>
<td>${jvm.wcDefaultType}</td>
<td>${jvm.wcHost}</td>
<td>${jvm.wcPort}</td>
</tr>
</ui:repeat>
FIXED, following this as an example … the new code is:
<h:outputLink value = "https://${jvm.serverBean.hostname}:${jvm.wcPort}/ibm/console" rendered="#{jvm.type eq 'DEPLOYMENT_MANAGER'}" target="_blank" >sffsd</h:outputLink>

Regex in google link params

I do not have experience with regex code.
I want to take from the following text
http://news.google.com/news/url?sa=t&fd=R&ct2=it&usg=AFQjCNG4x7juUilTtEDL5ae1ecsNh7E-yQ&clid=c3a7d30bb8a4878e06b80cf16b898331&cid=52778905305151&ei=2_utVbj7MsHS1QaH3YHQBA&url=http://time.com/3964691/yoga-dogs-and-cats/ tag:news.google.com,2005:cluster=http://time.com/3964691/yoga-dogs-and-cats/ Mon, 20 Jul 2015 17:44:50 GMT <table border="0" cellpadding="2" cellspacing="7" style="vertical-align:top;"><tr><td width="80" align="center" valign="top"><font style="font-size:85%;font-family:arial,sans-serif"><img src="//t0.gstatic.com/images?q=tbn:ANd9GcSPm8SUGKyWdqCih-LdFBEVfcJI2B86tVNolZJLoeWesaK1Jss7lbJsPKhaqLe8Pap7kYdL2Xw" alt="" border="1" width="80" height="80"><br><font size="-2">TIME</font></font></td><td valign="top" class="j"><font style="font-size:85%;font-family:arial,sans-serif"><br><div style="padding-top:0.8em;"><img alt="" height="1" width="1"></div><div class="lh"><b>Watch <b>cats</b> and dogs interrupt yoga routines - Time</b><br><font size="-1"><b><font color="#6f6f6f">TIME</font></b></font><br><font size="-1">The compilation above shows many a yoga routine getting interrupted. And it really never gets old watching a dog rush to the aid of his owner trapped in a headstand or for a a pet to think pigeon pose is an invitation for kisses. There's also the <b>cat</b> <b>...</b></font><br><font size="-1"><b>Cats</b> And Dogs Interrupting Yoga - Huffington Post UK<font size="-1" color="#6f6f6f"><nobr>Huffington Post UK</nobr></font></font><br><font size="-1" class="p"></font><br><font class="p" size="-1"><a class="p" href="http://news.google.com/news/story?ncl=dtJjhOioeLRtSJMzD7u9ebMAVfF0M&ned=it&hl=en"><nobr><b>tutte le notizie (3) »</b></nobr></a></font></div></font></td></tr></table>
the following string, which is present in the text above:
http://time.com/3964691/yoga-dogs-and-cats/
You can get this text using:
(?<=url=)http[^\s"]+
See demo
Note that your (?<=url=).+?(?= ) regex matches more than the URL you need to extract:
Try this:
(?<=url=).+?(?= )
Play around with it here: https://regex101.com/r/pO4cT3/1

XSS remediation - Improper Neutralization of Script-Related HTML Tags

I'm trying to fix some XSS errors with my code. #getEmailRecord is the line that contains the problem. How do I fix a piece of code like this? The error: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). Veracode cleansing solution: coldfusion.runtime.CFPage.HTMLEditFormat
<tr>
<td> </td>
<td class="left"><b>To: </b></td>
<td class="left">#getEmailRecord.EMAIL_TO#</td></tr>
<tr><td colspan="4"> </td></tr>
Thanks! This is my first time doing something like this so any help is much appreciated.
Veracode cleansing solution: coldfusion.runtime.CFPage.HTMLEditFormat
The recommended solution tells you what to do. Wrap any variables which contain user-supplied data that you use in your code in #HTMLEditFormat()#:
<td class="left">#HTMLEditFormat(getEmailRecord.EMAIL_TO)#</td></tr>
HTMLEditFormat
Description
Replaces special characters in a string with their HTML-escaped equivalents.
Additionally, if you are on ColdFusion 10 or newer you have even more options: the EncodeFor functions.

How to make a plone view that inserts other smaller views of content items?

I think this should be simple. I have a folderish TTW dexterity content item (a drop box) that contains folderish TTW dexterity items (proposals). Each proposal contains TTW dexterity reviews that have fields I want to summarize.
I can easily make a view that generates a table as indicated below for any proposal with simple modifications to the folderlisting view:
[review1 link] [criterion_1 value] [criterion-2 value]...
[review2 link] [criterion_1 value] [criterion-2 value]...
.
.
I can also generate a working table view for a drop box by modifying the folderlisting view:
[proposal1 link] [column I would like to insert the above table in for this proposal]
[proposal2 link] [column I would like to insert the above table in for this proposal]
.
.
My problem is I cannot figure out how to insert the first table into the cells in the second column of the second table. I've tried two things:
Within the view template for the dropbox listing, I tried duplicating the repeat macro of the listingmacro, giving it and all its variables new names to have it iterate on each proposal. This easily accesses all of the Dublin core schemata for each review, but I cannot get access to the dexterity fields. Everything I have tried (things that work when generating the first table) yield LocationError and AttributeError warnings. Somehow when I go down one level I lose some of the information necessary for the view template to find everything. Any suggestions?
I've also tried accessing the listing macro for the proposal, with calls like <metal use-macro="item/first_table_template_name/listing"/>. Is this even partially the right approach? It gives no errors, but also does not insert anything into my page.
Thanks.
This solution is loosely based on the examples provided by kuel: https://github.com/plone/Products.CMFPlone/blob/854be6e30d1905a7bb0f20c66fbc1ba1f628eb1b/Products/CMFPlone/skins/plone_content/folder_full_view.pt and https://github.com/plone/Products.CMFPlone/blob/b94584e2b1231c44aa34dc2beb1ed9b0c9b9e5da/Products/CMFPlone/skins/plone_content/folder_full_view_item.pt. --Thank you.
The way I found easiest to create and debug this was:
Create a minimalist template from the Plone standard template folder_listing.pt which makes just the table of summarized review data for a single proposal. The template is just for a table, no header info or any other slots. This is a stripped version, but there is nothing above the first statement. A key statement that allowed access to the fields was of the form:
python: item.getObject().restrictedTraverse('criterion_1')
The table template:
<table class="review_summary listing">
<tbody><tr class="column_labels"><th>Review</th><th>Scholarly Merit</th><th>Benefits to Student</th><th>Clarity</th><th>Sum</th></tr>
<metal:listingmacro define-macro="listing">
<tal:foldercontents define="contentFilter contentFilter|request/contentFilter|nothing;
contentFilter python:contentFilter and dict(contentFilter) or {};
I kept all the standard definitions from the original template.
I have just removed them for brevity.
plone_view context/@@plone;">
The following tal:sum is where I did some math on my data. If you are
not manipulating the data this would not be needed. Note that I am only
looking at the first character of the choice field.
<tal:sum define="c1_list python:[int(temp.getObject().restrictedTraverse('criterion_1')[0])
for temp in batch if temp.portal_type=='ug_small_grants_review'];
c1_length python: test(len(c1_list)<1,-1,len(c1_list));
c2_list python:[int(temp.getObject().restrictedTraverse('criterion_2')[0])
for temp in batch if temp.portal_type=='ug_small_grants_review'];
c2_length python: test(len(c2_list)<1,-1,len(c2_list));
c1_avg python: round(float(sum(c1_list))/c1_length,2);
c2_avg python: round(float(sum(c2_list))/c2_length,2);
avg_sum python: c1_avg+c2_avg;
">
<tal:listing condition="batch">
<dl metal:define-slot="entries">
<tal:entry tal:repeat="item batch" metal:define-macro="entries">
<tal:block tal:define="item_url item/getURL|item/absolute_url;
item_id item/getId|item/id;
Again, this is the standard define from the folder_listing.pt
but I've left out most of it to save space here.
item_samedate python: (item_end - item_start < 1) if item_type == 'Event' else False;">
<metal:block define-slot="entry"
The following condition is key if you can have things
other than reviews within a proposal. Make sure the
item_type is proper for your review/item.
tal:condition="python: item_type=='ug_small_grants_review'">
<tr class="review_entry"><td class="entry_info">
<dt metal:define-macro="listitem"
tal:attributes="class python:test(item_type == 'Event', 'vevent', '')">
I kept all the standard stuff from folder_listing.pt here.
</dt>
<dd tal:condition="item_description">
</dd>
</td>
The following tal:comp block is used to calculate values
across the rows because we do not know the index of the
item the way the batch is iterated.
<tal:comp define="crit_1 python: item.getObject().restrictedTraverse('criterion_1')[0];
crit_2 python: item.getObject().restrictedTraverse('criterion_2')[0];
">
<td tal:content="structure crit_1"># here</td>
<td tal:content="structure crit_2"># here</td>
<td tal:content="structure python: int(crit_1)+int(crit_2)"># here</td>
</tal:comp>
</tr>
</metal:block>
</tal:block>
</tal:entry>
</dl>
<tr>
<th>Average</th>
<td tal:content="structure c1_avg"># here</td>
<td tal:content="structure c2_avg"># here</td>
<td tal:content="structure avg_sum"># here</td>
</tr>
</tal:listing>
</tal:sum>
<metal:empty metal:define-slot="no_items_in_listing">
<p class="discreet"
tal:condition="not: folderContents"
i18n:translate="description_no_items_in_folder">
There are currently no items in this folder.
</p>
</metal:empty>
</tal:foldercontents>
</metal:listingmacro>
</tbody></table>
Create another listing template that calls this one to fill the appropriate table cell. Again, I used a modification of the folder_listing.pt. Basically within the repeat block I put the following statement in the second column of the table:
This belongs right after the </dd> tag ending the normal item listing.
</td> <td class="review_summary">
<div tal:replace="structure python:item.getObject().ug_small_grant_review_summary_table()" />
</td>
Note that "ug_small_grant_review_summary_table" is the name I gave to the template shown in more detail above.

OSCommerce STS template flow-How to get output of a box in html file

I am trying to explore the STS template system.
What I need to do is simple.
I just want to show a banner/box in the right column which is added from the OSC admin.
I have done the following steps:
added a banner from the admin banner manager;
created a file in the includes/boxes directory under the name customBanner.php;
added this line in column_right.php: include(DIR_WS_BOXES . 'customBanner.php');
And finally added the following code to customBanner.php:
<?php
if ($banner = tep_banner_exists('dynamic', '170x158')) {
?>
<br>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
<tr>
<td align="center"><?php echo tep_display_banner('static', $banner); ?></td>
</tr>
</table>
<?php
}
?>
This code is basically used for OSC without the STS template.
Now I need to know how the STS template gives output in the php.html files, e.g. <td>$specialbox</td>. I mean, how does this variable get its value from STS,
and how can I show the advertisement box in the right column?
You should add the following code to includes/modules/sts_inc/sts_user_code.php:
$sts->start_capture();
include(DIR_WS_INCLUDES . 'boxes/customBanner.php');
$sts->stop_capture('specialbox');
It is also possible to use your own file to add this code, but you should include its name in admin -> Modules -> Default -> Files for normal template.
You could add as many boxes as you like in the same way:
$sts->start_capture();
include(DIR_WS_INCLUDES . 'boxes/customBanner.php');
$sts->stop_capture('box1');
$sts->start_capture();
include(DIR_WS_INCLUDES . 'boxes/OTHERcustomBanner.php');
$sts->stop_capture('box2');