Is this an XSS attack, and why is it invalid? - xss

To test an XSS attack, I have the following code:
<html>
<head><title>test xss</title></head>
<body>
<input type="text" id="my_user_name_show" value="">
<script>
var s = '"/><script>alert(\'xss\');</script><br class="';
document.getElementById('my_user_name_show').value= s;
</script>
</body>
</html>
Why can't the code trigger the alert('xss')?

XSS attacks against input form values have to be triggered from the backend when the actual HTML is changed, thus causing
<input type="text" id="my_user_name_show" value=""/>
<script>alert('xss');</script>
<br class="">
to be written, which obviously will cause it to trigger an alert. On the other hand your code will simply cause
<input type="text" id="my_user_name_show" value="\"/><script>alert('xss');</script><br class=\"">
to be placed inside the DOM, thus not causing any alert, because no script element is added to the DOM.
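The two paths the answer contrasts, modelled without a browser as an added example (this is not code from the question or the answer): the backend path splices the string into the HTML source of the value attribute, while the DOM-property path stores it as data. The `escapeHtml`, `renderInput*` and `countScriptTags` names are the example's own.

```javascript
// Added example: the "backend" path is string interpolation into markup; the DOM-property
// path is element.value = s, which never parses the string as HTML.

// The exact payload from the question.
const PAYLOAD = '"/><script>alert(\'xss\');</script><br class="';

// Backend rendering as the answer describes it: the raw value is spliced into the markup,
// so the leading quote closes the attribute and the rest becomes real elements.
function renderInputUnsafe(value) {
  return '<input type="text" id="my_user_name_show" value="' + value + '">';
}

// Hardened backend rendering: escape every HTML-significant character before splicing.
// The double quote matters most here because the value sits inside a quoted attribute.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}
function renderInputSafe(value) {
  return '<input type="text" id="my_user_name_show" value="' + escapeHtml(value) + '">';
}

// Minimal check usable in a template test suite: count script start tags in the output.
// A correctly escaped attribute value can never produce one.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// DOM-property path from the question, modelled on a plain object: the string is stored
// verbatim in the element's value state. Nothing parses it, so no <script> element exists.
// (Side note: in the question's inline script the literal "</script>" inside the JS string
// already ends the <script> element during HTML parsing; write "<\/script>" in a page test.)
function setValueProperty(element, value) {
  element.value = value;
  return element;
}

// Stand-alone run: prints the markup each path produces.
console.log(renderInputUnsafe(PAYLOAD));
console.log(renderInputSafe(PAYLOAD));
console.log(JSON.stringify(setValueProperty({ tagName: 'INPUT', value: '' }, PAYLOAD)));
```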

Related

Jinja templating not working in script.js

I need to include jinja templating in element.innerHTML but jinja is not working.
Code script.js:
contentDiv.innerHTML = getContent(fragmentId);
function getContent(fragmentId) {
var pages = {
quad1: `
<form class="form-inline" method="POST" id="form1">
<h3>
<input type="number" id="quad_a1" name="input_a" class="form-control mx-2 col-1" placeholder="a">
<b>x² +</b>
<input type="number" id="quad_b1" name="input_b" class="form-control mx-2 col-1" placeholder="b">
<b>x +</b>
<input type="number" name="input_c" class="form-control mx-2 col-1" placeholder="c">
<b>=</b>
<input type="number" name="input_d" class="form-control mx-2 col-2" placeholder="Default(0)">
<button type="submit" class="btn btn-primary float-right mr-5" onclick="return empty_quad()">Solve</button>
</h3>
</form>
{{ sol }}
`,
.
.
.
};
return pages[fragmentId];
}
But the output is literally {{ sol }}, not the value of sol:
So how do I access the variable sol passed through Flask's render_template() in script.js?
You can't use jinja2 template in your js file.
First method: You have to use inline JavaScript in the HTML file using a <script></script> tag, and then you can access the sol variable by assigning it to a JavaScript variable:
<script> sol = "{{sol}}" </script> // {{sol}} should be between quotation marks
Second method: If you have a separate js file, you can make a div tag, define its class and set its id to {{sol}}. Get the element by class name and then get its id.
Html
<div class="myclass" id="{{sol}}" style="display:none"></div>
javascript
// getElementsByClassName returns a collection, so take the first match before reading id
elem = document.getElementsByClassName("myclass")[0];
console.log(elem.id) // this is the sol value.
json_script
Safely outputs a Python object as JSON, wrapped in a <script> tag, ready for use with JavaScript.
Argument: HTML “id” of the <script> tag.
For example:
{{ value|json_script:"hello-data" }}
If value is the dictionary {'hello': 'world'}, the output will be:
<script id="hello-data" type="application/json">{"hello": "world"}</script>
The resulting data can be accessed in JavaScript like this:
const value = JSON.parse(document.getElementById('hello-data').textContent);
XSS attacks are mitigated by escaping the characters “<”, “>” and “&”. For example if value is {'hello': 'world</script>&'}, the output is:
<script id="hello-data" type="application/json">{"hello": "world\\u003C/script\\u003E\\u0026"}</script>
This is compatible with a strict Content Security Policy that prohibits in-page script execution. It also maintains a clean separation between passive data and executable code.
Django doc
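The json_script pattern from the quoted docs as a plain function, placed beside the "first method" above so the two can be compared on a hostile value; this is an added example, not code from the answer, from Django or from Flask. It assumes the template engine does not HTML-escape the output a second time (Django marks json_script output as safe for that reason), and the function names are the example's own.

```javascript
// Added example: data-only <script> embedding versus dropping a value into script source.

// The three characters json_script escapes, as JSON \uXXXX sequences.
const JSON_SCRIPT_ESCAPES = { '<': '\\u003C', '>': '\\u003E', '&': '\\u0026' };

// Serialise value into a data-only <script> tag. JSON permits \uXXXX escapes inside strings,
// so the replaced characters survive JSON.parse unchanged, while the page source can no
// longer contain "</script>" (or any other tag) inside the data.
function jsonScript(value, id) {
  const json = JSON.stringify(value).replace(/[<>&]/g, (c) => JSON_SCRIPT_ESCAPES[c]);
  return `<script id="${id}" type="application/json">${json}</script>`;
}

// The answer's first method, modelled with no escaping: the value lands in executable script
// source, where "</script>" terminates the element early and a quote terminates the string.
// HTML entity escaping would not help here, since entities are not decoded inside <script>.
function inlineAssignment(value) {
  return `<script> sol = "${value}" </script>`;
}

// Consumer side, modelled without a DOM: what
// JSON.parse(document.getElementById(id).textContent) would see.
function readJsonScript(html, id) {
  const re = new RegExp(`<script id="${id}" type="application/json">([\\s\\S]*?)</script>`);
  const m = html.match(re);
  if (!m) throw new Error('data tag not found');
  return JSON.parse(m[1]);
}

// Number of closing script tags in the markup: json_script output has exactly one, its own.
function countScriptEnds(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed hostile value, the same one the quoted Django docs use.
const HOSTILE = { hello: 'world</script>&' };

// Stand-alone run: the safe tag, the round-tripped value, and the broken inline version.
console.log(jsonScript(HOSTILE, 'hello-data'));
console.log(readJsonScript(jsonScript(HOSTILE, 'hello-data'), 'hello-data'));
console.log(inlineAssignment(HOSTILE.hello));
```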

Getting response from python to browser (CGI python)

I am trying to get (reflect) the corresponding radio button as soon as I choose the option from the dropdown menu.
I am unable to get the answer; I am new to Python. Could you guys please help? Below is my code:
HTML CODE:
<!DOCTYPE html>
<html>
<head>
<title>
Program
</title>
</head>
<body>
<h3>
first program :)
</h3>
<form action="/cgi-bin/mds/dropdown.py" method="post">
<br>
<select name="dropdown" >
<option value="MCR" selected> MCR </option>
<option value="OCS" > OCS </option>
</select>
<input type="radio" name="file" value="raw"> raw <br />
<input type="radio" name="file" value="std" /> std <br/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
My expectation is that when I select either of the OCS/MCR dropdown options, the radio buttons should be generated dynamically with the raw/std names.
dropdown.py file code:
#!/usr/bin/python
import cgi
import cgitb
form = cgi.FieldStorage()
if form.getvalue('dropdown'):
    menu = form.getvalue('dropdown')
else:
    menu = "not entered"
print("Content-type:text/html\r\n\r\n")
print("<html>")
print("<head>")
print("<title>Hello - Second CGI Program</title>")
print("</head>")
print("<body>")
print("<h2> %s </h2>" % (menu))
print("</body>")
print("</html>")
If I understand correctly, you need to do that using AJAX (jQuery) in your HTML file: it sends a request asynchronously to your Python file, which handles it according to what you clicked on.
Maybe this link helps you:
jQuery get value of select onChange

Django and Salesforce Web to Lead

We have website developers redesigning the whole site in Django, and these are questions from our website developers I don't have any real knowledge of how to answer, so I thought someone here might be able to help.
We ran into a few problems with the web to lead and having it map to Salesforce which I HOPE we resolved.
Here's the code snippet:
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <META> element to your page <HEAD>. -->
<!-- If necessary, please modify the charset parameter to specify the -->
<!-- character set of your HTML page. -->
<!-- ---------------------------------------------------------------------- -->
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <FORM> element to your page. -->
<!-- ---------------------------------------------------------------------- -->
<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">
<input type=hidden name="oid" value="SFDCidhere">
<input type=hidden name="retURL" value="http://">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: These fields are optional debugging elements. Please uncomment -->
<!-- these lines if you wish to test in debug mode. -->
<!-- <input type="hidden" name="debug" value=1> -->
<!-- <input type="hidden" name="debugEmail" -->
<!-- value="emailaddresshere"> -->
<!-- ---------------------------------------------------------------------- -->
<label for="first_name">First Name</label><input id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>
<label for="last_name">Last Name</label><input id="last_name" maxlength="80" name="last_name" size="20" type="text" /><br>
<label for="email">Email</label><input id="email" maxlength="80" name="email" size="20" type="text" /><br>
<label for="company">Company</label><input id="company" maxlength="40" name="company" size="20" type="text" /><br>
<label for="phone">Phone</label><input id="phone" maxlength="40" name="phone" size="20" type="text" /><br>
Subject:<textarea id="00N1600000EgFuw" name="00N1600000EgFuw" rows="3" type="text" wrap="soft"></textarea><br>
Contact me:<input id="00N1600000EvgRY" name="00N1600000EvgRY" type="checkbox" value="1" /><br>
newsletter:<input id="00N1600000EvgRd" name="00N1600000EvgRd" type="checkbox" value="1" /><br>
<input type="submit" name="submit">
</form>
That's what the web-to-lead from SFDC generates, and seems to work now.
However they have 2 questions I am not certain about and would love assistance with:
1) The specs for the new site require that the return page be the one the form was sent from (I.e., no redirection; we’re intending to do the equivalent of a “thanks” page as a pop-up onClick() — how is that accomplished through the API? I’d EXPECT that sending an empty retURL value should do it, but we just get back a blank page with a salesforce.com URL;
2) is it possible to customize the “name” parameter for the two checkbox fields (if not then we have to hack the entire form in the Django template without making it possible for Django to render the form natively since you can’t have a model form field name start with a digit…). This isn’t THAT problematic, but I’d like to know for future reference.
If anyone has any insight, I'd love to hear it and pass it along to them!
Many thanks.
I'm not sure about your solution.
The common way is that you could use the Partner WSDL or Enterprise WSDL to insert, update, upsert, or delete your data.
Partner WSDL:
not custom to your Salesforce org, but it can be a common way to get your data.
In Python you could use this package:
https://pypi.python.org/pypi/pyforce/1.4
And reference this:
https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_partner.htm
The Enterprise WSDL will reflect your Salesforce org's state (including fields and objects). But once your objects or fields change, it might error.
So I suggest using the API to control the redirect function and the action.
My solution is as follows, in an example:
from captcha.fields import ReCaptchaField
from django import forms
from django.conf import settings


def set_field_html_name(cls, new_name):
    """
    This creates wrapper around the normal widget rendering,
    allowing for a custom field name (new_name).
    """
    old_render = cls.widget.render

    def _widget_render_wrapper(name, value, attrs=None, **kwargs):
        # Ignore the name Django passes in and render under the Salesforce field id instead.
        return old_render(new_name, value, attrs, **kwargs)

    cls.widget.render = _widget_render_wrapper


class WebToLeadForm(forms.Form):
    # <keep all fields here>
    # example field below
    referred_by = forms.CharField(label="Referred By", required=False)
    # The reCAPTCHA in this form uses keys from settings.
    captcha = ReCaptchaField()
    set_field_html_name(referred_by, settings.SF_REFERRED_BY)
settings.py
SF_REFERRED_BY = '00xxxxxxxxxxxx'

How to get use ng-pattern

I have a simple text input in which I only want to allow floats and ints (watch out: jade)
input.form-control(type="text", ng-model='usd', ng-pattern="nums",ng-change='convert_to_btc()', placeholder="USD")
However, it doesn't work; I can always insert any character into the input (do I need to do more in order to display something, e.g. a red border if it's incorrect? Or should those characters simply not be enterable at all?)
The pattern is a regex and thus not a string, so that should be fine???
Here's the controller:
app.controller("AppCtrl", function AppCtrl($scope, $http, $interval) {
  //lots of other stuff
  $scope.nums = /^\-?\d+((\.|\,)\d+)?$/; //note no string, it's a regex
});
This is the generated HTML. Could this be the problem? The generated HTML actually has a string, not a regex!?
<input type="text" ng-model="usd" ng-pattern="/^\-?\d+((\.|\,)\d+)?$/" ng-change="convert_to_btc()" placeholder="USD" class="form-control ng-dirty ng-valid-parse ng-touched ng-invalid ng-invalid-pattern">
I hope this is what you are trying to do.
Please have a look at the below link
http://plnkr.co/edit/BGzLbQHy0ZtHYmom8xA3
<!DOCTYPE html>
<html ng-app="">
<head>
<script data-require="angular.js#1.3.x" src="https://code.angularjs.org/1.3.13/angular.js" data-semver="1.3.13">
</script>
<style>
.ng-invalid-pattern {
border:1px solid #f00;
}
</style>
</head>
<body>
<p>Hello</p>
<form name='myform'>
<input type="text" name='ip' ng-model="usd" ng-pattern="/^\-?\d+((\.|\,)\d+)?$/"
ng-change="convert_to_btc()" placeholder="USD"/>
<p ng-show='myform.ip.$invalid'>Error</p>
</form>
</body>
</html>
If you are trying to block the user from being able to enter character/letters and only allowing them to enter numbers into the input, then change the <input type="text" to <input type="number"
Here's a link to the Angular Doc page on inputs that should only allow numbers: input[number]

Use form information in external POST request

I've built a simple form to open up a JIRA ticket based on user input. I've almost got all of it, except I don't know how to use the form element in the POST request. Here's what I have so far:
<form target="_blank" action='http://baseurl.com/secure/CreateIssueDetails!init.jspa?pid=10517&issuetype=3&summary=Change+application+name+to+{{new_name}}&reporter={{request.user}}&priority=5&assignee=xxx' method='post'>
<label for="new_name">New name: </label>
<input id="new_name" type="text" name="new_name" value="{{item.name}}">
<input type="submit" value="Create JIRA ticket">
</form>
So I just need the value the user puts in the new_name element to be passed into the appropriate spot in the URL. How do I access that?
It sounds like you're getting POST and GET mixed up. POST data would not be included in the URL itself, but rather in the request payload.
So, your URL would be http://baseurl.com/secure/CreateIssueDetails!init.jspa
The payload would be separately put in the body of the HTTP request.
If you need to use a GET method, the URL itself would be the same as above, but the URL that eventually gets hit would be http://baseurl.com/secure/CreateIssueDetails!init.jspa?new_name=WHATEVERVALUE.
If you need additional key-value pairs to get passed, just add them as hidden fields and pass them that way.
Your code, edited:
<form target="_blank" action='http://baseurl.com/secure/CreateIssueDetails!init.jspa' method='post'> <!-- ARE YOU SURE IT'S A POST REQUEST AND NOT A GET? -->
<label for="new_name">New name: </label>
<input id="new_name" type="text" name="new_name" value="{{item.name}}">
<input type="hidden" value="10517" name="pid">
<input type="hidden" value="3" name="issuetype">
<input type="hidden" value="5" name="priority">
<input type="hidden" value="Change application name to {{new_name}}" name="summary">
<input type="hidden" value="{{request.user}}" name="reporter">
<input type="hidden" value="xxx" name="assignee">
<input type="submit" value="Create JIRA ticket">
</form>
Makes sense?