I'm testing an web application against xss attack. In that there are list of events and each one has comment area, in one of the event, i inserted this script,
<script src=”http://www.example.com/malicious.js”></script >
The event showed a flag, that there is a comment, but it is not getting displayed. The problem here is whenever i click on that event, the app crashes, and the browser gives "Recover page".
But in Chrome, it is accepting that script, displays it as empty comment(" "), and its not getting crashed why?
I reset the browser settings in IE, but the same issue appears.
So is that due to Chrome not processing the virus(not sure), or IE processes it?
And i tried this script,
<script >alert("Hello");</script >
Both browsers acts in a same ways without crashing.
So can you please give me an idea of whats happening in it?
You appear to be using some non-standard quotation marks. Try replacing with this:
<script src="http://www.example.com/malicious.js"></script>
Related
I have finally got Turbolinks to work fine and dandy and handle all of the requests going through my application (PJAX). However, the main issue that arises is the fact that the "back/previous" button is broken.
The normal page request when normally navigating through a turbolink should be as follows:
Normal Network activity
However, when pressing on the "previous" button all hell gets loose as follows:
When clicking the previous button in the browser
The page named "11" should load one time only. However, it loads multiple times for some reason.
I know turbolinks is famous with the Rails framework so any answers are welcome. Also, I'm inexperienced with how caching works with Turbolinks, so if this is a cache issue please refer me on how to mitigate it.
To be more specific, my issue is with the Restoration Visits only. And I tried to put the following element in my base.html template but with no success.
<meta name="turbolinks-cache-control" content="no-cache">
I have a django-bootstrap project in which an html page has a dynamically generated table with data-toggle popovers on td elements. in firefox, opera and edge everything works perfectly fine and the popover show up, but in chrome they just don't. however when I copy paste the same code in a new blank html test page unrelated to the project it works (minus a few css issues for the rest of the page).
am really out of my wits end trying to understand the behavior I tried:
emptying cache and hard reload multiple time no success
forcing the state to trigger popover no success
no errors/warnings showing up in console
restart server and dev machine no success
clear a week's worth of cache and browser history
check if there is a chrome extension blocking it. (none am aware of since the test page is working fine)
made sure my jquery bootstrap 4 cdn's are up to date
I really have no clue what to turn to to find the source of the behavior. what steps do you do you guys go through if an element is randomly not showing on your page or you going through unexpected behaviors
I am creating a web app using Django 1.6. I have a question about the "time-out" issue of Django.
I created a template with javascript and css in it for visual effects. Occasionally, I found my visual effect supported by javascript and css to be messed up (e.g. the <div> element should resized according to screen, but it just did not resize). I checked the source of the page and found that the bottom part of my html file was not there (some line in the <script> was cut abruptly at the bottom of my page). I think that is the reason on why the visual effect sometimes cannot be seen.
I am using Cloud9 for developing my app. I wonder whether it is Cloud9 or Django itself causing the interrupted transmission of HTML file?
This sounds like a content-length issue. It's possibly a bug in Cloud9. If so, contact support#c9.io. You can verify the content-length header in the network tab of your browser. You can verify there whether it matches up to the content sent.
We have a Windows server running ColdFusion 8. When I load a CF page from that server in a browser, the page content is displayed almost immediately, but the connection does not close. The browser's "page loading" icon keeps spinning for another ten seconds.
I did a test where I created two files: test.cfm and test.html and loaded them side by side on the server. Each file contains only a single line of text: "This is a test." When I load each page in a browser, both pages display the text immediately, but only the CF page keeps "loading" for another ten seconds.
This behavior is making our AJAX-driven pages unusable. What is causing this behavior, and how I can fix it?
There must be some code in there trying to do something. And it may not be in the page itself, it could be in an include or the application file.
That type of spinning cursor behaviour sounds like some sort of ajax call failing after the initial page load.
One thing that would help is to turn on ColdFusion debugging and post the results here.
ColdFusion and Ajax, out of the box work very well together, and ColdFusion has an almost insanely simple page debugging tool that make it extremely easy to see the execution path of the CFM file and where the page is spending its time.
Have you restarted the CF service? If there are already hung requests or other problems then that will likely be the only way to resolve.
I'm new to ColdFusion, have a very basic problem that's really slowing me down.
I'm making edits in a text editor and refreshing the page in web browsers for testing. Standard web dev stuff, no browser-sniffing, redirection, or other weirdness, and no proxies involved.
When I refresh the page in Chrome or Firefox, everything works fine, but when I refresh in IE7, I get a blank page. View Source shows me:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8"></HEAD>
<BODY></BODY></HTML>
That's it. While I am rendering to the transitional DTD, the real head contains a title, etc.
My development server is CF 9, production is 8. This problem has been happening in both. Seems it may only be happening on pages that are the the result of a POST action.
I've never experienced this in ASP.NET (my usual development environment) using the same browsers.
If I remember correctly, IE does not re-post forms on refresh by default. It's been a few years since I used it for more than testing. However, I also recall it giving a message like "this page has expired" or something similar, so this may not be the issue you are experiencing.
I assume you're using IIS - If so, just to make sure that you get a fresh version of the page every time, set the content expiration (under HTTP headers in the site configuration) to "immediately"
Also, clear your IE cache and cookies... And, in CF admin, un-tick the "Enable HTTP status codes" option in the main setting page.