how to avoid XSS attack using css x:expression? - xss

I'm getting an alert in the page if I pass the following query string value in the URL
&67251"style%3d"x%3aexpression(alert(1))"c5c8316d7db=1
ex.
http://mysite.aspx?val1=2&&67251"style%3d"x%3aexpression(alert(1))"c5c8316d7db=1
I'm using componentart postback controls in my page, so it creates hidden variables in the page like below.
then second hidden variable is causing the alert. How can I avoid this? or how can I capture it and remove it before writing it to page?

Sanitize your variable before you output it on your page.
Response.Write(HttpUtility.HtmlEncode(Request.QueryString["val1"]));

Related

How can I have the input stay even if it's reloading after the post request?

So, I've written a script where I've got an input tag inside the form tags.
And I'm using Flask (which is server-side) to get the input and to do some stuff with the input. But I just don't want that the input will go blank after reloading the page. Is there any way to have the input stay?

Jquery mobile- Multipage template validation

Am having 3 pages. On click of each page's next the page will be validating the current page for required field check, numeric check and move to next page.
My question is on final save on the 3rd page, can we validate all the 3 pages together as we do for each page.?
Yes, a multipage is no different to a single page from that point of view. If you are using a multipage, then all fields are visible from any of the virtual pages.
Update:
I don't know what you are using to do the validation. All I'm saying that that the multipage DOM is visible from all virtual pages, because you are actually just using one page. jQuery Mobile only shows a part of the bigger page as a virtual page, but you are still using one HTML DOM.
This is probably a hack, but if you have a multipage, then you can let your form span across more than one pages. So the page div's can actually go inside the form. Here I posted a example to show that you can access the elements across your multipage doc: https://stackoverflow.com/a/10686795/828757
Found the solution:
$.validator.setDefaults({
ignore: ""
});

Use a link as a form field without javascript

i'm almost done developing a search engine in django 1.3. I'm having some filters on the left side of my application.
What i want to do is display those filters as links (not as radiobuttons /selectbox /checkbox) and whenever a user clicks on one of those links, the form is resubmitted with that filter's value submitted (maybe grabbed by a TextInput widget)
Basically, something like the left side filtering in this example from Google, but without javascript (so even a "non js user" can use my website)
Is it possible? How? Or am i bound to javascripts for this purpose?
Thanks all in advance!
Why not simply use GET query parameters?
Imagine the following:
User searches for "bear", the URL becomes: /search/?q=bear
The query parameters are handled by your view (collect all images corresponding to the query parameters)
The query parameters are sent back to the template in a variable;
Each filter link has the query parameters attached to it together with its own specific parameters, so that the filter link for e.g. medium-sized images becomes /search/?q=bear&size=medium;
Upon clicking that filter link, your view will get a q and an size key in its request.GET dictionary;
Repeat ad infinitum (e.g. /search/?q=bear&size=medium&expression=smiling&color=b-w&activity=dancing).

drupal theming a view for Customfield: PHP code

I have a view called "contests_slider" with a block display. I'm hiding all fields and using a "Customfield: PHP code" field instead which calls a function called display_front_contests(). In that function, querying the database and building some html and returning it. I'm displaying the output in a block. The problem is Drupal is adding alot of extra divs that I don't want. I went to "Theme: Information" and copied the theme "views-view-field.tpl.php" to "views-view-field--contests-slider--block-1--phpcode.tpl.php" and put just: in it and it's still outputting all the extra html.
Any ideas? am I using the wrong template?
If you are only using views to create a block, but otherwise query the datebase, create the markup etc, you should consider making a block in a custom module. All the work is in the code you have already written. That way you wont have to think about the many templates that views uses, but instead you'll just use the block.tpl.php.
Take a look at hook_block for info on how to do it.

passing and getting variables to a cfwindow

I have a table within a form that has many identical rows. At the beginning of each row is a text field and a button that creates a <cfwindow> so that the user can browse an inventory and select a single item. Then I need that item's name and ID to get sent back to the main page and populate the text box.
The main page form works fine. The <cfwindow> works fine (search, display, etc..). I cannot figure out a way to get the variable being set in the <cfwindow> back to the main page and just populate the text field for that specific row and not redraw the entire page. I can't even get the <cfwindow> to access any variable on the main page and I thought that it was just a floating div and would have access to all of the main page variables that are set.
This is one row of the main page (the index is for looping through to create unique names for each row variables):
<cfinput type="button" value="Select" name="xSelect#i#" onClick="ColdFusion.Window.create(blah blah blah...)/>.
<cfinput type="text" name="x1s#i#xName" value="form.x1s#i#xName" size="30" disabled="true"/>
in the <cfwindow>, a query populates a list of items, each with a radio button. User needs to select one and it needs to return that item's ID back to the main page for that row:
I appreciate the feedback. Here's what I ended up doing:
- passed the variables to the cfwindow via url with a button and an onClick="ColdFusion.Window.create..."
- in the cfwindow, I used the url variables as a reference and I have a search dialogue that then sends the search results along with the url variable (via url variables) to a simple action page that just displays a form with the variables populated via an onclick="javascript:ColdFusion.navigate..."
- back in the main page I have a cfdiv that binds to the action page via a url
So by starting with a reference that I pass to my search function, I keep it "tagged" and then every time it is refreshed it shows up in the main page correctly.
So it's working now and the last thing that I need to do is put all my dynamic variables in an array to reduce the overhead.
In ColdFusion you could put something into the session scope or you could use javascript to set hidden fields on the calling page. There may be a nicer solution but that's a couple of quick ones.
Use a Javascript function call in your link on the parent window.
From the Javascript function, use ColdFusion.Window.create to create the child window with a dynamic url passing the vars you need.
Et voilĂ .