What is the way(best practice) to deal with XSS? - xss

I am using ASP.NET and on ASP.NET page has validate attribute which checks for the XSS validations. However i would like to know that is it really sufficient ?
I have visited some of the related post on stackoverflow and that helped me but i am looking to understand how to plan for XSS when developing web sites ?
Do we have to check XSS on client side, AJAX also ? How to do that ? Are there any tools which can help testing the XSS ?
Thanks,

These are the basics:
Do not allow HTML input
Always html encode input when displaying it
Use the AntiXSSLibrary from Microsoft, or a similar library

Check it out: Allowing HTML and Preventing XSS # shiflett.org

Related

Sitecore 7.2 Item Web Api - Unable to PUT html text

I am trying to update (using PUT operation) a sitecore item with a 'Rich Text' field with the Sitecore ItemWebApi 1.2. I am running in to an issue with the server saying
"A potentially dangerous Request.Form value was detected from the client"
I could do the validationRequest=false in the web.config. But that will disable the validation for all requests which is not ideal. Is there a way to save html text using ItemWebApi without using the validationReques=false? Seems for aspx pages you could use #Page. Not sure where something like that could be configured in this case.
May be you have already figured out the answer for yourself, but in interest of our fellow community I posting answer here.
Actually myself get struck into this similar issue from last week, but because of your question i found the solution.
By Default Sitecore nowdays comes with
<pages validateRequest="false">
but it is not effective until or unless we do following
<httpRuntime requestValidationMode="2.0"/>
It is also indicated in Sitecore KB article and in another stack overflow answer.
Regards
Vishal Gupta
I did double escaping on client before sending to server and double unescaped with a custom item web api processor to essentially achieve the same effect for this one ajax call. This way, I did not have to turn off validation application wide and had to add the validateRequest=true on all pages. Turning of default html validation would also mean every other developer on our team needs to be aware that html validation is turned off and they have to add special xml on top to enable it. Someone missing that will make our site insecure.

Django REST API/AngularJS Application

So I am building a web tool using Django REST API and Angular JS. I have CSRF protection built into the bootstrapped template. My question is, do I have to do server validation of the POST information when submitted on a form?
I am used to doing all the validation server side, but with the CSRF stuff and how the REST API works, I don't know if I need to? For instance if I want to validate that a piece of the form is only alphanumeric etc to prevent injections and such.
Thanks.
Django does a pretty good job when it comes to validation, so SQL injection shouldn't be your concern as long as you don't write raw queries - see here for more explanations.
However, if you have specific validation that you want and that is not enforced by django (such as not allowing a user to have a password length smaller than 8), you should definitely do it on the server side, even if you are already doing it in Angular.

Meteor and cookies

Is there any way to use cookies in meteor?
I would like to have a per-machine id so I can handle license verifications.
Thanks
well, basically we used the jquery cookie plugin for that,
unfortunately there is no way to pass cookies from the server to the client directly so far (i guess you were thinking about something similar to the php cookie implementation).
i just use https://github.com/carhartl/jquery-cookie for this,
but you can also just use the builtin javascript cookie functions for that.
https://github.com/manarius/stellar/ feel free to have a look at stellar to see how we used cookies in there :)
have fun :)
manarius
I ended up solving my own question with localStorage.
There is no need for cookies in this scenario, just used localStorage to store the machine id and send it throw the Meteor.method call.
If older browsers are an issue, use localStorage.polyfill smart package.

Server templating versus Javascript client-side templating

I have recently been studying different options (iCanHaz.js + Mustache.js, jQuery templating, Handlebars.js + Mustache.js) to generate the content from the client side. But I am not really sure this is good for SEO.
I am using Django on the Backend
I clearly see the advantages of processing / rendering less HTML on the server BUT, is this solution good for SEO?
Does crawlers read AJAX / Javascript generated HTML?
Thanks
http://code.google.com/p/distal/wiki/FAQ#Do_you_support_search_engine_optimization?
Google crawler read specially marked js|ajax content. But is fact - ajax for seo is bad. JS templating like knockout only for dynamic forms or wizards imho.

Emulating a web browser to wrap the functionality of several similar web sites

I'm interested in emulating the functionality of a web browser in C++ so that I can create a wrapper for several web sites. Right now, the biggest issues with these sites are that they make heavy use of JavaScript that interacts with the HTML DOM. Thus, the simple solution of using curl to download the page, and something like RapidXML to parse its contents is out.
Next, I considered using something like v8 with curl, and that solves the issue of interpreting the JavaScript on the page nicely. However, it doesn't solve the issue of connecting the HTML DOM methods with the JavaScript; in other words, document.getElementById() would fail in v8.
Next, I considered WebKit, which seems like it's perfectly suited to emulate a web browser--after all, Chromium and Safari both utilize it in their web browsers. However, it's a little too complete. I don't need all of the rendering aspects it includes.
So, I'd be looking for some way to:
Make an SSL connection to a web site
Interpret the JavaScript on that web site in connection with the HTML DOM
Set the value of the username/passwords <input> fields with my username and password
Simulate clicking the "Submit" button by calling the formSubmit() function, from <input type="button" onClick="formSubmit()">
Handle the HTTP POST form action and the subsequent HTTP 301 and JavaScript redirects (accomplished using window.location)
Repeat 2-5 as needed
Besides what I've already considered, what other options do I have? Ideally, I'd want this to be extremely lightweight, without requiring linking to many libraries.
I'm primarily concerned with developing for Windows 7 64-bit.
Well, this sounds all too much like a brute-force program. Disregarding that, and since you don't seem to need to render any website, I think you should just fetch the file through cURL or something, then parse it, check for the form through using a regex, retrieve the form action, then make a request using the method taken from the <form> tag and whichever input you want.
Problem is, there would be no proper way to know when is it that you've logged in properly, unless you made some kind of per-site checking. This comes mainly from the fact that many sites use sessions rather than direct cookies or HTTP auth, and since you can't read from sessions directly, it is impossible for you to guess when the session has changed.
That's the most lightweight solution I can come up with right now.