sending Sha256 hash as a URL param as signature for Rails request data - ruby-on-rails-3

I've noticed that when I send a url like this:
http://localhost:3000/register/register_user/?sig=zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4=
what comes through when I use it to compare to the expected result using params[:sig] in the controller is this:
zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk 3FsXPr4=
For some reason the '+' sign that was in the url at the 9th character from the end of the string has been converted to a space.
Not sure why that happens, whether it only happens with + signs or what.
The result returned by Digest::SHA256.base64digest(data) has this plus sign so my validation of the signature is failing.
What's the best way to fix this? Will it suffice in the general case just to convert '+' signs into spaces before the comparison, or is there some less ugly way to address it?

You'll need to url encode it. Either do a search and replace for + with %2B or force the encoding using open-uri.
require 'cgi'
sig = "zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4="
puts CGI.escape(sig)
Tested it this time.
irb(main):008:0> require 'cgi'
=> true
irb(main):009:0> CGI.escape('zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4=')
=> "zaQ%2F876CwJMEEmrJqAOYHyEKBXy2s03NDmk%2B3FsXPr4%3D"
irb(main):010:0>

Related

Display markdown safely as HTML in Vue3

So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say, I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
toHtml = text
.replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
.replace(/\\n/g, "<br>")
.replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>")
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter these strings themselves, and they would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execute malicious code, even if the string in the server contains <script>malicious code</script>, right?
My problem is that at some point I expect users to be able to enter these strings themselves
So, do we have a form input for the users to enter the string which you mentioned in the post? If yes, my suggestion is that you can sanitize the user input in the first place before passing it to the backend, so that in the backend itself no malicious code should be stored.
Hence, by using the string.replace() method, you can first replace the malicious tags, for ex. <script>, <a, etc., from the input string and then store that in a database.
Steps you can follow :
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all the occurrence of the characters available in the string as per the blacklist regex with the empty string.
Store the sanitized string in database.
So that, you will not get worried about the string coming from the backend and you can bind that via v-html without any harm.
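An added example, not from the question, the answer, or the vue-3-sanitize project, showing the alternative the question is circling around: instead of stripping a blacklist of tags, escape the whole string first and then translate only the custom markers (<color>, <caution>, \n) into the three tags the template needs. Whatever a user typed reaches v-html as text, never as markup, so there is no list of "bad" tags to keep up to date. The naive version from the question is kept beside it for contrast, and the inputs are constructed for the demonstration.

```javascript
// Added example (not from the question, the answer, or vue-3-sanitize):
// escape first, then translate only our own markup into the few tags we allow.
// Everything a user typed reaches v-html as text, never as markup.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that has meaning in HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The approach from the question, kept for contrast: it rewrites the custom
// tags but passes any other HTML in the input through untouched.
function naiveToHtml(text) {
  return text
    .replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
    .replace(/\\n/g, "<br>")
    .replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>");
}

// Safe variant: after escaping, our markers read "&lt;color&gt;" etc., so the
// regexes match the escaped form. Non-greedy groups keep two markers on one
// line from merging; an unmatched marker simply stays visible as literal text.
function customMarkupToHtml(text) {
  return escapeHtml(text)
    .replace(/&lt;color&gt;([\s\S]*?)&lt;\/color&gt;/g, '<span class="primaryColor">$1</span>')
    .replace(/&lt;caution&gt;([\s\S]*?)&lt;\/caution&gt;/g, '<div class="caution">$1</div>')
    // accept both a real newline and the two-character sequence "\n"
    .replace(/\n|\\n/g, "<br>");
}

// Constructed inputs: the sample from the question, and a user-supplied string
// carrying a script tag and an attribute-breakout attempt.
const SAMPLE = "This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text";
const HOSTILE = '<script>alert(1)</script><color>" onmouseover="x</color>';

// Helper for checking a rendered string: does a real (unescaped) tag survive?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

console.log(customMarkupToHtml(SAMPLE));
console.log(naiveToHtml(HOSTILE));        // script tag survives
console.log(customMarkupToHtml(HOSTILE)); // script tag is inert text
```

Because the output only ever contains tags this function wrote itself, with fixed class attributes and escaped text between them, binding it with v-html is safe and a second sanitizer on the server is not what protects you; what protects you is that the escaping step runs on every render, regardless of where the string came from.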

param is not taking %2B

In my Karate Script, I am giving param input = '%2B61293744000'. I have used %2B for encoding + as it is a phone number with country code.
Now the URL that is formed is taking input as input=%252B61293744000 , which means that the % itself has been taken as %25
Any idea how to handle this?
Figured out that in Karate if I directly give param input = '+61293744000' this is working fine, and the URL is formed with %2B, which is correct.
So no need to encode it in parameter.

Why when I send to a server keywords=C++ server drops plus signs?

I'm using Node.js and I found out that when I send a GET call to a server with C++ then in the SQL binding I get C(blank space)(blank space) (checked with console.log(req.query.keywords)), so essentially the same length of string, but no chars there.
When I use SELECT * FROM jobs WHERE keywords LIKE' %c++%'; it works normally and gives me results. Is there something I don't know about Node - like it's dropping signs like +?
I think the issue you're having is the same one outlined here: URLs and plus signs
The issue is that a GET is going to use the query string in the URL and plus signs need to be formatted (or encoded) similar to how a space is formatted as %20 in URLs. You could probably use or create a UrlEncoding method in your application.
In Node, I believe you can use something like: encodeURIComponent('C++')
The URL encoding for + is %2B

Problem with validating '<' character in input box

Whenever I get the .val() of an input box with javascript, everything after and including the < character is not included. So if I put "hello<yo" I receive hello.
So a user typing '<' anywhere in the textbox will either submit a false input he didn't want, or receive the wrong error message
(i.e. if he inputs "<hello", it will say it's blank)
This seems to be fine in javascript alone. But I am getting the val() from javascript and then in ajax I am sending it to a php URL as a query string and validating it there in the php.
Any ideas?
Thank you.
EDIT: My bad, I didn't know there was a striptag() function being called in php.
Instead of entering < try entering &lt;.

facebook api query string issue

I develop a facebook api with asp.net. I have to send a query string, but this query string may include special characters like (ı, ç, ö, ş, ğ). When I send a query string with special characters, facebook returns me an error:
The URL http://apps.facebook.com/sportsfanarena/Results.aspx?s=13&co=3&ci=Bal%c4%b1kesir&g=0 is not valid.
The "ci" variable's value is "Balıkesir".
Is there any solution to handle it?
I believe you need to use URL encoding to send characters like that, though I may be mistaken.
Here is an online utility which will take text and encode/decode it in URL encoding.
Try encoding the word you are wanting to send using this utility, and then try your API request with the encoded text.