Whenever I get the .val() of input box with javascript, everything after and including the < character is not included. So if I put "hello<yo" i receive hello.
So a user typing '<' anywhere in the textbox will either submit a false input he didn't want, or receive the wrong error message
(i.e. if he inputs "<hello", it will say it's blank)
This seems to be fine in javascript alone. But I am getting the val() from javascript and then in ajax i am sending it to a php URl as a query string and validating it there on the php.
Any ideas?
Thank you.
EDIT: MY bad i didnt know there was a striptag() function being called in php
Instead of entering < try entering <.
Related
So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say, I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
toHtml = text
.replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
.replace(/\\n/g, "<br>")
.replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>")
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter this strings themselves, and that would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execut malicious code, even if the string in the server contains <script>malicious code</script>, right?
My problem is that at some point I expect users to be able to enter this strings themselves
So, Do we have a form input for the users to enter the string which you mentioned in the post ? If Yes, My suggestion is that you can sanitize the user input at first place before passing to the backend. So that in backend itself no malicious code should be stored.
Hence, By using string.replace() method. You can first replace the malicious tags for ex. <script>, <a, etc. from the input string and then store that in a database.
Steps you can follow :
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all the occurrence of the characters available in the string as per the blacklist regex with the empty string.
Store the sanitized string in database.
So that, You will not get worried about the string coming from backend and you can bind that via v-html without any harm.
I've noticed that when i send a url like this:
http://localhost:3000/register/register_user/?sig=zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4=
what comes through when I use it to compare to the expected result using params[:sig] in the controller is this:
zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk 3FsXPr4=
For some reason the '+' sign that was in the url at the 9th character from the end of the string has been converted to a space.
Not sure why that happens, whether it only happens with + signs or what.
The result returned by Digest::SHA256.base64digest(data) has this plus sign so my validation of the signature is failing.
What's the best way to fix this? Will it suffice in the general case just to convert '+' signs into spaces before the comparison or is the re some less ugly way to address?
You'll need to url encode it. Either do a search and replace for + with %2B or force the encoding using open-uri.
require 'cgi'
sig = "zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4="
puts CGI.escape(sig)
Tested it this time.
irb(main):008:0> require 'cgi'
=> true
irb(main):009:0> CGI.escape('zaQ/876CwJMEEmrJqAOYHyEKBXy2s03NDmk+3FsXPr4=')
=> "zaQ%2F876CwJMEEmrJqAOYHyEKBXy2s03NDmk%2B3FsXPr4%3D"
irb(main):010:0>
I'm kind of new to selenium IDE and automated test and I don't know much about programming languages. I have a question concerning verifyText command as verifyTextPresent is deprecated. If I put the target word/text in * * will it work as if I was using verifyTextPresent? Could waitForText work?
I am trying to verify that the search function of a website is working as expected. I search the word "client" and I want to verify that the word is present in the results.
clickAndWait css=div.cf-tooltip-text
type id=edit-global-search client
clickAndWait id=edit-submit-global-search
verifyText id=content-column *client*
This works, but in the Log I can not understand what it really does. Also if I try the word on its own "client" I get an error which I understand because it compares it to the text of the whole column. I also tried to put an irrelevant word between asterisks such as youwillnotfindthetext (just to make sure that everything between asterisks will pass the test) and there I had an error too.
So it seems to be working somehow but I want to ask some of you expert guys.
Thanks
If you put a * in starting and ending means it will look for the inner text containing in the specific element. If a text is present as you given in the script it will return a pass. If the text u specified in the script is not present, it will throw an error. That's what happens when you put youwillnotfindthetext in between the *.
Check this link Selenium: test if element contains some text
Instead of getting the bot's last response with 'that' i would like to know if there is any way I can get the user's previous input to see if the user typed the same statement again and respond accordingly instead of simply parroting the same response over and over again. Is there any tag in AIML for this?
You can use the input index=n tag for this
As you said, < input index="n"/ > should work. N=1 for the most recent input etc.
I'm doing something like the following: Validate number of nested attributes.
I'm checking for existence of at least one nested attribute.
This was working fine when I was using a text input for the date but I've changed it to use a date_select instead and now the same validation code shows an error saying that not enough have been chosen.
When it fails validation and reloads the form it also doesn't "build" an instance of the nested attribute either so it just shows my "[+]" link
Anybody got any ideas?
Failing everything I'll just have to put the text field back (probably using type=date).
Col
I decided to just put the text field back.