0 votes
0 answers
36 views

I'm developing a web application that accepts user input through forms and displays it on various pages. I'm concerned about Cross-Site Scripting (XSS) attacks and want to implement proper security ...
Irene Lin
3 votes
1 answer
241 views

I'm using the pdf.js library and to prevent XSS attacks, I've set enableScripting to false. This successfully prevents JavaScript execution when it is in the PDF-specific octal format, like /JS (app\...
Amir93 • 43
0 votes
1 answer
363 views

I have a microservice with Spring Boot which has a lot of API endpoints. My devops team recently applied Snyk scan for the Jenkins build which is preventing API deployment due to following error: ...
Saurabh Tiwari
0 votes
0 answers
48 views

I'm working on a program, but veracode is detecting that part of my code is vulnerable to XSS CWE 80. Here is the snippet that is being flagged: ltLinkDoc.Text = '<script>$(window).bind("...
Nguyen Xuan Nghia
0 votes
0 answers
56 views

I am testing a reflected XSS vulnerability on the following URL parameter: https://public-firing-range.appspot.com/reflected/url/css_import?q=payload When I test with JavaScript payloads such as: ...
ali • 1
0 votes
3 answers
147 views

There is a web page which does not use any cookies: <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <script> async function ...
Derick • 1
0 votes
0 answers
83 views

If one wishes to sanitize HTML input, he has to use a library like HtmlSanitizer. Example: var sanitizer = new HtmlSanitizer(); var sanitized = sanitizer.Sanitize(model.htmlInput); Is it possible to ...
thran • 156
0 votes
0 answers
52 views

I am creating my first django-react application, but I got stuck on the login process. Currently I am using simplejwt; while I can keep the access token inside React state, the refresh token has to be ...
ONF • 11
0 votes
0 answers
44 views

I’m working on an AngularJS project, and after running a security scan with Checkmarx, I’ve encountered the following XSS vulnerability: "The in the application embeds untrusted data into the ...
Victoria_lunática
0 votes
0 answers
25 views

I have a React app that renders Vue routes and React routes. All works fine, however, for one specific use case I am mounting a react app inside a Vue app. ReactParent -> Vue -> ReactChild. The ...
Lek • 137
2 votes
1 answer
84 views

I'm trying to prevent XSS requests with HtmlSanitizer in my .NET web app project, e.g.: var sanitiser = new HtmlSanitizer(); var result = sanitiser.Sanitize(rawText); When the body or query has specific ...
rahman • 131
0 votes
0 answers
63 views

I know I am contradicting myself - we have a legacy web application which extensively uses inline JavaScript. This application allows users to upload and view (render within the browser)/download files. ...
Narwhal • 43
0 votes
1 answer
65 views

I am using Url::parse from the url crate For example: let input = "http://example.com:8080/?sort=custom&kind=comm < > ents&scope=discover&time=6mo&page=2"; ...
sudoExclamationExclamation
0 votes
1 answer
65 views

What's the correct way to handle ampersand for the separator in query parameters of a user input URL while also being safe against XSS? On my website, I have an input field where users can put links. ...
sudoExclamationExclamation
1 vote
1 answer
231 views

I have a web interface that uses a JavaScript function to create HTML elements using data from data-* attributes created by the web server. This function will be triggered by the onchange event of a checkbox. ...
Avogatro
1 vote
0 answers
595 views

I am working in the FE with React and the BE with Hasura. Since I am using Azure for authentication, I used the Microsoft Authentication Library (MSAL) with msal.js and acquireTokenSilent for React. ...
Georgios • 1,037
-1 votes
1 answer
79 views

As far as I understood, I need protection against csrf attacks when I use jwt by storing them in http-only cookies. So that when a user visits a malicious site and a request to my server is made from ...
Mikhailo
1 vote
0 answers
79 views

We are running a Checkmarx report for our Visualforce pages. In the Apex controller, we are getting the record name using a SOQL query and then we are passing that record name in the onClick event of apex:...
Anil Meghnathi
1 vote
1 answer
82 views

I am trying to simulate a very simple XSS in Angular but I can't. Is there any reason why it does not work? TS showOutput() { let badOutput = document.getElementById('bad-output'); const badInput = ...
Juraj Jakubov
0 votes
0 answers
83 views

In a given scenario where users of an application can create note-content in Quill, what tags and attributes should be whitelisted in a policy file. I am using OWASP AntiSamy for sanitization. I am ...
beeroggy
1 vote
1 answer
134 views

In WSO2 APIM, we can use regular expression filtering to prevent XSS and SQL, XML and HTML injections. I found that we cannot use "</" and "/>" and even "&lt"...
m.feyzollahi
0 votes
1 answer
414 views

Wanted to ask a question about the Snyk CLI container monitor of a Docker image. So we have a Docker image, for example reponame/image_name:image_tag. We are monitoring this image from the CLI like snyk container ...
user27585135
1 vote
0 answers
78 views

After running XSStrike on example.com/example?example= (for the parameter example), it is certain (10/10 certainty) that the payload %3Chtml%3E%3Cscript%20onpointerenter%3Dconfirm()%3E%3C%2Fscript%3E ...
security_paranoid
0 votes
0 answers
123 views

I'm working on a project where I need to validate external references in PDF files using Apache PDFBox. Specifically, I want to check if a PDF contains any external references, such as links to ...
Ravi Dobariya
0 votes
1 answer
339 views

Traceback (most recent call last): File "/home/anon/python-tools/XSStrike/xsstrike.py", line 174, in scan(target, paramData, encoding, headers, delay, timeout, skipDOM, skip) File "/...
Anon_security
0 votes
1 answer
2k views

I'm new to Angular. I have this problem when trying to implement the href value of the Sitemap tag dynamically. This value contains the URL of the XML which is stored in the database. The problem ...
Dev Cop
0 votes
0 answers
79 views

I am using the Django Rest Framework for my backend and React for my frontend, and they are served on different domains and subdomains, and now I am completely confused about what I should do to secure ...
webdeveloper
2 votes
1 answer
119 views

I have a Django app where a few of the forms support a text input with maximum lengths of either 50 or 250 characters. In all cases, the data entered will be stored in the backend DB and will be ...
JDM • 1,823
0 votes
1 answer
1k views

I am writing a static page for a tool: User pastes in base64 and it gets converted into plaintext. Not like it matters, but because the context is cryptographic, I want to prevent XSS. I noticed ...
vector001
1 vote
1 answer
70 views

We recently had a penetration test done, and one of the "high" items was the fact that our servicestack API will reflect back user input unmodified to the caller. E.g. I can send some ...
David Hiblen
0 votes
2 answers
282 views

I have a website that uses jQuery ajax $.post to save HTML data to a PHP script. The data for $.post is serialized textarea form data (where the user edits CSS, JavaScript & HTML). All works well ...
Jsp • 305
1 vote
1 answer
111 views

This is one of my fields in one of my JSP files: <input class="form-input" id="login" type="text" name="login" <c:choose> <c:when test="${...
DoWhileFor
1 vote
1 answer
60 views

I encountered this seemingly safe function to extract text content from HTML: function getText(html) { const div = document.createElement('div') div.innerHTML = html return div.textContent } It ...
Konrad • 24.9k
0 votes
1 answer
104 views

I have an iframe embedded in a different domain that opens up a popup window in a different domain. I am trying to establish cross window communication and running into a bunch of XSS security ...
user25622659
-1 votes
1 answer
562 views

I have the following code: const Show = () => { const dangerousMarkup = { __html: "<script>alert('ERROR');</script>" }; return ( div dangerouslySetInnerHTML={...
Howard • 39
0 votes
0 answers
162 views

I was checking out this Portswigger lab: https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-scanning-non-standard-data-structures And basically the ...
my8833 • 1
0 votes
0 answers
72 views

I have a series of user-input string fields that have to accept ' and ", and I have to present them correctly in a blade view. I would like to know if it would be secure (and what issues can I ...
Alberto Suárez
0 votes
2 answers
211 views

https://www.php.net/manual/en/function.htmlspecialchars.php flags... The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. But then below When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is ...
Qiao • 17.1k
0 votes
1 answer
396 views

I am having the following <!DOCTYPE html> <html lang="en"> <head> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script&...
Santhosh • 12k
0 votes
1 answer
115 views

I am reading about FILTER_SANITIZE_STRING being deprecated, so I am looking for the best option to filter inputs for security reasons, to prevent MySQL injections and XSS injections too. My users will ...
New-Girl
0 votes
2 answers
528 views

I'm parsing the user inputted markdown into HTML using the marked library, and rendering it using the @html tag But the issue is if the user input is something like <script>alert('hello')</...
Rashaad • 73
1 vote
0 answers
328 views

I used the default DOMPurify (https://github.com/cure53/DOMPurify/tree/main) configuration for input sanitization in JavaScript, but noticed that tags like "h3" are allowed. I was wondering ...
Ronald • 187
1 vote
1 answer
723 views

I currently have a site which I am running using Nuxt3 as SSR. I am using Strapi as my CMS to pass content to Nuxt via the Nuxt Strapi Module (https://strapi.nuxtjs.org/). My content has some ...
wizzer711
0 votes
1 answer
129 views

An HTML script calling my ASP.NET code-behind page load event, that is my problem. I have the below ASP.NET page: <%@ Page Language="C#" AutoEventWireup="true" Inherits="...
user24846708
0 votes
1 answer
131 views

I was implementing Google Tag Manager in Next, and all of the resources I saw online said to use dangerouslySetInnerHTML. My understanding from the docs is that it's "dangerous" because it ...
Cam • 670
-1 votes
2 answers
97 views

I define object a with an empty method b(). The method has no parameter and does nothing! Please someone tell me, why when I call a.b() and pass JS code as a parameter, does it execute the code? ...
KeepCalmBaby
1 vote
2 answers
412 views

I am uploading a file to the server using FtpWebRequest. But it causes a critical Cross-site scripting (XSS) vulnerability. This file's contents are important and I need to upload them as is. How could I fix this ...
alinz • 81
0 votes
1 answer
819 views

How can I steal a cookie when HttpOnly is on and CSP rules are defined? Assume that an attacker is given an input field that performs HTTP and that it is vulnerable to XSS attacks: <form action="...
ZedORYasuo
0 votes
0 answers
204 views

AlpineJS is a great tool for doing minor interactivity in a concise and local manner. However, in so doing, it requires evaluating JavaScript code in its attribute values, and so is incompatible with ...
Tom Hunt • 968
0 votes
0 answers
213 views

I have the following code in my ASP.NET Core MVC project. Security assessment tools have reported a cross-site scripting (XSS) vulnerability at return new JsonResult(new { response = sresponse, clientdata =...
Gags • 913