XSS protection

Thread began 3/11/2013 10:09 am by Cologne | Last modified 3/11/2013 6:44 pm by Jason Byrnes | 484 views | 9 replies |

Cologne

Hi,

My test website maryjane was blocked on a server because of XSS.
Now I have read some articles about XSS.

Is it possible that it belongs to the FRAMEWORK includes?

How can I test if my page is XSS safe?

Any help? Suggestions?

Cheers,
Denis


Jason Byrnes (WebAssist)

I would need to see the scan report to tell why that page failed.

Normally it happens if you write a URL variable value to the page without scrubbing it using htmlentities. For example:

php:
<?php echo(isset($_POST['postval']) ? htmlentities($_POST['postval'], ENT_QUOTES) : ""); ?>

Cologne

Hi Jason,
now I am a bit afraid. In my backend I let the user insert their website. I check it with the server validation URL.
Will this protect my site or do I need to have more validation?
I tried to enter something like band.php?i=service and it works; I thought this was dangerous :-(
Before I have to rebuild my backend I need to know what protection is already in the WA DataAssist and DataBridge?
Cheers,
Denis

PS. I don't have any protocol.


Jason Byrnes (WebAssist)

In the insert record behavior that stores the website address, when you select the form element bindings, set the formatting option to HTML Encode.


Cologne

Hi Jason,

I think I will always use "htmlentities" before inserting into the database.
If the links don't work, the user has to change them.

I check if it's an email or URL, then I store both with "htmlentities".

Will this be the best solution?

Cheers,
Denis


Jason Byrnes (WebAssist)

Yes, that would work.


Cologne

Hmm, so if I use "htmlentities" it doesn't matter what the user puts into my form fields?
For example I want the street and city; I don't need to worry when I insert with "htmlentities"?
Sorry for asking that much, because, if so, I can use less code, because I don't need all that validation.
Am I right when I say I use the WA validation to FORCE the user to insert LIKE I want?
If I don't want to force the user, is it all right only to use "htmlentities" in the DA wizard?

Is the WA "htmlentities" with "ENT_QUOTES"?

Can you also explain the difference between:

<?php echo (htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)); ?>

and

<?php echo (htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)); ?>?<?php echo preg_replace("/^&/", "", preg_replace("/&?invalid=true/", "", $_SERVER["QUERY_STRING"])); ?>

Which is better to use?

Cheers,
Denis


Jason Byrnes (WebAssist)

htmlentities will convert tags to HTML entities.

So if the user enters:

<bold>John Doe</bold>

and you convert that using HTML Entities, it will insert into the database as:

&lt;bold&gt;John Doe&lt;/bold&gt;
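An added example (mine, not code from the thread or from WebAssist) that runs both points from this reply and the two PHP_SELF snippets quoted earlier: htmlentities() with ENT_QUOTES on the sample values, and the query-string rebuild with its output encoded as well. The function names are assumed, not WebAssist APIs.

```php
<?php
// Added example, not code from the thread or from WebAssist. It shows what
// htmlentities() does to the values discussed above and wraps the two
// PHP_SELF snippets so the rebuilt query string is encoded as well.
// Function names are my own; they are not WebAssist APIs.

// Encode a value for output inside HTML text or a quoted attribute.
function encode_for_html(string $value): string
{
    // ENT_QUOTES converts both " and ', so the value can never close an
    // attribute that was opened with either quote. Before PHP 8.1 the
    // default flags left single quotes alone, so pass it explicitly.
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Rebuild "page.php?query" as the second snippet in the thread does: drop a
// stray invalid=true parameter and the "&" it may leave at the front.
// Both PHP_SELF and QUERY_STRING come from the request, so both are encoded.
function self_url(string $phpSelf, string $queryString): string
{
    $clean = preg_replace('/&?invalid=true/', '', $queryString);
    $clean = preg_replace('/^&/', '', $clean);
    $url = encode_for_html($phpSelf);
    if ($clean !== '') {
        $url .= '?' . encode_for_html($clean);
    }
    return $url;
}

// Constructed sample inputs mirroring the thread.
$samples = [
    '<bold>John Doe</bold>',          // the tag example from the reply above
    "O'Brien's Band",                 // single quotes: only ENT_QUOTES touches these
    'http://example.com/?a=1&b=2',    // a stored website address with an ampersand
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", $s, encode_for_html($s));
}

// The PHP_SELF form action with and without the invalid=true flag present.
echo self_url('/band.php', 'i=service'), PHP_EOL;
echo self_url('/band.php', 'i=service&invalid=true'), PHP_EOL;
echo self_url('/band.php', 'invalid=true'), PHP_EOL;
```

Encoding on output is what stops stored values from becoming markup; encoding before the insert, as discussed above, also works but means the database holds entity-encoded strings, which matters if the same values are later sent anywhere other than an HTML page.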

Cologne

How do I use it with universal Email?


Jason Byrnes (WebAssist)

Same way: when you add a binding for a from address or to address, set the formatting to use HTML Encoding.
