There was one question before but with no answer.
Since express-sanitizer is deprecated, I'm wondering how to properly sanitize data in NestJS queries?
I would probably use a global custom pipe for that, but honestly I have no idea how I could turn a string like <script>....</script> into a properly sanitized format.
Do you know any npm packages that would help to sort that out?
Check out this question. I think your best option is using a package like xss or strip-js to strip javascript code from a string. Then wrap it in a custom pipe.
I'm trying to find a way to check if my rdfa-parser (written in nodejs) is working.
So I have an rdfa-parser, which should print all triples, found in a file or url (with rdfa-syntax).
As far as I know, there are test suites for RDFa parsing (http://rdfa.info/test-suite/rdfa1.1/html5/manifest), but I'm not sure how to use them.
Is there a good webpage, where this is described? Or can anyone help me in another way?
There should be some information at the rdfa.info/tests site. Basically, you need a service that will accept a GET request, where the "uri" query parameter points to the input file. The service then parses the file, and returns some other form of RDF, typically N-Triples. More information on the Github page: https://github.com/rdfa/rdfa-website/blob/master/README.md
Most times I've seen URLs written to open an XPage in read mode using action=openDocument, but occasionally I've seen action=readDocument used. Just curious if there are pros/cons in using one vs. the other.
I don't know of a difference. Honestly, I never use these URLs anymore myself. So it's really not a big deal very likely.
Keep in mind, you don't need to use these at all if you don't want. You can pass your own parameter in the URL and then via SSJS access any parameters with the param object. You can also get the parameters in Java easily enough.
Just a thought.
I want to use the version number from the manifest file in my extension. Is there a way to access the value?
Thanks!
Currently there are two ways to get this. The first is to perform an XMLHttpRequest to manifest.json (the URL is chrome.extension.getURL("manifest.json")) and JSON.parse the response. The second way is to use the chrome.apps.getDetails() API, which is going to change sooner or later.
BTW, I have found another way to get the version of an extension. You can use chrome.management to get it. In fact it's prettier than using chrome.app.getDetails and it's async, but it seems superfluous to use the whole API for just getting the version of your own extension.
UPD 2014/05/18: chrome.runtime.getManifest().version is now probably the best way to do this.
What's the best way to escape data from Models or Controllers to easily and safely display it in views? It seems kind of overkill to use html::specialchars($varname) for every data variable. It can also cause problems if a programmer forgets to "escape" data.
I've also encountered problems escaping ORM objects within loops.
I wrote the Twig module gimpe has suggested and by default it automatically escapes all data. You might also want to look into Kostache. It's a class based view system that does automatic escaping.
Regarding your comment:
Is there a way to do this directly from the Model
You don't want to escape the data here because HTML escaped data doesn't make sense in all output formats, eg: JSON and XML.
Do the escaping at the view level.
One way to achieve that is using a templating engine like Twig for the views. (see KO3 module http://github.com/ThePixelDeveloper/kohana-twig)
Then you simply need to load the Escaper extension:
Twig_Extension_Escaper: Adds automatic output-escaping and the possibility to escape/unescape blocks of code.
Ref.: http://www.twig-project.org/book/03-Twig-for-Developers
I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting.
Are there any functions I should use?
Can you provide me with a good function for some basic protection?
Is there something like a parameterized query in asp?
Thanks!
Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).
Here is a link.
As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.
Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
Always use Server.HTMLEncode to sanitize user input.
For example, if you're setting a variable from a form text box:
firstName = Server.HTMLEncode(trim(request.form("firstname")))
Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always use parameterized queries.
There are a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also, if you're expecting an integer, you could use CLng(Request("blabla")) to get it; thus if it's not an integer the CLng function will raise an error.
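As an added example (not code from any of the answers above), here is how the two points in this answer fit together in classic ASP: type-check the input, bind it as a typed ADO parameter instead of concatenating it into the SQL text, and HTMLEncode only when writing to the page. The Users table and its columns, the connection string stored in Application("ConnString"), and the query-string names are assumptions.

```vbscript
<%
Option Explicit
' ADO constants (normally from adovbs.inc); values spelled out so this runs without the include
Const adCmdText = 1
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1

Dim conn, cmd, rs, rawId, status

' Validate the type before it reaches ADO: CLng on non-numeric text raises a runtime error
rawId = Trim(Request.QueryString("id"))
If Not IsNumeric(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
' Column width assumed to be 50; truncate so the bound size always covers the value
status = Left(Trim(Request.QueryString("status")), 50)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string set in global.asa

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text contains only placeholders; user input is bound as typed parameters and
' never concatenated into the statement, so a quote in "status" cannot alter the query
cmd.CommandText = "SELECT FirstName, LastName FROM Users WHERE UserId = ? AND Status = ?"
cmd.Parameters.Append cmd.CreateParameter("UserId", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("Status", adVarWChar, adParamInput, 50, status)

Set rs = cmd.Execute
Response.Write "<ul>"
Do Until rs.EOF
    ' Encode at output time: markup stored in the table is shown as text, not rendered
    Response.Write "<li>" & Server.HTMLEncode(rs("FirstName") & " " & rs("LastName")) & "</li>"
    rs.MoveNext
Loop
Response.Write "</ul>"

rs.Close
conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```

Encoding on output rather than on input keeps the stored data usable for other formats (JSON, XML, email), which is the same reason the Kohana answer above recommends escaping at the view level.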
One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:
<%
Dim x
For Each x In Request.Form ' Do this for Request.QueryString also
    ' x is the field name; inspect the submitted value, not the name
    If InStr(Request.Form(x), "<") <> 0 Then
        ' encode the value or redirect to error page?
    End If
Next
%>