I feel silly asking this question but I'm dealing with a vendor who told me that in order to generate a specific required key I need to reference the jscript library instead of Javascript.
I know how to reference Javascript but simply changing text/javascript to text/jscript doesn't work?
Related
Is there anyway to sanitize SVG file in c#, any libraries anything?
From client side we are sanitizing the SVG files while uploading , but the security team is asking for a sanitization in serverside too.
I'm primarily a Python developer, but I thought I'd throw some research into the issue for ya. I used to develop for C, so I thought I should at least have a basic understanding of what's going on.
*.SVG files are structured like XML documents, and use the HTML DOM to access JavaScript and CSS functionalities. Trying to enumerate and script out every single catch for potential JavaScript-based security issues doesn't seem realistic, so personally, I'd just entirely remove all JavaScript sectors that do anything more than define simple variables, do math operations, or reference already-defined visual elements from any uploaded *.SVG files.
Since *.SVG files are based on XML and are human-readable, this could be accomplished by iterating through the file either line-by-line like a text file or element-by-element like an XML or HTML file. You'd want to go through and remove all the JavaScript scripts that don't meet the above criteria, save it & then convert it to XML and use a standard XML-sanitation library on it, and then convert that back to *.SVG. I reckon this Github library and this StackOverflow thread could be helpful in that.
I hope my response was helpful!
It is true what your security team say: client-side security is not security. It is just user convenience. Never rely on client-side checks. Anyone wanting to do bad things to your application will bypass client-side checks first thing.
Now, a SVG file can be used in a XSS attack only by leveraging the <script> tag.
Unfortunately, defusing/securing a script is a very complicated topic and prone to errors and both false positives and negatives.
So, I believe your only recourse is to remove scripts altogether. This might not be what you need.
But, if it is, then it's very simple to do. The script tag cannot be masqueraded inside the SVG, or the browser will not recognize it in the first place, making the attack moot. So a simple regex should suffice. Something like,
cleanSVGcode = Regex.Replace(
userSVGcode,
#"<script.*?script>",
#"",
RegexOptions.IgnoreCase|RegexOptions.SingleLine
);
It is possible to sanitize out further sequences. Since, if they're written incorrectly or in an obfuscated way, javascript calls won't work, the number of these sequences is limited.
#"javascript:" => #"syntax:error:"
I want to use Blockly to do some calculations, and then generate text files (as opposed to exporting code to JavaScript, Python, PHP, etc.)
I can’t see an obvious way to create my own blocks to do this in Blockly, so using AppInventor (Version: nb168), I got storing and retrieving files to work, in a crude test app on my Android tablet.
In AppInventor/Designer mode, clicking Storage/File creates a “Non-visible component for storing and retrieving files. Use this component to write or read files on your device.”
Then, in AppInventor/Blocks mode, clicking the “File1” icon gives access to 7 “file type blocks”, e.g. AppendToFile, Delete, ReadFrom, SaveFile, etc.
Is it possible to create similar “file type blocks” to use in Blockly Web?
I have limited programming knowledge, so would appreciate simple answers, please.
Thanks, Pete.
Andrew N Marshall from Google/Blockly has told me this:
"This is absolutely possible ...as long as you willing to work within the browser's security restrictions. The resulting files will be need to be manually "downloaded" one at a time, rather than written directly to the user's file system.
... I would start understanding what JavaScript functions are available to you. Attempt to construct a string and save it via a download dialog...
That means the "file" contents are really just a string in memory, a JavaScript variable. We have lots of "Text" blocks that can do a variety of operations on strings. If those are enough, you'll only need one new block to identify the string variable and initiate the download process.
Otherwise, you'll need to think about what blocks you want, and how they operate. They may operate on a specific variable in the JavaScript VM, not necessary exposed as a variable to Blockly.
Either way, you'll need to learn how to create a block and a Blockly app. We have a code lab that will walk you through all the steps. You'll learn how each block generates a string of code, and in your case, that code will be related to the download code I mentioned earlier."
So I'll press on - I just wanted to be sure my goal is actually achievable before I started.
Thanks, Pete.
In Twig internal documentation we can read that lexer could be changed:
$twig->setLexer($lexer);
My question is: Is possible to extend from Twig_Lexer?
When reading the code I can see most members are private, this makes harder the reuse of members or extending at all. Also the setLexer() from Twig_Environment has a type hint for Twig_Lexer.
What am I missing here ?
Thanks in advance.
As documentation purpose. The answer to this question can be seen in this issue
Basically all extension from internal classes is discouraged and will not be supported in Twig.
I'm looking for something like gulp-html-replace but instead of replacing what's in between the
Will be useful for modifying html documents.
I think you're asking the wrong question. If you have a consistent part (content) present in multiple html documents, you should be using a server side language to generate the html pages. That way you can create partials and modularize them to be included in multiple pages so when you change it once the change can be reflected.
If this is somehow not an option (for whatever reason) you should consider looking at something like handlebars
Also if the content is fairly static, most modern editors will allow you to search / replace in multiple files, there should be no reason to use gulp for what you are describing.
That being said try gulp-inject
The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) subsequently caters for this having encoders for each context:
ESAPI.encoder().encodeForHTML("input");
ESAPI.encoder().encodeForHTMLAttribute("input");
ESAPI.encoder().encodeForJavaScript("input");
ESAPI.encoder().encodeForCSS("input");
ESAPI.encoder().encodeForURL("input");
Subsequently this allows the developer to cater for DOM-based XSS .
So my question is how does GWT's safehtml package cater for this or does it merely focus on HTML encoding?
SafeHtmlTemplates will do it (client-side only though, as it relies on a GWT generator). It'll parse the HTML fragment using a "tag soup" parser, that will infer the context and either log a warning or throw if the argument cannot be used in this context (for instance, it prevents all use of placeholders in script context). This is still in flux though (SafeUri is still in review and SafeStyles is still severely limited) but it'll be there in due time (should be in GWT 2.4 I think).
Otherwise:
SafeHtmlUtils's will escape all of <, >, &, ' and " so the result is safe for "HTML" and "HTML attribute" contexts
SafeHtmlBuilder's various append methods will just call SafeHtmlUtils under the hood
UriUtils provides tools to scrub unsafe URIs (you'll still need a SafeHtmlUtils pass or equivalent afterwards if you're building an HTML string –vs. using the value directly for an image's source or anchor's href–).
SafeStyles doesn't provide anything specific in itself, but SafeHtmlTemplates will only allow it at the beginning of a CSS context, and will log a warning if you try to put anything else in a CSS context. SafeStylesBuilder is expected to be extended with type-safe methods, to help build well-formed CSS.
I've been working on a SafeUri interface, similar to SafeStyles but in a URL context. In due time, SafeHtmlTemplates will only allow a SafeUri or a String as the full value of a URL attribute, passing the String through UriUtils to make sure it's safe.
In brief, I think the answer to your question is: yes, GWT's safehtml package cater for this; but you'll probably have to always use the latest version of GWT (at least for the coming year) to be safe.