Best regex to catch XSS (Cross-site Scripting) attack (in Java)?

Jeff actually posted about this in Sanitize HTML. But his example is in C# and I'm actually more interested in a Java version. Does anyone have a better version for Java? Is his example good...

Is it possible to make XSS attacks through html comments with JSP code inside?

Is it true that the following code adds an XSS vulnerability to some JSP page? <!-- <%=paramName%>=<%=request.getParameter(paramName)%><BR> --> It looks like a "leftover debug" and definitely...

Does https secure cookies prevent XSS attacks?

Does an https connection secure cookies and prevent XSS attacks? I have a simple blog that allows users to enter JavaScript code as an input. I want to allow JavaScript input by the user while still...

What is the threat model for the same origin policy?

http://en.wikipedia.org/wiki/Same_origin_policy The same origin policy prevents a script from one site talking to another site. Wiki says it's an "important security concept", but I'm not clear on...

Retrieving element IDs from external web pages

I am trying to get a web page to print an element ID that has been clicked on (using an alert for now). However, the web pages will be external sites (Google for example). I have tried this with a...

Sanitizing Input in ASP.NET MVC Application

I have an MVC app with a Service layer and I'm trying to figure out how to sanitize all inputs without going insane. I have validation under control - field-length, data-types, and other...

Alternate Solution for setJavaScriptEnabled(true);

I have developed an Android application which uses the WebView component. I have used the following line in my code, webViewScores.getSettings().setJavaScriptEnabled(true); Due to this line it is...

Is it possible to detect the user click event in the popup window?

I can detect the user click event in the popup window if the current URL and the popup URL are in the same domain, using the following code: var myWindow = window.open("abc.html","MsgWindow",...

301 curl does not show without -v

I was looking at the 301s that several 2.level domains use to redirect to their www 3.level domain, and I thought curl on its own was enough, for example curl myvote.io <HTML><HEAD><meta...

Haskell How to count and group strings in a list

I am learning Haskell and need some help in figuring out the logic for this function. I only want to do the problem using functions in the standard Prelude and recursion if possible. So I have a list of...

XSS cross-site scripting in practice

I know an XSS attack uses input points of a page to insert JavaScript code into the page or into the server DB. In both cases the JavaScript code will be activated sooner or later on some events. I ...

Thymeleaf + Spring : How to keep line break?

I'm using the Thymeleaf template engine with Spring and I'd like to display text stored through a multiline textarea. In my database multiline strings are stored with "\n" like this:...

How and where to store access token securely

I know this question has been asked many times but frankly I have not seen an answer that satisfies the criteria I have. So I have an ASP.NET Web API that issues an access token (JWT) when...

Handle ResourceNotFoundException, message not good

I use Spring Boot and I am starting to manage errors. I created an exception handler to treat resources that are not found. @ControllerAdvice public class RestResponseEntityExceptionHandler extends...

robobrowser won't change cookies

I have a POST request sent to the server from robobrowser and the server responds with no data but with the following response headers (this is the response from the Chrome browser and it's the way it's supposed to...

How to create a function that creates a Cartesian product Iterator from an Iterator of Iterators?

If I want to create a Cartesian product of a list of lists in Haskell, I can do this: product [] = [[]] product (xs:xss) = concatMap (\k -> map (k:) (product1 xss)) xs or even this: sequence...

Modify <meta> tag with JS (chrome extension) on response receiving

I have a Chrome extension that adds a panel to the page in the floating iframe (on extension button click). There's certain JS code that is downloaded from 3rd party host and needs to be executed...

How to implement authentication in Next.js

I am new to Next.js and I am struggling with the authentication system using jwt token. I want to know what is the best / standard way to store the jwt token and routing with the authentication...

Java program failing to map Native memory allocation

Java program failing to allocate Native memory even after enough RAM is available. The program crashes repeatedly after failing with os_commit exceptions. Any recommendation to update to tune Java...

How do I protect against XSS/Injection when using jquery.append?

I'm making a javascript code editor for users on my site. One of the features I built was a custom console. Users can write console.log in their code and the logged string gets appended to a div...

Sanitize an input request param from XSS attack

I am working on securing the input request params to my application from XSS attacks. I came across the owasp cheat sheet for securing against XSS attack. I am following the instructions on ...

How to prevent XSS attacks or untrusted data in Rest API JSON using Java?

I had developed a Rest API application and have handled Authentication and Authorization using custom JWT. I want to further make the application secure from XSS attacks or validation for...

NginX fails to pass the POST request body when proxying requests to an Express backend from a static bundle

I am running an NginX server hosted on a Digital Ocean Droplet at 'pocket-caravan.com'. The goal was to build the react bundle which would link to all css/js/images and use nginx to handle serving...

Springboot HttpMessageNotWritableException: No converter for [...] with preset Content-Type 'null']

I am trying to create a web API with XML and JSON with Spring Boot 2.2.4.RELEASE + JDK11 and Java 8 compilation. My model: @XmlRootElement public class DataModel { private List<String> columns; ...

How worried should I be about opening up a JWT to an XSS vulnerability?

I am building a node.js web application with React for the GUI and GraphQL served with Apollo for the back-end, connecting to an RDS (MySQL) instance on AWS. I am authenticating users and then...

This document requires 'TrustedScriptURL' assignment

After adding require-trusted-types-for 'script'; in my Content-Security-Policy header, which was introduced in Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website, it...

Parsing in JS gets me a SyntaxError: JSON.parse: unexpected character

An error pops up when I try to parse a JSON object (or at least I guess it should be an object since there's "content-type": "application/json in the response's header). Here is the full error...

Why Nuxtjs Axios Proxy is not working on server?

I'm struggling for a few days to find a solution. It seems that my nuxt/axios proxy configuration is not taken into account when my site is in production. Locally everything is working fine but...

Adding HTTP headers for security using .htaccess breaks images on WordPress site

When I add this code in my .htaccess file, all my headers are secured but then my images are not working. After removing this code the images work perfectly. Is there any suggestion for me to...

What does =_= mean in JavaScript or HTML?

Reading this XSS cheat sheet, I noticed a special usage I have never seen: <img src="/" =_=" title="onerror='prompt(1)'"> What does "=_=" mean? It's below the sentence "On Mouse Over".