1,184 questions
0 votes · 1 answer · 337 views
How to sanitize input of the Spring Boot Rest controller as per snyk
I have a microservice with Spring Boot which has a lot of API endpoints. My devops team recently applied a Snyk scan to the Jenkins build, which is preventing API deployment due to the following error:
...
0 votes · 0 answers · 91 views
How to override Specific CMSParagraphComponent in SAP Spartacus and inject custom styles/scripts from CMS?
We're using SAP Spartacus as the frontend and fetching dynamic content from SAP Commerce Backoffice. Our CMS team is managing FAQ-style content using the CMSParagraphComponent.
Problem:
The content ...
0 votes · 0 answers · 83 views
Sanitize HTML input in a C# class attribute
If one wishes to sanitize HTML input, he has to use a library like HtmlSanitizer. Example:
var sanitizer = new HtmlSanitizer();
var sanitized = sanitizer.Sanitize(model.htmlInput);
Is it possible to ...
0 votes · 0 answers · 39 views
How to fix "Client Potential XSS\Ruta"?
I’m working on an AngularJS project, and after running a security scan with Checkmarx, I’ve encountered the following XSS vulnerability:
"The in the application embeds untrusted data into the ...
0 votes · 0 answers · 51 views
For safety, is it enough to check whether user input conforms to an expected value? Or do I need to escape it before output anyway? [duplicate]
Is it enough to check whether user input conforms to an expected value, before I embed it into executed code? E.g.:
$fruits = array(
    "Orange",
    "Banana"
);
if(isset($_GET['...
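The pattern the question is circling, as an added example (not code from the question or its answers): look the input up in an allowlist and emit the allowlist's own value, never the raw input. The fruit names are the question's; the lowercase id keys and the render function are assumptions made here.

```javascript
// Added example: allowlist lookup that returns the canonical value.
// A Map rather than a plain object: `obj["constructor"]` or `obj["__proto__"]`
// would hit Object.prototype and pass a naive truthiness check.
const FRUITS = new Map([
  ["orange", "Orange"],
  ["banana", "Banana"],
]);

// Returns the canonical display name for an id, or null when not allowlisted.
function pickFruit(input) {
  if (typeof input !== "string") return null;
  return FRUITS.get(input.trim().toLowerCase()) ?? null;
}

// The output only ever contains a value taken from FRUITS, so nothing
// attacker-controlled reaches the HTML and no escaping is needed here.
// Echoing `input` itself instead would put the escaping requirement back.
function render(input) {
  const fruit = pickFruit(input);
  if (fruit === null) return "<p>Unknown fruit</p>";
  return `<p>You chose ${fruit}</p>`;
}
```

The check is only sufficient when the allowlisted value, not the user's string, is what gets embedded; the moment the raw parameter is echoed or interpolated, output encoding for that context is required again.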
0 votes · 0 answers · 61 views
Strapi meilisearch leaks user data
I've got a project running strapi v4 using meilisearch and instant-meilisearch in the frontend.
In my backend I've got a model called car-model which has an n:m relation to a users-permissions user. ...
1 vote · 1 answer · 104 views
Safe eval() by explicitly whitelisting builtins and bailing on dunders? [duplicate]
I know it's inadvisable to use eval() on untrusted input, but I want to see where this sanitiser fails. It uses a whitelist to only allow harmless builtins, and it immediately bails if there are any ...
0 votes · 0 answers · 68 views
Dompurify Error: src/app/common/util.ts:3:8 - error TS1259: Module can only be default-imported using the 'allowSyntheticDefaultImports' flag
I am using Angular 17 and while running the build I am getting an error stating
Error: src/app/common/util.ts:3:8 - error TS1259: Module '"/usr/src/app/node_modules/dompurify/dist/purify.cjs"...
1 vote · 1 answer · 566 views
How can I suppress sanitizer errors from member functions in GCC?
I'm compiling code on an Ubuntu system with GCC 11.4.0 with -fsanitize=thread.
I am getting some sanitizer errors from external libraries called from my functions. I have read that I should be able to ...
0 votes · 3 answers · 127 views
Remove consecutive duplicates of a specified value from a 2d array
As part of a larger project, I'm receiving arrays in a form similar to this:
$out = array(
    '2011' => ['Out', 'arrv'],
    '2012' => ['Out'],
    '2013' => ['Out'],
    '...
0 votes · 0 answers · 311 views
RDKit- How can we print problematic molecules and their issues together?
I got the error messages using RDKit.Chem.
[14:21:42] Can't kekulize mol. Unkekulized atoms: 3 5 6 7 9 10
[14:21:42] Can't kekulize mol. Unkekulized atoms: 3 5 6 7 10 11
[14:21:48] Explicit valence ...
0 votes · 0 answers · 79 views
WordPress not sanitizing double quotes in image alt text fields, causing pages to break
Currently, when users put double quotes in the alt text field for an image in the media library or within the ACF edit window, those quotes get saved to the database within the alt field and rendered ...
0 votes · 0 answers · 83 views
Am I sanitizing the input properly in my functions.php?
I am creating a WordPress website, using Divi Builder for the design + some PHP for additional functionality in the back-end. Right now I am developing custom Divi modules, whose purpose will be to ...
1 vote · 0 answers · 320 views
Most strict DOMPurify configuration?
I used the default DOMPurify (https://github.com/cure53/DOMPurify/tree/main) configuration for input sanitization in JavaScript, but noticed that tags like "h3" are allowed. I was wondering ...
2 votes · 2 answers · 125 views
How to restrict user from running queries that change data
I have a large Java based application that uses connection pooling to access the underlying database for all sorts of CRUD and reporting operations. The application also provides a database query ...
-1 votes · 1 answer · 127 views
When sanitize/encode while implementing tags system like on SO
In my development I have a tag system that closely matches the one SO has. And it also allows non-Latin characters.
User can enter new tag and it is saved to the DB.
Existing tags are shown to the ...
0 votes · 1 answer · 97 views
How to sanitise request body in spring boot if some attributes contain these values
Is there any library available to encode these if present as values, e.g. HTML attributes, JS events, scripts, expressions evaluating to true? Though it should escape values like ">50000&...
2 votes · 0 answers · 549 views
Checkmarx Scans Won't Recognize Any Sanitization Methods in Node/Express
I have a Node.js Express app and I'm running a Checkmarx scanning tool on it. It is flagging things like request.path and request.url and saying that "The element's value flow through the code ...
-1 votes · 4 answers · 607 views
Why doesn't preventDefault() of an input event stop changes to the value of a form element
This question has been asked and answered before; none of the previous answers given here seem to fix my situation. Therefore I need to ask, once again, why isn't the event prevented correctly?
...
0 votes · 0 answers · 274 views
Securely validating/sanitizing user input when using SQL Server's CONTAINS() predicate
I've got a table in SQL Server with a full-text index on an NVARCHAR column, and I want my website's users to be able to search through the table for data that matches their search string. I want to ...
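One way to build the search condition for a CONTAINS() predicate from free text, as an added example (not code from the question or an answer). The table and column names are invented, and the database driver is left abstract as a { text, params } pair; the point is which characters the user may influence and how the condition reaches the server.

```javascript
// Added example: constrain the user's text to a single quoted phrase and pass
// it to CONTAINS() as a parameter.
//
// Inside a full-text search condition the double quote delimits a phrase, and
// an unquoted term can be combined with AND / OR / NEAR or given a trailing *
// as a prefix wildcard. Wrapping the whole input in one quoted phrase and
// dropping embedded quotes and asterisks leaves no way to close the phrase and
// append operators. Default full-text word breakers treat punctuation as a
// separator, so removing those characters does not change what would match.
function buildContainsCondition(userInput) {
  if (typeof userInput !== "string") return null;
  const phrase = userInput.replace(/["*]/g, "").replace(/\s+/g, " ").trim();
  // An empty phrase would raise "Null or empty full-text predicate" server-side.
  if (phrase === "") return null; // caller should skip the full-text search
  return `"${phrase}"`;
}

// The SQL text is constant; the condition travels as a parameter, so the only
// thing the user controls is the phrase the engine looks for.
const SEARCH_SQL = "SELECT Id, Title FROM Documents WHERE CONTAINS(Body, @term)";

function buildSearchQuery(userInput) {
  const term = buildContainsCondition(userInput);
  return term === null ? null : { text: SEARCH_SQL, params: { term } };
}
```

Parameterising the condition stops SQL injection; restricting the phrase grammar is what stops full-text operator injection, which parameters alone do not address because the condition string is itself a small language.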
0 votes · 0 answers · 250 views
Does user data need to be sanitised before running console.log?
I have a NodeJS backend that receives some user data which will be stored in a database. Currently it is not being sanitised anywhere.
Are there any risks in writing it directly to the console with ...
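What unsanitised user data can do to a log stream, and one neutralising step to apply before console.log, as an added example (not code from the question or an answer). The log line format and the attacker-controlled username are constructed for this example.

```javascript
// Added example: control characters in user data are the logging risk.
// A line break lets the data forge a second, genuine-looking record (log
// injection); ESC and other C0/C1 controls can redraw a terminal or confuse a
// log viewer. Quotes and backslashes are escaped so the quoted field stays
// parseable; every control character becomes a visible \xNN escape.
function sanitizeForLog(value) {
  const text = typeof value === "string" ? value : String(value);
  return text
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/[\u0000-\u001f\u007f-\u009f]/g,
      (ch) => "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// One record per line, user data quoted and sanitised.
function formatLogLine(event, username) {
  return `event=${event} user="${sanitizeForLog(username)}"`;
}

// A fixed format string with the record as an argument: data is never the
// first console.log parameter, so a %s or %d inside it is not a directive.
function logEvent(event, username) {
  const line = formatLogLine(event, username);
  console.log("%s", line);
  return line;
}

// Constructed attacker input: a username that tries to append a fake record.
const FORGED_USERNAME = 'mallory"\nevent=login_ok user="admin';
```

Storing the data in the database is a separate concern from logging it; the escaping above is for the log sink only and should not be applied to the value that gets persisted.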
0 votes · 0 answers · 229 views
I am looking for a way to stop html injection
If I send a request like <img src = "1"/>, it seems it does not work in this case. I am using the OWASP policy factory sanitizer.
Can you describe the issue and how I can fix it?
...
1 vote · 2 answers · 471 views
Strange characters in (invalid) json string from post request (encoding issues)
I am trying to get data from a post request using the following line :
$data = file_get_contents('php://input');
The json string might be like: {"test" : "test one \xe0 "}
The ...
1 vote · 0 answers · 379 views
How to verify the nonce in WordPress if the request is from a link in the menu?
I have a plugin that has a submenu. For example: Dashboard, List of recent questions, Settings, Support.
The submenu is added using the add_submenu_page function.
add_submenu_page(
    'my-...
0 votes · 1 answer · 126 views
Remove all attributes not in whitelist from all HTML tags
So far, I can only keep one attribute, but I am trying to keep both the class and id attributes in the HTML tags.
Code:
$string = '<div id="one-id" class="someClassName">Some ...
0 votes · 0 answers · 363 views
Is my site vulnerable to a XSS attack if it has no back-end code?
I have a website where I want people to be able to input a number into an input box (tag iteration of sel) and it is taken and multiplied with a preset value stored in a tag with the class "value&...
0 votes · 1 answer · 347 views
jsoup.clean replaces single quotes with double quotes. How can I prevent that?
For our application, we allow the user to enter HTML, that later is displayed for other users.
For security reasons, we sanitize this HTML and do not allow the user to save HTML, that might not be ...
1 vote · 2 answers · 74 views
Extend class and return object with same methods as parents but different constructor
I'm trying to extend a class from an external library that contains methods which use its constructor in the input before starting any operation since it can have multiple types. I want to create a ...
0 votes · 1 answer · 802 views
Sanitizing HTML from Form Input not working (symfony6.3 php 8.2)
Trying to implement a form that sanitizes html input according to
https://symfony.com/doc/current/html_sanitizer.html#sanitizing-html-from-form-input
but I cannot make it work properly.
Here is my ...
0 votes · 1 answer · 1k views
Do I need to sanitise TIPTAP text editor in nextJS?
Do I need to sanitise the TIPTAP text editor with Next.js? If so, what sanitiser is best with Next.js and the TIPTAP text editor?
0 votes · 1 answer · 494 views
How to use Sanitizer API in React?
I need to sanitize an HTML string before sending it to the backend and I'm trying to use the Sanitizer API mentioned in the Mozilla documentation. So I've created the following method in my React ...
1 vote · 0 answers · 145 views
sanitizeHtml with marked doesn't render special characters correctly (& is & and then &amp)
I'm trying to render user input using SvelteMarkdown (that uses marked).
The steps are:
user input is sanitized using sanitizeHtml
sanitized user input goes to SvelteMarkdown to be rendered in html
...
0 votes · 1 answer · 161 views
getting rid of bold characters in a filename
mysql recently reported me the following error: [HY000][1366] Incorrect string value: '\xF0\x9D\x98\xBD\xF0\x9D...' for column 'name'
after investigation, I found that the value with weird characters ...
1 vote · 0 answers · 531 views
Create anchor link from location.pathname and sanitise data
Hi, I'm trying to generate breadcrumbs from the contents of window.location.pathname. Everything works well, except that when I run the code through Veracode it complains that the input is untrusted.
I ...
1 vote · 1 answer · 595 views
Angular DomSanitizer replacing new line characters on textarea fields
Is Angular's DomSanitizer just a glorified text-replacer? If it is, I'd like to know if it's feasible to implement my own sanitizer, because the Angular one is replacing special characters like "&...
-1 votes · 2 answers · 1k views
Can't Edit or View Magento Products | Argument #1 ($meta) must be of type array, null given in /
Migrated from Magento 1.9.2.1 to 2.4.6 and everything went smoothly, the problem begins when trying to view the product in the backend (nothing appears in frontend), I get a type error and unsure on ...
0 votes · 1 answer · 162 views
How to safely assign untrusted input to CSS custom properties without JavaScript?
Let's say I have an object of string keys and string values, and I'd like to write these as CSS custom properties to some HTML generated by the server. How could I do so safely?
By safely I mean that
...
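Server-side rendering of untrusted key/value pairs as CSS custom properties, as an added example (not code from the question or an answer). Rather than escaping, it accepts only a narrow grammar for names and values and rejects everything else; the property names and sample values are invented.

```javascript
// Added example: serialise untrusted pairs into a style attribute by
// allowlisting the grammar, not by escaping.

// Names must be custom properties (so a caller cannot set `background` or
// `behavior`) and stay within plain identifier characters.
const NAME_RE = /^--[A-Za-z0-9_-]{1,64}$/;
// Values: letters, digits, space, and punctuation that cannot terminate the
// declaration (;), the rule (}), the attribute ("), open a url()/expression
// call, or start a comment (/*). Enough for colours, lengths and keywords.
const VALUE_RE = /^[A-Za-z0-9 #%.,_-]{1,128}$/;

// Returns the declaration list, or throws on anything outside the grammar.
function cssCustomProperties(props) {
  const decls = [];
  for (const [name, value] of Object.entries(props)) {
    if (!NAME_RE.test(name)) {
      throw new RangeError(`rejected property name ${JSON.stringify(name)}`);
    }
    if (typeof value !== "string" || !VALUE_RE.test(value)) {
      throw new RangeError(`rejected value for ${name}`);
    }
    decls.push(`${name}: ${value}`);
  }
  return decls.join("; ");
}

// The grammar excludes " & < and >, so the attribute needs no HTML escaping.
function styleAttribute(props) {
  return `style="${cssCustomProperties(props)}"`;
}

// For callers that prefer a result object over an exception.
function tryCssCustomProperties(props) {
  try {
    return { ok: true, css: cssCustomProperties(props) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Rejecting rather than repairing is deliberate: a value like `red; background: url(//evil)` is not something a legitimate theme setting needs, so failing the request is safer than guessing which part to keep.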
0 votes · 0 answers · 153 views
Sanitise user inputs for injection into Curl CURLOPT_USERPWD values
This might sound a little obscure, but in a nutshell I'm building a sort of middleman wrapper API endpoint which uses HTTP basic auth but validates the user submitted auth credentials by re-using them ...
0 votes · 0 answers · 242 views
Replacement for innerHTML javascript -security vulnerability
From the standpoint of security vulnerabilities, is there any solution for replacing innerHTML?
example
td.innerHTML = "<b>"+change_obj["old_end_cust_id"]+"</b>,&...
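Two replacements for the innerHTML concatenation in the question, as an added example (not code from the question or an answer). `change_obj` and its `old_end_cust_id` key are the question's; the second key `new_end_cust_id`, the tagged template and the DOM helper are assumptions made here.

```javascript
// Added example: escape data before it meets markup, or avoid markup parsing.

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// A tagged template: literal parts are trusted markup, every ${} interpolation
// is escaped. The markup shape lives in the template; data cannot add tags.
function html(strings, ...values) {
  return strings.reduce((out, str, i) =>
    out + str + (i < values.length ? escapeHtml(values[i]) : ""), "");
}

// Option 1: keep using innerHTML, but only ever with escaped data.
function cellMarkup(change_obj) {
  return html`<b>${change_obj["old_end_cust_id"]}</b>, ${change_obj["new_end_cust_id"]}`;
}

// Option 2 (browser only): skip HTML parsing and build nodes. textContent
// assigns text; no string the data supplies can become an element or handler.
function fillCell(td, change_obj) {
  td.replaceChildren();
  const b = document.createElement("b");
  b.textContent = change_obj["old_end_cust_id"];
  td.append(b, ", ", String(change_obj["new_end_cust_id"]));
}
```

Option 2 is the stronger answer to the question as asked, since it removes the sink entirely; option 1 is the minimal change when the markup has to stay a string.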
1 vote · 1 answer · 218 views
Update content injected via "innerHTML" in Angular
I'm working on an application that has the following infrastructure:
Headless Wordpress used as primary DB
Node.js application used as middleware/backend
Angular for the frontend
I'm in a situation ...
0 votes · 1 answer · 722 views
Sanitizing email addresses: filter_var() / FILTER_SANITIZE_EMAIL vs htmlentities()
If a user enters an email address (and it validates), I think I am correct that it, in common with all user entered data, should be sanitized before outputting it in HTML in case the email address ...
4 votes · 5 answers · 6k views
Best practice when sanitizing HTML form user input in PHP / CodeIgniter 4 [duplicate]
I have a simple app programmed in PHP using CodeIgniter 4 framework and, as a web application, it has some HTML forms for user input.
I am doing two things:
In my Views, all variables from the ...
0 votes · 2 answers · 2k views
How to Sanitize PDF with a opensource Java tool ( like PDFBox)? [closed]
I am trying to enhance security of a file upload segment in Spring based web application.
It uses an antivirus to do virus screening before upload. However, it is additionally required to sanitize the ...
1 vote · 1 answer · 81 views
Apostrophe changes after sanitizing word
package main

import (
	"log"

	"github.com/microcosm-cc/bluemonday"
)

func main() {
	c := "hello doesn't work 😖"
	p := bluemonday.UGCPolicy()
	log.Println(p....
-1 votes · 2 answers · 1k views
convert String to json object with wrong string
I have String like
"[{'techid':'0128','daPoints':3,'speedingPoints':3,'fleetInspectionPoints':3,'lofPoints':3,'missedTrgModules':null,'fullName':'MANPREET SINGH','safetyInspectPoints':3,'...
-2 votes · 1 answer · 1k views
How to sanitize input field in jQuery script
I would like to sanitize the form fields before sending the ajax request to increase security. Currently my Javascript code is this:
jQuery(document).ready(function($) {
    $('#login-form').submit(...
-1 votes · 1 answer · 61 views
WP List Table short data sanitization error
This is really not sanitized:
How to sanitize it?
Here is my full class which I have tried, but the WordPress team still said it's not properly sanitized.
And ## Unsafe SQL calls
When making database calls,...
1 vote · 0 answers · 1k views
How to properly sanitize user input in WordPress search form: get_search_query()
I am attempting to sanitize user input for a search form that I am building in WordPress (in searchform.php file).
I used a built-in WordPress function, sanitize_text_field():
function ...
0 votes · 1 answer · 487 views
How do I sanitize meta box contents to prevent XSS attacks?
I know how to sanitize metabox content like
<img src=x onerror=console.log(hey) />
But how about the following?
<img src=x onerror=console.log(hey)<img src="x" />
Tried the ...
1 vote · 2 answers · 126 views
Would this function work for generally sanitizing db query variables?
I know most people say to just use prepared statements, but I have a site with many existent queries and I need to sanitize the variables by the mysqli_real_escape_string() function method.
Also the ...