1,184 questions
3 votes · 1 answer · 3k views
Node.js: Sanitize untrusted user input for exec()
Small example, reduced from a REST API node.js app:
const { exec } = require('child_process');
var userInput = 'untrusted source';
var cmd = `/bin/echo "${userInput}"`;
exec(cmd, function(err, stdout,...
0 votes · 1 answer · 289 views
Best Practice: Enable React Component in User Input
I'd like to allow users of a blog like app written in rails/react/material-ui/mobx to add custom components like polls to their articles. So I'd like to add some kind of button to the article editor ...
2 votes · 1 answer · 1k views
How to search and replace from a SafeHtml variable in Angular?
I've a very simple question.
I've a sanitized string and its type in Angular is SafeHtml.
How would be the best approach to search and replace some Html inside this SafeHtml variable?
...
const ...
4 votes · 4 answers · 3k views
Are user-uploaded SVGs an XSS risk? How can you sanitize an SVG?
We have a website that allows users to design graphics, and one of the things we support is Scalable Vector Graphics (SVG) files. We want to allow users to upload SVGs, but are concerned with the ...
1 vote · 0 answers · 259 views
Single sanitization callback for multiple fields?
Hope everyone is doing well! How can I have a single sanitization callback for multiple fields?
Here is my code
add_action('admin_init','settings');
function settings(){
...
2 votes · 1 answer · 6k views
How do I know my input is being sanitized by express-validator?
I've implemented express-validator and am trying to sanitize an input field where users are searching a particular query.
The test query I'm using is <script>Malicious code</script. As the ...
8 votes · 5 answers · 19k views
Sanitizing HTML input
I'm thinking of adding a rich text editor to allow a non-programmer to change the aspect of text. However, one issue is that it's possible to distort the layout of a rendered page if the markup is ...
0 votes · 1 answer · 1k views
How to sanitize input from csv file in Python using re (or a better module?)
My apologies if this is close to a similar question, but I haven't been able to find any useful information on how to sanitize this particular outlier. Hoping someone with more experience can lend a ...
0 votes · 1 answer · 2k views
Sanitization with JOI 10.2 (extend()?)
JOI 10 is used to validate calls against an API. I now want to sanitize many (but not all) of the strings that are contained in the JSONs before validating them, namely filter out certain characters. ...
8 votes · 3 answers · 29k views
How to use JSON Sanitizer at Server Side?
I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP.
My understanding is that this needs to be done in two places:
JSON data (in Request) received from Client or Other Systems - ...
0 votes · 1 answer · 446 views
Object property value sanitization problem in Angular
I have a class MemberInfo. There is a property which is Photo. Now I would like to create a MemberInfo object with a property value. The code is below:
let info = new MemberInfo();
info.MemberId ...
6 votes · 2 answers · 5k views
Bash sanitize_file_name function
I'm attempting to find a way to sanitize/filter file names in a Bash script the exact same way as the sanitize_file_name function from WordPress works. It has to take a filename string and spit out a ...
2 votes · 1 answer · 5k views
How to Sanitize HTML Received from an API Call in VueJS [closed]
I am looking for a good library and/or best practice in terms of sanitizing html that is returned from an api call in a vuejs app.
Any suggestions?
Thanks.
9 votes · 3 answers · 23k views
Angular 2 disable sanitize
I am trying to render base64 string into <img src='data:image/png;base64,${Here}'.
But whenever I try to render it, ng2 sanitizes my base64 string before rendering it and adds something into my ...
3 votes · 3 answers · 317 views
Is it legal to cast a function to a pointer to a function of various kinds per C standard?
I analyzed some source code written in C and found the following code snippet:
#include <stdio.h>
struct base_args_t {
int a0;
};
struct int_args_t {
struct base_args_t base;
int a1;
};
...
0 votes · 0 answers · 337 views
how to sanitize any request or any page
I'm building a web app and I want to make sure that no one inputs HTML or script tags, so I use the sanitize package, but how do I apply it on each input?
I wonder what is the easiest way to sanitizeHtml ...
2 votes · 1 answer · 739 views
Extracting country information from description using geograpy
PROBLEM: I want to extract country information from a user description. So far, I'm giving a try with the geograpy package. I like the behavior when the input is not very clear for example in Evesham ...
1 vote · 2 answers · 3k views
Allow HTML comments in DomPurify
I would like to use DOMPurify to sanitise some HTML content, but I'd like to preserve the HTML comments. Is that possible?
You can see what it does in this example - if you enter markup with a ...
3 votes · 1 answer · 7k views
How to prevent html injection in Angular 5
I want to prevent users from entering HTML injection into a textbox. I have researched some examples, but they are generally about allowing HTML tags through pipes and say that Angular automatically sanitizes HTML ...
0 votes · 5 answers · 554 views
Sanitize filepath string and only allow 1 trailing slash at the end
I need to remove non alphanumeric characters except _ (underscore) and - dash and only one / (forward slash) from the end of a string.
$string = 'controller_123/method///';
or
$string = '...
1 vote · 1 answer · 558 views
NodeJS spawn does not escape bad strings
I want to download a URL on a remote host using ssh. I was using exec(), and it was working:
const cmd = `mkdir -p /home/username/test; wget --no-check-certificate -q -U \"\" -c \"${url}\&...
-1 votes · 4 answers · 13k views
How to validate and sanitize array of data in php?
I want to validate and sanitize data which comes from POST array.
My POST data is something like this:
Array
(
[category_name] => fsdfsfwereq34
[subCategory] => Array
(
...
1 vote · 5 answers · 81 views
Find value in a column of a 2d array when non-digital characters may interfere
I have an array that contains phone numbers in different format:
$myArr = [
['122-33-2222'],
['(122) 433-5555'],
['122 644.8888']
];
I need to check if another number is in that array. I ...
1 vote · 0 answers · 4k views
sanitize-html vs encodeURIComponent URL to prevent Reflected XSS attack in Javascript
I want to protect my app against reflected XSS attacks caused by passing scripts in the URL, like:
https://www.myapp.com/profile/?year=2020<script>alert('Boo!');<!--
What would be the best way to ...
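The choice in the title is a false one: sanitize-html strips markup, while encodeURIComponent encodes for a URL component, and neither is the right tool on its own for a value that is reflected into a page. What matters is the output context. The block below is an added example written for this page, not code from the question or from either library; the `?year=` payload is the one in the question, and the four-digit year check and the page fragment are assumptions made for the demonstration.

```javascript
// Added example (not from the question). The same untrusted query value can
// land in HTML text, in an HTML attribute, and in a URL; each context gets
// its own encoder, and the value is validated before any of them run.
const HOSTILE_YEAR = "2020<script>alert('Boo!');<!--";   // payload from the question

// HTML text and attribute values: encode the five characters that can change
// the parse. Both quote kinds are covered so the result is safe in single-
// or double-quoted attributes as well as in element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// URL query component: encodeURIComponent is the right encoder when the
// value goes back into a URL (a link or redirect target), never into HTML.
function buildProfileUrl(base, year) {
  return `${base}?year=${encodeURIComponent(year)}`;
}

// Validation first (assumed rule: a year is exactly four digits). Rejecting
// unexpected input is cheaper and safer than trying to clean it.
function parseYear(raw) {
  if (!/^\d{4}$/.test(raw)) return null;
  return Number(raw);
}

// A fragment that reflects the value in two contexts: the <p> text, and a
// link whose URL carries the raw value. The URL is encoded for the URL
// context first, then HTML-escaped for the attribute context.
function renderYearPage(rawYear) {
  const year = parseYear(rawYear);
  const shown = year === null ? 'invalid year' : String(year);
  const link = buildProfileUrl('/profile/', rawYear);
  return `<p>Results for ${escapeHtml(shown)}</p>` +
         `<a href="${escapeHtml(link)}">retry</a>`;
}
```

Note the layering in the href: encodeURIComponent leaves `'`, `(` and `)` alone, so the URL still needs escapeHtml before it goes into a quoted attribute. Stripping tags with a sanitizer would only help if the page deliberately rendered user-supplied HTML, which a reflected query parameter never is.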
0 votes · 3 answers · 995 views
Remove keys and double quotes from a JSON-encoded string
I'm trying to change an array format from this
{"updated":"2016-01-28 02:00:02","rate":"0.1898"}
to this
[2016-01-28 02:00 , 0.1898]
I'm getting the first ...
0 votes · 1 answer · 145 views
Receiving dangerous URL error with sanitization
I have an Angular template that loads an iframe with a dynamic URL. Despite sanitizing the URL, I'm still receiving the error:
ERROR Error: Required a safe ResourceURL, got a URL
What am I missing?
...
1 vote · 1 answer · 3k views
How can I sanitize a string while maintaining all non-Latin alphabet support
Generally, I would strip all characters that are not English using something like :
$file = filter_var($file, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH );
however, I am ...
1 vote · 3 answers · 59 views
Remove literal \r\n sequences if they are not preceded by a dot
I have the following string
$text =" Wireless sensor networks (WSNs) enable new applications and
require\r\nnon-conventional paradigms for protocol design due to several
constraints. Owing to ...
0 votes · 1 answer · 3k views
Can code injection in Lua be performed with just a variable definition?
Assuming I define a variable like this in Lua
local input = "..."
Where the ... comes from a user-provided string. Would that user be able to perform code injection just from a variable definition? ...
2 votes · 2 answers · 149 views
Keep only the last two elements of every row of a 2d array
I have a PHP array
Array
(
[0] => Array(
[0] => 24
[1] => 1
[2] => 0
[3] => 4
)
[1] => Array(
[0] => 2
[1] => 23
...
2 votes · 1 answer · 483 views
Convert hash into SQL conditions
I am in the process of upgrading my Rails app from 4.1.16 to 5.2.3.
I want to convert a hash into a string of SQL conditions (from { :name => "foo'bar", :group_id => 4 } to name='foobar' and ...
1 vote · 1 answer · 613 views
Is there any special input that can break the input() function in Python 3?
Let's say I'm making a cat program, where I intend to take the user's input using input(), store it as a string for later use, then output the string (for simplicity, let's say it just prints it).
Is ...
1 vote · 1 answer · 827 views
Sanitizing user inputs when the user input is a schema name in node postgres
I am using https://node-postgres.com/ to write a fairly simple application, but I do have a complex constraint that has caused me issues. Namely, I need my SQL statement to select a schema based on ...
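The constraint is real: node-postgres's `$1` placeholders bind values, not identifiers, so a schema name can never go through a parameter. The answer is two layers, an allowlist of schema names the application actually owns, and identifier quoting with PostgreSQL's own rule (wrap in double quotes, double any embedded double quote) so that even an allowlisted name cannot alter the statement. The following is an added example written for this page, not code from the question or from node-postgres; the `KNOWN_SCHEMAS` set stands in for whatever tenant table a real application would consult, and no database is contacted.

```javascript
// Added example (not from the question). Builds the { text, values } query
// object that node-postgres's client.query() accepts, with the schema name
// allowlisted and quoted as an identifier and the customer id bound as $1.
const KNOWN_SCHEMAS = new Set(['tenant_acme', 'tenant_globex']); // constructed

// PostgreSQL identifier quoting (same rule as quote_ident): double quotes
// around the name, embedded double quotes doubled. Inside "..." nothing else
// is special, so a quoted identifier cannot close the name early.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Allowlist: the request may only name a schema the application knows about.
// Unknown names are rejected rather than cleaned, so there is nothing to guess.
function resolveSchema(requested) {
  if (!KNOWN_SCHEMAS.has(requested)) throw new Error('unknown schema');
  return requested;
}

// Identifier goes into the SQL text (quoted); the value goes into $1.
function buildOrdersQuery(requestedSchema, customerId) {
  const schema = resolveSchema(requestedSchema);
  return {
    text: `SELECT id, total FROM ${quoteIdent(schema)}.orders WHERE customer_id = $1`,
    values: [customerId],
  };
}
```

With a live client this is `await client.query(buildOrdersQuery(req.params.schema, req.user.id))`. If the schema list is large and lives in the database, the allowlist lookup becomes a parameterized query of its own; the quoting stays, because quoteIdent is what protects the statement once a name has been accepted.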
21 votes · 4 answers · 8k views
Sanitize user defined CSS in PHP
I want to allow users to use their own stylesheets for their profiles on my forum, but I'm afraid of possible security vulnerabilities. Does anyone have any tips for sanitizing CSS?
Basic process: ...
0 votes · 1 answer · 533 views
Invisible characters are disrupting strpos(); how can I sanitize the strings? [duplicate]
It seems like I'm having an issue with strpos()
For some reason, it's always returning false when it should not.
This is where the issue occurs:
if ( strpos( $attachment_url, $upload_dir_paths['...
6 votes · 1 answer · 461 views
Angular HTML string - rename attributes
I have a HTML string like
<span class="diff-html-changed" id="1" changes="MyText" >test </span>
and I want to display the text as html. I include it like
displayedContentInTemplate: ...
11 votes · 5 answers · 6k views
PHP Sanitizing/Validating Array of Integers
I have the following array and would like to know what the best way would be of validating and sanitizing this array to make sure only integers are allowed?
if(is_array($_POST['taxonomy'])) {
$...
9 votes · 4 answers · 1k views
to_sentence and html_safe, together?
Here's the string I want:
<a href="/pugs/1-baxter">Baxter</a> and <a href="/pugs/2-sofia">Sofia</a>
Here's the code I'm using to output that:
<%= @pugs.collect {|p| ...
0 votes · 1 answer · 2k views
Sanitize Wordpress Metabox Fields (POST array) - The right way
I'm working on a WordPress plugin with metaboxes. The plugin got rejected because of the sanitization of metabox fields.
My save_fields function
public function save_fields( $post_id ) {
if ( ! ...
0 votes · 1 answer · 426 views
Is it safe to echo formatted DateTime in php in terms of XSS attack?
I have quite a complex web application. I need to sanitize all variables that are sent to view (MVC architecture) with the htmlspecialchars() function to prevent XSS attack. Since it isn't just ...
5 votes · 1 answer · 4k views
sanitize_sql_array in Rails 4
In a Rails 3 model you used to be able to do:
query = self.sanitize_sql_array(["SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ...
-1 votes · 1 answer · 690 views
Sanitize url in an object rather than single url
I have an object having success, summary and detail elements used for displaying message in PrimeNG message (p-messages) after record is created. After record is created I call displayMessage method ...
1 vote · 1 answer · 963 views
Why does filter_var() encode quotes differently than htmlentities()?
Why does filter_var()'s FILTER_SANITIZE_STRING filter encode single quotes as &#39; and double quotes as &#34; while htmlentities() encodes single quotes as &#039; and double quotes as &...
2 votes · 1 answer · 1k views
How to save data in database safe in laravel 5.1?
I want to have a comment form that anybody can fill in, and the input data will be inserted into the database after validation:
<?php
namespace App\Http\Controllers;
use App\comments;
use ...
7 votes · 1 answer · 9k views
How to make a Jsoup whitelist to accept certain attribute content
I'm using Jsoup with relaxed whitelist. It seems perfect but I would like to keep the embedded images tags like <img alt="" src="data:;base64.
Is there a way to modify the whitelist to accept also ...
1 vote · 1 answer · 3k views
Format phone number to be valid E164 format using libphonenumber-for-php library
I want to check that an entered phone number is a valid E164-formatted phone number; if not, then convert it to proper E164 format.
-1 votes · 1 answer · 561 views
What characters can't come as the very last character of a url?
I am trying to get all url links from a text in Python. Say this is the text:
Go to google.com, and then follow the instructions.
I can use string.split() and then check each word one by one. But, it ...
1 vote · 3 answers · 2k views
Remove the non-numeric prefix from array elements before using array in a database query's IN() condition
I have following array result :
Array (
[0] => company_1
[1] => company_10
[2] => company_15
)
I want the result something like this as I can use in the mysql IN query clause:
$...
0 votes · 1 answer · 492 views
Angular - Struggle with sanitization of Image URL
I try to sanitize an image URL but it will not work for me...
This is my code
home.component.ts
constructor(public dialog: MatDialog, private route: ActivatedRoute, private sanitization : DomSanitizer)...
1 vote · 0 answers · 215 views
Should I sanitize a text from a contact form before sending it to my email?
I have a contact form on a React app. When the user sends the message, it hits a /contact route on my node server. This route calls a MailService, that dispatches the text to my own gmail address.
It ...