validate search parameters on Google search appliance - google-search-appliance

On all our websites, we have implemented GSA for search functionality. Recently, the search term has been scanned for a cross-site scripting vulnerability. I know we can use JavaScript to validate the search term before sending the query to GSA, but I am not sure in how many places we need to implement this.
Is there a way we can do this directly on GSA?

You should follow the OWASP guidelines for XSS prevention.
As a rule of thumb, never output content on the page that hasn't been encoded.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
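An added example, not code from the original question or answer and not GSA code, showing the two controls the OWASP cheat sheet describes for a reflected search term: allowlist validation before the term is sent to the search backend, and context-aware output encoding wherever the term is echoed into the results page. The allowlist pattern and the 200-character limit are assumed policy values; the encoding rules are OWASP rules #1 and #2.

```javascript
// Added example; not code from the original post or from GSA.
// Control 1: allowlist validation of the raw search term (assumed policy:
// letters, digits, whitespace and a few punctuation marks, max 200 chars).
// Control 2: OWASP output encoding when the term is echoed into the page.

const MAX_TERM_LENGTH = 200;
const ALLOWED_TERM = /^[\p{L}\p{N}\s\-_.,'"&()]+$/u;

function isValidSearchTerm(term) {
  if (typeof term !== 'string') return false;
  if (term.length > MAX_TERM_LENGTH) return false;
  return ALLOWED_TERM.test(term); // '+' also rejects the empty string
}

// OWASP rule #1 (HTML element content): encode & < > " ' and /.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// OWASP rule #2 (HTML attribute value): encode every code point except
// ASCII alphanumerics as &#xHH;, so the value cannot break out of the
// attribute regardless of which quote character wraps it.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// The results page echoes the term in two different contexts: as element
// content in the heading and as the prefilled value of the search box.
// Terms that pass the allowlist can still contain & and quotes; it is the
// encoding, not the validation, that keeps them inert in the page.
function renderResultsHeader(term) {
  return `<h2>Results for ${encodeForHtml(term)}</h2>\n` +
         `<input type="text" name="q" value="${encodeForHtmlAttribute(term)}">`;
}
```

Validation in browser JavaScript is a usability aid only; the encoding must run in every place that writes the term into HTML, which is why the number of output locations, not the number of input forms, is what has to be audited.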

Related

Exclude bot users from slack search api results

In the Slack UI, when I make a search, it makes a request to the search.modules endpoint. There's also the option to exclude apps and bots from the result, which translates to a boolean POST param to that API endpoint.
https://api.slack.com/methods doesn't list such a method, and only has search.messages, search.files, and search.all.
How can I use the API to search, but exclude bot accounts? Do I need to leverage this seemingly hidden search.modules (which probably is inaccessible with a bot acct)? Is there a better way than making a list of bots and manually filtering them out of search results?
Well, it's not in the documentation anywhere, but I can achieve this with the search.messages API by adding search_exclude_bots=True to my POST data.
Since this is undocumented, I'm curious as to whether users should be using this param and if it will be changed in a breaking way in the future.

User search in RESTful spring API

So basically, I have a Spring API with a MySQL database and I need to be able to perform a search for a user by name in a front-end web app which uses my API. The trick is that I need a kind of Google search: by typing, let's say, 3 letters, a list of all users whose name starts with these 3 letters would be returned from the API to the web app. By typing or deleting any letter, the list should change dynamically.
My question is how I can implement this kind of "dynamic" search in my API. What should the requests look like? What should the whole architecture of the process in the API look like?
There are a number of ways to pull this off. Coding this in your API is probably going to be the least efficient. I would recommend using SOLR or Lucene to index the data you want to search on. Your front-end will have some JS that will update your list when characters are entered or deleted in the text field.
jQuery provides a plugin that might be just what you're looking for on the UI side.
https://jqueryui.com/autocomplete/

how to implement Complex Web API queries in ASP Core

I'm new to web API design, so I've tried to learn best practices of web API design using these articles:
1. Microsoft REST API Guidelines
2. Web API Design - Crafting Interfaces that Developers Love, from Apigee
Apigee recommends that web API developers follow these recommendations to have better APIs.
I quote here two of the recommendations:
I need C# code for implementing these recommendations in my Web APIs (in ASP Core) which is a back-end for native mobile apps and AngularJs web site.
Sweep complexity behind the ‘?’
Most APIs have intricacies beyond the base level of a resource. Complexities can include many states that can be updated, changed, queried, as well as the attributes associated with a resource.
Make it simple for developers to use the base URL by putting optional states and attributes behind the HTTP question mark. To get all red dogs running in the park:
GET /dogs?color=red&state=running&location=park
Partial response allows you to give developers just the information they need.
Take for example a request for a tweet on the Twitter API. You'll get much more than a typical twitter app often needs - including the name of person, the text of the tweet, a timestamp, how often the message was re-tweeted, and a lot of metadata.
Let's look at how several leading APIs handle giving developers just what they need in responses, including Google who pioneered the idea of partial response.
LinkedIn
/people:(id,first-name,last-name,industry)
This request on a person returns the ID, first name, last name, and the industry.
LinkedIn does partial selection using this terse :(...) syntax which isn't self-evident.
Plus it's difficult for a developer to reverse engineer the meaning using a search engine.
Facebook
/joe.smith/friends?fields=id,name,picture
Google
?fields=title,media:group(media:thumbnail)
Google and Facebook have a similar approach, which works well.
They each have an optional parameter called fields after which you put the names of fields you want to be returned.
As you see in this example, you can also put sub-objects in responses to pull in other information from additional resources.
Add optional fields in a comma-delimited list
The Google approach works extremely well.
Here's how to get just the information we need from our dogs API using this approach:
/dogs?fields=name,color,location
Now I need C# code that handles these kinds of queries, or even more complex ones like this:
api/books?publisher=Jat&writer=tom&location=LA&fields=title,ISBN&$orderBy=location desc,writer&limit=25&offset=50
So web API users will be able to send any kind of request they want, with different complexities, fields, ordering, ... based on their needs.

Google Analytics event tracking dependent on source of visit

I am looking to test different traffic patterns within Google Analytics (direct traffic abnormally high). I was curious if anyone knows how to create an event that fires when source = wildcard. To make this event more difficult, this would be set up within Google Tag Manager using Universal Analytics.
I see the 6 event tags but none of them sounds like it would meet my need?
Thanks
Google Tag Manager is not a tracking tool and knows nothing about the traffic source, so no preconfigured macro could be used in a rule to fire tags depending on source.
If you use "classic" asynchronous analytics you can set up a macro that reads the _utmz cookie and checks in a rule if it contains a source string ("direct", "cpc" etc.).
However Universal Analytics determines the traffic source on the server and does not store it clientside, so with UA this would not work.
A few traffic sources are easily recognizable on the respective landing page:
If no referrer is present, it's a direct visit/bookmark.
If there are campaign (utm) parameters in the URL, you can use those.
If there is a gclid parameter in the URL, you know it's google/cpc.
If the referrer is a Google domain with a country TLD and the parameter "q" is present (it will be empty with encrypted search but should still be there), it's an organic Google search.
If the referrer is a Bing domain with the parameter q present, it's an organic Bing search (and similar for other search engines).
However this will only work on landing pages. You need to write your own cookie to store the source for subsequent pages.
You can refine this approach to give rather similar results to Google Analytics but it will never match perfectly.
One of the most common reasons for abnormally high direct traffic is that no campaign parameters are present in paid traffic, either because you forgot to enable autotagging in your AdWords campaigns or because you have redirects that strip out campaign parameters (so paid traffic is lumped together with direct). The above approach would not help you to discover this, so I suggest you check this manually first before you do anything else.
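An added example, not code from the original answer, that turns the landing-page heuristics listed above into one pure function plus a cookie builder for carrying the result to later pages. It takes the referrer and the landing page query string as arguments (so it can be unit tested and then called as classifyTrafficSource(document.referrer, location.search) from a Tag Manager custom JavaScript variable); the return format "source/medium", the cookie name landing_source and the Google/Bing host patterns are assumptions. Campaign parameters are checked before the referrer, which is the priority Google Analytics itself applies.

```javascript
// Added example; not code from the original answer or from Google.
// Classifies a landing page visit as "source/medium" from the referrer
// and the landing page query string, following the rules in the answer.
const GOOGLE_HOST = /^(?:[a-z0-9-]+\.)*google\.(?:com|[a-z]{2}|co\.[a-z]{2}|com\.[a-z]{2})$/;
const BING_HOST = /^(?:[a-z0-9-]+\.)*bing\.com$/;

function classifyTrafficSource(referrer, search) {
  const params = new URLSearchParams(search || '');

  // Campaign (utm) parameters take priority over the referrer.
  if (params.has('utm_source')) {
    return `${params.get('utm_source')}/${params.get('utm_medium') || '(not set)'}`;
  }
  // An auto-tagged AdWords click carries gclid.
  if (params.has('gclid')) return 'google/cpc';

  // No referrer at all: direct visit or bookmark.
  if (!referrer) return 'direct/(none)';

  let ref;
  try { ref = new URL(referrer); } catch (e) { return 'direct/(none)'; }
  const host = ref.hostname.toLowerCase();
  // "q" may be empty with encrypted search but is still present.
  const hasQ = ref.searchParams.has('q');

  if (GOOGLE_HOST.test(host) && hasQ) return 'google/organic';
  if (BING_HOST.test(host) && hasQ) return 'bing/organic';

  // Anything else is a referral from that host.
  return `${host}/referral`;
}

// Cookie string (for document.cookie) that stores the landing page source
// so subsequent pages can reuse it instead of re-classifying.
function buildSourceCookie(source, maxAgeDays) {
  const maxAge = Math.floor(maxAgeDays * 86400);
  return `landing_source=${encodeURIComponent(source)}; Max-Age=${maxAge}; Path=/; SameSite=Lax`;
}
```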

Google Image Search API: Search by two or more domain restrictions

In Google Image Search (the web interface) you can restrict your search results by a single domain. It appears that the same rule applies to the API (http://code.google.com/apis/imagesearch/v1/reference.html#_methods) but as far as I know, the "one site" rule isn't documented anywhere (other than never mentioning multiple sites).
Does anyone know if it is possible to restrict a search across two or more domain names via the web interface OR the Image Search API?
This is not supported. The Google Image Search API is also being deprecated, so it would be best to search for alternatives anyway.
