I'm trying to fix XSS vulnerabilities across my web application and I'm stuck with jqGrid.
I activated 'autoencode' for all my grids and the documentation says : "When set to true encodes (html encode) the incoming (from server) and posted data (from editing modules).".
My problem is that I don't understand why posted data are encoded. This way I'm getting html escaped text in my database. So this database is no more readable by an other application (or it has to decode all texts), and in addition database search doesn't work any more.
So, is it possible to only encode data retrieved from database and post data as it ?
Currently, I disabled autoencode and added formatter on all my columns to escape all text. Is it the only way ?
You can use serializeEditData (in case of usage form editing), serializeRowData (in case of usage inline editing) or serializeCellData (in case of usage cell editing) to change the data which will be send to the server during editing. To decode the data you can use for example $.jgrid.htmlDecode. You can enumerate all properties of posted data and decode the value of the corresponding property. Alternatively you can use decoding of posted data on the server side. Any technology which you use on the server provide simple method which can be used for decoding. For example in ASP.NET one can use HtmlDecode/HtmlEncode methods of HttpServerUtility.
Related
My Sitecore website is on 7.5. I have implemented a media protection request feature, but I can see too many errors in Sitecore logs saying that:
ERROR MediaRequestProtection: An invalid/missing hash value was
encountered. The expected hash value: Media URL: , Referring URL:
My question is How to handle an image tag in Rich Text field in Sitecore, so that it can handle the media hash automatically?
Since version 7.5 Sitecore introduced a Media Request Protection which is a hash added to assets' URLs. I think that this was a good thing to avoid any kind of denial of service attacks.
On every incoming media request Sitecore calculates the hash of the request query string parameters and compares it with the given hash. If they are equal then Sitecore will perform the needed routine based on the provided URL parameters (for example, image resizing), but if they are not equal then Sitecore will throw a MediaRequestProtection error and send the original file as is.
There is a known issue in Sitecore Rich Text Editor (RTE) with 438674 Ticket Id and "Media request protection is not applied to media in a hyperlink within the RTE" description. Sitecore Support can provide a patch to override the method for rendering media links from RTE fields to also include the hash value. See the reference under Sitecore 8.2 release notes here.
If you don't have any Sitecore Support coverage by now then you can implement a workaround as follows:
Hook into saveRichTextContent pipeline to alter the RTE content before saving. For items that haven’t been modified after the saveRichTextContent pipeline has been introduced you can create a new renderField pipeline for Rich Text field type, but I would rather recommend to stick to saveRichTextContent pipeline approach and simply re-save all items with RTEs containing media assets.
Write your custom code to loop through images within the RTE HTML and modify the image rendering accordingly. Note, that you need to use Sitecore.Resources.Media.HashingUtils.ProtectAssetUrl() method to generate the full URL with the hash added, for example:
string mediaUrl = Sitecore.Resources.Media.MediaManager.GetMediaUrl(yourMediaItem);
string safeMediaUrl = Sitecore.Resources.Media.HashingUtils.ProtectAssetUrl(mediaUrl);
I am developing a series of Slack apps for my workspace, and some of them are meant to interact with the content (messages) delivered by the other apps : extracting content IDs that may be referred to by other messages
A concrete example :
Suppose I have an app A "FindUser" that is capable of giving me the user profile when a slack user types find me#example.com, and it replies in the thread with a formatted view of the user profile
I am developing an app B "EditTags", which basically gives me a right click option with "edit tags" (see Slack's Interactive Components/Actions), the idea being that a user could first ask app A to find a user, and then right click on the reply from App A and click the "edit tags" action given by the other app. What this app B does it actually retrieve the tags for the user mentionned by the previous message from app A, and in another reply to the thread it gives some controls to either delete an existing tag OR it shows a select with autocomplete to add new tags.
The B app needs to retrieve the user ID that the A app mentionned previously. So I need some way to pass that data directly in the slack message. When looking at the examples, slack does not seem to provide a way to add arbitrary "metadata" to a message, am I wrong ? Do you have workaround for this ? I mean I could totally send the user ID say, in the footer, so I can just read the footer, but I was planning to use the footer for something else... Is there a way to pass metadata hrough properties that would be hidden to the end user ?
Although this does not feel relevant, I am building a slack nodeJS app using the node slack sdk (and especially the #slack/interactive-messages package)
For the most part the Slack API does not provide any official means to attach custom data / meta data to messages. But with some simple "hacks" it is still possible. Here is how:
Approach
The basic approach is to use an existing field of the message as container for your data. Obviously you want to pick a field that is not directly linked to Slack functionality.
Some field are not always needed, so you can just use that field as data container. Or if its needed, you can include the functional value of that field along with your custom data in the data container.
For example for message buttons you could use the value field of a button and structure your code in a way that you do not need it in its original function. Usually its sufficient to know which button the user client (via the name field), so the value field is free to be used for your custom data. Or you can include the functional value of your button along with the custom data in a data container (e.g. a JSON string) in that field.
Serialization
All messages are transported through HTTP and mostly encoded as UTF-8 in JSON. So you want to serialize / de-serialize your data accordingly, especially if its binary data. If possible I would recommend to use JSON.
Length
The maximum allowed length of most fields is documented in the official Slack API documentation. e.g. for the value field for message buttons can contain up to 2.000 characters. Keep in mind that you need to consider the length of your data after serialization. e.g. if you convert binary data into Base64 so it can be transported with HTTP you will end up with about 1.33 characters for every byte.
Contents
In general I would recommend to keep your data container as small as possible and not include the actual data, but only IDs. Here are two common approaches:
Include IDs of your data objects and load the actual objects
from a data store when the request is later processed.
Include the ID of server session and when processing the request you
can restore the corresponding server session which contains all data
objects.
In addition you might need to include functional values so that the functionality of the field you are using still works (e.g. value of a menu option, see below)
Implementation
Dialogs
Dialogs provide an official field for custom data called state. Up to 3.000 characters.
Message buttons
For Message buttons you can use the message action fields / value. Up to 2.000 characters. Its also possible to use the name field, but I would advise against it, because the maximum allowed length of that field is not documented.
Message menus
For Message menus you can use the value field of an option or the name field of the menu action.
Usually the value field is the better approach, since you have a documented max length of 2.000 and it gives you more flexibility. However, you will need to combine you custom data with the actual functional value for each option. Also, this will not work for dynamic select elements (like users), where you can not control the value field.
When using the name field note, keep in mind that the maximum allowed length of name is not documented, so you want to keep you data as short as possible. Also, if you want to use more than one menu per attachment you need to include the actual name of the menu into your data container.
Normal message attachments
Normal message attachments do not contain any suitable field to be used as container for custom data, since all fields are linked to Slack functionality.
Technically you could use the fallback field, but only if you are 100% sure that your app is never used on a client that can not display attachments. Otherwise your data will be displayed to the user.
I want to insert an image to database and display it in another page. I am using the PostgreSQL database.
My guide suggests that I insert the image with its file path in the database. When displaying, in place of the src attrib of img tag put the path from database. So can I get any help for this .
Please guide me for this or give me link for similar kind of problem.
(I'm a final year student, and feel that this project requirement is difficult).
Your guide is entirely correct. Part of what you are supposed to be learning is problem solving: how to break a big problem down into many smaller, simpler problems you can solve piece by piece. It sounds like it's hinting at this, but expects you to be able to do that yourself, which is pretty reasonable.
You need to break this down into steps, and do each step in isolation. That's how anything but the most trivial programming task must be done.
(It isn't clear if you want to store the image data in the DB, or just a file system path, by the way, so I'm assuming you want to write the file to the local file system and just store the path in the DB).
Anyway, this should be fairly simple JSP. To display:
One JSP that:
Examines the query parameters for the image ID
Uses JDBC to fetch the associated path of the image on the file system from the database (a simple SELECT using the image ID as a query parameter)
Opens the image on the file system as a binary stream; also stats it to get its size
Sends appropriate HTTP headers eg Content-Type: image/jpeg and Content-Length: image-length-in-bytes to the client
Copies the raw image data from the image input stream to the output stream that sends to the client
Another JSP that generates the HTML and has an <img src="/the/image/jsp?imageid=blah"> link in it.
If you're required to submit just one JSP file, you can combine the two by having the JSP show a HTML page if it doesn't receive any query parameters, and send an image if it does receive an image id as a query parameter.
To insert:
One JSP that displays a HTML form with a file upload link if it doesn't get called with any HTTP POST data
If the JSP does get called with HTTP POST data:
** Issue a JDBC INSERT to create a record for the file in the database, but do not commit
** Access and decode the POST data using the methods provided in JSP
** Extract the desired file name from the form data and open a binary output stream to a file on the filesystem with that name
** Copy the image bytes into that output stream, url-decoding if required (the HTTP POST form handling code in JSP is likely to decode it to a byte stream for you, though)
** Flush and close the output stream
** Commit the transaction with the JDBC INSERT.
You should be able to find numerous examples of both with a quick Google search. If you can't, adapting examples from other programming languages should be easy enough.
For inserting you must think carefully about the error cases. That's a large part of proper programming.
I am intentionally not showing you code examples. You should be able to do this yourself if you're a final year student. You won't know everything you need, but by now you should know how to find out what you don't know when you need to know it. Tutorials. Documentation. Google. Writing test programs to figure things out. Method name autocomplete in NetBeans / Eclipse. Adapting sample code. You've got lots of options.
I have a simple web application in which I make a call to a java servlet using ajax from a jsp page (via post). In the servlet I take data from the database and formulate a JSON and retreive in the jsp page . I then use eval function to parse the json and display the data in the division using the innerHTML property . Somehow, this approach seems to be vulnerable to xss attacks . Can someone provide some pointers on how XSS attck can be prevented in this use case?
This sounds like DOM Based XSS. There are a few ways of preventing DOM Based XSS. Either you have to html encode the data on the server or the client. HTML encoding data in the database should always be avoided because it changes the value of the data and will affect how the data is sorted, ect. XSS is an output problem so it should be solved by the code that is building the HTML, which in your case is JavaScript.
Newer browsers support JSON.parse().For older browsers use json2.js.
You should also properly encode the JSON so values cannot break out of quotes etc. Find a decent json encoder and use that on the server side.
Use jqGrid, how to load the local json request directly data without url, consult ace,
JqGrid whether uncompressed version of the source
I am not sure what do you mean under "decompression" or "uncompressed". If you want use not minimized version of jqGrid you should just include another JavaScript files.
If the data are a string in JSON format you should create the grid using the parameter datastr and the datatype:'jsonstring' (see documentation for more information). If the data are not JSON but an object instead you can use data parameter and datatype:'local' or methods like setRowData. Take in the consideration that the usage of localReader can be required (see Array Data in the documentation).