code-injection

Injecting CSS rules into the page in Android Browser

浪子不回头ぞ submitted on 2019-12-24 20:00:01
Question: I'm writing a JavaScript to inject a new CSS rule into pages in the Android browser in order to display some text in a custom CSS font (after some replacement). Here is how I tried to inject the CSS rule: var css = '@font-face {font-family:"font"; src:url(http://www.example.com/font.ttf);} si{font-family:"font"}'; if(document.getElementsByTagName("style")[0]){ var style = document.getElementsByTagName("style")[0]; } else { var style = document.createElement("style"); style.type = "text/css";

PHP preg_replace security

纵饮孤独 submitted on 2019-12-24 16:42:52
Question: I need to prevent cross-site scripting (XSS). How can I validate that it isn't a cross-site script? The issue is with my "url" BBCode. function bbcode($input) { $search = array('/\[a url="(.+?)"\](.*?)\[\/a\]/is'); $replace = array('<a href="$1" style="color: #337ab7; text-decoration: none" target="_blank">$2 </a>'); return preg_replace($search, $replace, $input); } bbcode([a url="javascript://hello.com/%0Aalert(%27s%27)"]XSS[/url]); The code above is an example of what happens. When you click

What is the best way to prevent email Injection in a mailform? [duplicate]

☆樱花仙子☆ submitted on 2019-12-24 15:07:24
Question: This question already has answers here: How to sanitize user input in PHP before mailing? (5 answers) Closed 6 years ago. Hello, I have built an email form and I would like to know if it is built in a secure way. I have read the article How to Prevent Email Injection in Your PHP Form to Mail Scripts and applied it to my script. Now I would like to know whether the variables $to and $bcc are safe. function sendmail($to,$subject,$message,$bcc=NULL){ //Prevent Email Injection in Your PHP Form to Mail Scripts if (

C++ Make a Program Write Over Itself

ぐ巨炮叔叔 submitted on 2019-12-24 12:57:35
Question: I posted a question on a similar topic a couple of days ago (and one a couple of years ago), but I decided to go ahead and get started. I am trying to inject C++ code into C++ code (in a somewhat portable manner, using no OS-specific features and trying to be compiler/toolchain independent). I basically want to do this in an attempt to do runtime C++ scripts. I wrote a small test program (it's really just kind of thrown together and hacky): Main.cpp: #include <stdlib.h> #include <iostream>

Rebuilding a packet to inject via pcap

送分小仙女□ submitted on 2019-12-24 11:04:28
Question: Here is the situation: in my scenario I have 3 computers, A, B and C. Computer A sends data to computer B. Computer B captures these packets with pcap, appends the headers, redoes the checksums, and injects them out another Ethernet interface to computer C. So basically A sends to C, though from C's point of view the data is coming from computer B. My problem is this: following TCPDUMP's tutorial on dissecting a captured packet, I've learned to calculate offsets and to use typecasting to

Standard regex to prevent SPARQL injection?

房东的猫 submitted on 2019-12-24 03:44:14
Question: I am developing a RESTful API in Scala that sends SPARQL queries to a triplestore. I read an article about the threat of SPARQL injections when user-defined params (URL params in an HTTP GET request) are directly put in the SPARQL (e.g. in a fulltext search). I saw some Jena-specific solutions (using its Java API) that are not useful for me. Is there some kind of standard regex search-and-replace pattern to escape malicious characters in a string that should be integrated in a SPARQL query?

Injecting Log4J loggers with Spring

丶灬走出姿态 submitted on 2019-12-24 03:23:52
Question: I have a Spring 2.5 webapp with the following web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <display-name>Spring BlazeDS Integration Samples</display-name> <context-param> <param-name>webAppRootKey</param-name> <param-value>ServerBlaze</param-value> </context-param> <context

How can I protect this code from SQL Injection? A bit confused

和自甴很熟 submitted on 2019-12-24 02:05:05
Question: I've read various sources but I'm unsure how to implement them in my code. I was wondering if somebody could give me a quick hand with it? Once I've been shown how to do it once in my code I'll be able to pick it up, I think! This is from an AJAX autocomplete I found on the net, although I saw something about it being vulnerable to SQL injection due to the '%$queryString%' or something? Any help really appreciated! if ( isset( $_POST['queryString'] ) ) { $queryString = $_POST[

How can I protect this code from SQL Injection? A bit confused

给你一囗甜甜゛ submitted on 2019-12-24 02:04:39
Question: I've read various sources but I'm unsure how to implement them in my code. I was wondering if somebody could give me a quick hand with it? Once I've been shown how to do it once in my code I'll be able to pick it up, I think! This is from an AJAX autocomplete I found on the net, although I saw something about it being vulnerable to SQL injection due to the '%$queryString%' or something? Any help really appreciated! if ( isset( $_POST['queryString'] ) ) { $queryString = $_POST[

Demonstrating SQL injection attacks to my boss

点点圈 submitted on 2019-12-24 00:45:03
Question: So I have a project at work to try and teach my boss to start using prepared SQL statements, but he could care less and says it's not a big deal. I want to know how to prove to him it is a big deal, but I just can't figure out how to inject a drop table command on the development test server we have set up. I developed an application for a company that is in its testing phase and I want to take it down (I have a backup) to present the issue to him, as I am using his SQL code. I am trying to