Avoid XSS attacks on Angular JS - angularjs

I'm currently editing an existing web application where I need to improve the code to protect it from XSS attacks. I researched it, but most of the articles I found were for raw HTML and also didn't give many examples. I was thinking that I may just need to use some anti-XSS libraries, but I'm not sure. I'm fairly new to AngularJS, so I would like to get some insights first before changing anything.
Here are some of the code lines that are said to be unsafe.
Here are sample code snippets of the first 3.
Line 1663:
Line 1686:
Line 1836:

I haven't found an article specific to my case, but the link below gives an idea of how to remediate this at a basic level.
https://vitalflux.com/angular-top-10-security-best-practices-vis-vis-security-risks/
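As an added example for the question above (not code from the original post or from the linked article), the block below models the AngularJS 1.x output contexts that decide whether user data becomes script: text bindings, href bindings, and ng-bind-html with and without $sce.trustAsHtml. The module and controller names, the constructed UNTRUSTED_COMMENT string, and the allow-list regex (only modelled on Angular's default, which varies slightly between 1.x versions) are assumptions for this example.

```javascript
// Added example for the question above; not code from the original post or the linked article.
// It models the AngularJS 1.x output contexts that decide whether user data becomes script.

// Constructed untrusted input, e.g. a stored comment that an attacker controls.
var UNTRUSTED_COMMENT = 'Nice post <img src=x onerror="alert(document.cookie)">';

// Equivalent of what {{ expr }} and ng-bind do: the value is written as text, so the
// browser never parses it as markup. Written out as explicit escaping so it can be checked.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Modelled on the default href sanitization AngularJS 1.x applies to href/ng-href bindings
// (assumption: the exact allow-list regex differs slightly between 1.x versions).
// Only these schemes pass; anything else, e.g. javascript:, gets an "unsafe:" prefix.
var SAFE_HREF_SCHEME = /^\s*(https?|s?ftp|mailto|tel|file):/i;
var HAS_SCHEME = /^\s*[a-z][a-z0-9+.-]*:/i;
function sanitizeHref(url) {
  url = String(url);
  if (!HAS_SCHEME.test(url)) { return url; }            // relative URL: no scheme to abuse
  return SAFE_HREF_SCHEME.test(url) ? url : 'unsafe:' + url;
}

// Wiring into AngularJS (only registered when Angular is loaded). Module and controller
// names and the ngSanitize dependency are assumptions for this example.
if (typeof angular !== 'undefined') {
  angular.module('app', ['ngSanitize'])
    // Vulnerable: trustAsHtml tells $sce the string is safe, so
    // <p ng-bind-html="ctrl.html"></p> inserts it verbatim and the onerror handler runs.
    .controller('VulnerableCtrl', ['$sce', function ($sce) {
      this.html = $sce.trustAsHtml(UNTRUSTED_COMMENT);
    }])
    // Hardened: leave the value untrusted. With ngSanitize loaded, ng-bind-html passes it
    // through $sanitize, which strips the onerror attribute; ng-bind / {{ }} render it as text.
    .controller('HardenedCtrl', function () {
      this.html = UNTRUSTED_COMMENT;     // <p ng-bind-html="ctrl.html"></p> -> sanitized markup
      this.text = UNTRUSTED_COMMENT;     // <p ng-bind="ctrl.text"></p>      -> escaped text
      this.link = 'javascript:alert(1)'; // <a ng-href="{{ctrl.link}}">      -> unsafe:javascript:...
    });
}
```

The practical check when auditing flagged lines is therefore: every `$sce.trustAsHtml`, `$sce.trustAsUrl` or `$sce.trustAsResourceUrl` call whose argument can be influenced by a user is a finding, and `ng-bind-html` without ngSanitize loaded throws rather than rendering, so a working page that shows user markup is either sanitizing it or trusting it explicitly.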


Login with AngularJS [closed]

Closed 7 years ago.
I need to implement the following feature: whenever somebody comes to the site, they see the login form, and if they didn't log on correctly, any other URL should show them the login form.
How can I do this?
I have a project I inherited and am only starting with Angular, so I have no idea where to change the first page I show or how to block unauthorized users from accessing other URLs.
To keep the explanation as basic as possible, Angular works in the main index.html file by using "controllers" to tell the client browser what to do. Somewhere in your folder hierarchy should be a folder named "partials", "templates", "views", or something similar. It should contain a bunch of small .html files. Those files are swapped using AJAX embedded in Angular. There should be an HTML element with an attribute ng-app="whateverYourAppsNameIsHere" in its opening tag; anything in between this tag is "Angular."
Angular seems complex at first, but once you keep at it, it gets much easier. Everything within the ng-app attribute is powered by your JS files, and there are some really good free resources out there, including Code School, which has one, and Angular itself. Google hosts their own "phonecat app", which explains all the basics in pretty good detail in a walk-through tutorial, with code snippets provided for when you can't quite figure it out. Make sure you use this link though: [Google: Angular - go to "tutorial"] (https://angularjs.org/). There is currently an Angular 2.0, which is written in TypeScript (shorthand JS), found at: FYI only, make sure you're not on this domain. Know this exists in the event you start liking TypeScript, but I'd recommend sticking with plain Angular until you're comfortable with it.
Okay, so that's a brief splash of what's what to find your files, and hopefully it helps you grasp any answers a bit better. At the very least, those are two really good resources to start learning Angular from.
For your direct question, "How do you manage users being logged in, or send them to a page?", there are many ways to perform that task, so I'll give you guidance on how to best learn it, in my opinion. 1) Review "ng-if", which you can use to display/not display a page section (or, as you asked, re-route to a login form if not verified). People typically seem to use a "router" for Angular; Angular-UI is a fairly well recognized one, and you can find it here: npm angular-ui-router. You can also verify someone on the back end when they call out to the server for page updates.
So I know I didn't directly answer your question, but the links I sent you will more than answer it and also give you some guidance on where to start learning/looking for resources. If you're not yet familiar, I would recommend building/maintaining your app in Yeoman if you have not done so already. Yeoman and [Yeoman - tutorial] (https://www.youtube.com/watch?v=gKiaLSJW5xI) <-- This guy is AMAZING for tutorials, and he's very reassuring when you're scratching your head feeling overwhelmed with coding things.
Hope it helps; that's 3 years' worth of resources touted in one question response. Happy coding! ;)
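The answer above points at ng-if, a router and back-end verification without showing how they fit together. As an added example (not code from the answer, from angular-ui-router or from AngularJS itself), here is a route guard for AngularJS 1.x with ngRoute: routes flagged `requiresAuth` send an unauthenticated visitor to /login and remember where they were going. The route table, the `requiresAuth` property and the `session` service are assumptions for this example. The redirect is a convenience only; a user can switch it off in the browser, so every protected API call must still be checked on the server, which is the "verify on the back end" part of the answer.

```javascript
// Added example for the answer above; not code from the original post or from AngularJS.
// A route guard for AngularJS 1.x with ngRoute. The client-side redirect is UX only:
// the server must still reject unauthenticated requests.

// Hypothetical route table, keyed by exact path. `requiresAuth` is an assumed custom property.
var ROUTES = {
  '/login':  { templateUrl: 'partials/login.html',  requiresAuth: false },
  '/':       { templateUrl: 'partials/home.html',   requiresAuth: true  },
  '/orders': { templateUrl: 'partials/orders.html', requiresAuth: true  }
};

// Pure decision: may navigation to nextPath proceed, and if not, where does it go instead?
// Unknown paths are denied rather than allowed, so a forgotten route cannot bypass the guard.
function guardDecision(nextPath, isAuthenticated) {
  var route = ROUTES[nextPath];
  if (!route) {
    return { allow: false, redirectTo: '/login', returnTo: null };
  }
  if (route.requiresAuth && !isAuthenticated) {
    return { allow: false, redirectTo: '/login', returnTo: nextPath };
  }
  return { allow: true, redirectTo: null, returnTo: null };
}

// Hooks the decision into ngRoute. Takes the services as parameters so it can be exercised
// with stubs; in the app it is registered through module.run below.
function registerRouteGuard($rootScope, $location, session) {
  $rootScope.$on('$routeChangeStart', function (event) {
    // At $routeChangeStart, $location.path() already holds the path being navigated to.
    var d = guardDecision($location.path(), session.isAuthenticated());
    if (!d.allow) {
      // Cancels the route change on AngularJS 1.3+; on older versions the $location
      // change below is what triggers the new route.
      event.preventDefault();
      $location.path(d.redirectTo);
      if (d.returnTo) { $location.search('returnTo', d.returnTo); }
    }
  });
}

if (typeof angular !== 'undefined') {
  angular.module('app', ['ngRoute'])
    .config(['$routeProvider', function ($routeProvider) {
      Object.keys(ROUTES).forEach(function (p) { $routeProvider.when(p, ROUTES[p]); });
      $routeProvider.otherwise({ redirectTo: '/login' });
    }])
    // Hypothetical session service; a real one reflects a server-issued session.
    .factory('session', function () {
      var user = null;
      return {
        isAuthenticated: function () { return user !== null; },
        login: function (u) { user = u; },
        logout: function () { user = null; }
      };
    })
    .run(['$rootScope', '$location', 'session', registerRouteGuard]);
}
```

The login controller, after a successful server response, reads `returnTo` from `$location.search()` and navigates there, which keeps the redirect usable without the guard ever trusting the client's claim of being logged in for anything that matters.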

How are you integrating help into your WPF application. Any recommendations?

The question says it all really. If you are writing a WPF application, how are you integrating the application help? What is the state of play in mid-2013?
It seems that there is no clear answer to this from an afternoon with a search engine, but there are several options:
Write your own fancy tooltip based help (but where are you getting your data from?)
Use .CHM files and the Windows Forms help system (seems archaic to me).
Use Microsoft Help Viewer 1.X or Microsoft Help 2.0.
There is some confusion as to which is more recent / approved of by MS. It appears Help Viewer 1.X might be the recommended option over Microsoft Help 2.0. It doesn't help that the names are so similar...
What is the status of 2.0? Should we use it? Was it ever fully deployed?
Use a third-party product to author your help files and link to them somehow - DocToHelp/NetHelp, NetAdvantage on-line help, etc...
Furthermore, what XAML based mark-up / attributes are you using to provide the necessary context? What is the recommended method?
It seems surprising there is no clear path for supporting application based help in WPF.
My current preference is to use a third-party help authoring system to generate HTML-based help.
We then use a WebBrowser to display this help as needed. The authoring system we use makes it fairly easy to extract out a single page from the main help (each "topic" is a single HTML file, and can be included with full contents or not as desired).
Granted, this definitely felt like a bit of a nasty hack at first - but once we wrote the basic plumbing (some attached properties for xaml to specify attributes for context location and add behavior to trigger help, etc), it's fairly clean.
One very nice advantage to this approach, however, is a single help system build works perfectly in all contexts - we can include the documentation online, expose it locally for use in a browser, and use it with context from within our application directly.

gae-boilerplate documentation

In my search for a good social login package for App Engine, I am giving gae-boilerplate a try. But I find there is no documentation except the readme file, which I think is not enough at all.
I have many questions, among them:
Should the boilerplate be used as a library or download and modify as needed?
How should the boilerplate be updated?
What does each model do?
Where should my templates go?
Should I have a different routes file?
Should I derive my Handlers from BaseHandler?
In general, what things should I implement in my pages? For example, I found out that I have to include a csrf_token in all POST requests. It would have been nice to know this in advance, and the many other things that I'm having to find out along the way, and which I implement without being sure if I'm supposed to be doing that.
And some more...
My biggest problem is that social login is not working, and I feel this boilerplate is a big monster with which I don't know where to start. To make things worse, it is hard to debug social auth from any machine that is not the production one. That's why I'm desperately looking for some docs.
I have not found anything in SO, and I guess there must be more people in my situation. So, any pointers to documentation that could help to understand gae-boilerplate a little bit better would be very appreciated.
EDIT: I switched to gae-boilerplate in a site that I had previously working. Maybe most of my problems come from the way that I have tried to integrate gae-boilerplate and my existing site. As a result I have tried to treat gae-boilerplate as a library, and keep my own templates, handlers, static files and such.
Thank you guys!
EDIT 2: After trying other options, I have to say that I am very happy with gae-simpleauth. It works really well, and Alex's support is superb.
I will try to answer most of your questions below:
Should the boilerplate be used as a library or download and modify as needed?
You can modify it as needed based on your specific requirements.
How should the boilerplate be updated?
What do you mean?
What does each model do?
User and SocialUser are pretty self explanatory. LogVisit and LogEmail are used for auditing purposes.
Where should my templates go?
In the templates directory
Should I have a different routes file?
No, you can use the existing file for all your routes.
Should I derive my Handlers from BaseHandler?
It's not mandatory, but I would recommend doing so. BaseHandler is very handy and provides a lot of good stuff.
In general, what things should I implement in my pages?
What exactly do you mean?
In general, you can use gae-boilerplate as a reference on top of which you will build your own project. Study the code step by step, try to figure out the purpose of each file and library used and how they work together. This way you will gain good knowledge of a lot of things like Jinja templating, OAuth2, etc.
Hope this helps.

Microsofts latest anti XSS Library for asp.net - 4.2.1 - Problems and Alternatives(?)

I have a problem using the latest WPL v4.2.1. The stripping of suspect HTML, JavaScript and styling is so aggressive that it strips out ALL the CSS.
I understand that CSS can be easily used to inject malicious JavaScript using URL references, but this also means I'm losing all the innocent styling that makes my content look readable. The last thing I want displayed on my aspx pages is boring 'plain' text.
My question: Is there another library on the market/the web which I can use which will not strip off my styling elements completely? By that I mean selectively removing only the possibly malicious attributes within the CSS.
I have tried searching but without much luck. If anybody knows of one, could you post the answer here please? I know the current source code can be modified, but I'd really like to use an available project if there is one, as I'm not very knowledgeable about cross-site scripting.
Thanks a ton!

Brackets in URL causes all manners of madness

I'm creating a mobile version of a website using jQuery Mobile, but have found the vast majority of the built-in functionality is broken.
The problem arises from my URLs, they look like this:
http://www.mysite.com/testurl/(S(3wlciqrhccimwx133y2sivxb))/Home/Logon.aspx
^^^
The bit in brackets is different for each session.
Any use of the back button, or ajax page loading causes this error:
Uncaught Syntax error, unrecognized expression: data-url='/testurl/(S(0f2xpaxk5131rsm1rkmantws])/Home/Index.aspx')
I really, really need help with this, I've bodged my way around most of the problems, but if I could just get the core functionality to work, my life would be a lot easier.
Cheers!
Following on from Alex K's advice, here's the edited jquerymobile.js file that allows brackets in the URLs - hope it helps someone else:
http://jsfiddle.net/bazzlad/bWUsa/
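As an added example for the post above (not code from the post, from the linked fiddle, or from jQuery Mobile), the block below shows two ways to look up an element by a URL such as /testurl/(S(...))/Home/Index.aspx whose parentheses, quotes or backslashes would otherwise be read as selector syntax: quoting the value properly for an attribute selector, and not putting data into a selector at all. The sample URL is constructed in the shape the post describes. Since the bracketed value changes per session, treat it as a session identifier and keep it out of logs and third-party Referer headers as well.

```javascript
// Added example for the post above; not code from the post, the linked fiddle, or jQuery Mobile.

// Constructed sample URL in the shape the post describes.
var SAMPLE_URL = '/testurl/(S(3wlciqrhccimwx133y2sivxb))/Home/Logon.aspx';

// Option 1: quote the value for an attribute selector. Inside a double-quoted attribute
// value only the backslash and the double quote are special, so escaping those two is
// enough; parentheses and brackets are then literal characters.
function quoteAttrValue(value) {
  return '"' + String(value).replace(/["\\]/g, '\\$&') + '"';
}

// Builds a selector safe to hand to $() or querySelector(), e.g. $(dataUrlSelector(url)).
function dataUrlSelector(url) {
  return '[data-url=' + quoteAttrValue(url) + ']';
}

// Option 2: do not put data into a selector at all. Select on attribute presence and
// compare the attribute value in code; nothing in the URL can change the meaning of the
// query. `elements` is any array-like of DOM elements, e.g. document.querySelectorAll('[data-url]').
function findByDataUrl(elements, url) {
  var matches = [];
  for (var i = 0; i < elements.length; i++) {
    if (elements[i].getAttribute('data-url') === url) { matches.push(elements[i]); }
  }
  return matches;
}
```

Option 2 is the more robust of the two because it has no escaping step to get wrong, and it is also what makes the comparison exact: a selector engine may normalise or fail on characters the DOM attribute stores verbatim.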
