security « Development « HTML CSS Q&A


1. GET versus POST in terms of security?    stackoverflow.com

This may be a dumb question, but between a http POST and GET, what are the differences from a security perspective? Is one inherently more secure than another? I realize that ...

2. Can you find the web security issue here?    stackoverflow.com

I have a webpage that redirects to another webpage like this:

http://www.myOtherServer.com/Sponsor.php?RedirectPage=http://mylink.com/whereIwasgoingtogo.html
Then the Sponsor.php page displays an ad with a link saying "Continue to your page" that links to the passed in ...

3. Unlinked web pages on a server - security hole?    stackoverflow.com

On my website, I have several html files I do not link off the main portal page. Without other people linking to them, is it possible for Jimmy Evil Hacker to ...

4. Web security, are there issues with hidden fields (no sensitive data)?    stackoverflow.com

I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden fields but ...

5. Apart from

8. Why is there a symlink from www/ to public_html/ in Bluehost by default?    stackoverflow.com

My internet sites are at the folder

public_html
I noted that www/ seems to have a symbolic link to public_html. I do not know why we need the www/ -folder, when we ...

9. Can an Apache-served pure-HTML website be hacked?    stackoverflow.com

Assume you are running a pure-HTML website on Apache. Just serving static files, nothing dynamic, nothing fancy. Also assume all passwords are safe, and no social-hacking (i.e. phishing attacks, etc...) Can a website ...

10. Techniques for securing a pure HTML site    stackoverflow.com

I have been tasked with securing a pure HTML website for someone, and I'm not entirely sure how to approach the problem. Here are the constraints:

  1. All logins must link in ...

11. Work around for the same origin policy problem    stackoverflow.com

I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets ...

12. Cleaning all inline events from HTML tags    stackoverflow.com

For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc). I am thinking, isn't it enough to encode the following chars? =,(,) So onclick="location.href='ggg.com'"

13. how to manage security with user added external css (like myspace)    stackoverflow.com

I've got a page which it has been requested I allow some user customization via CSS. I'm happy to do this, but am trying to figure out how to make it ...

14. What is your opinion on uploading HTML?    stackoverflow.com

I am building a control in .net 2.0 to allow users to write HTML into a textarea and then upload it. .NET won't allow them to upload it unless I set ...

15. Is it safe to allow users to edit css?    stackoverflow.com

I have a web application where I would like to allow end users to customise the look of the web site by uploading their own css file. Are there any security issues ...

16. I'm finding rogue code included in my HTML page head -- how did it get there and how do I stop it?    stackoverflow.com

My major weakness is securing my sites -- I know, a bad weakness. I have a site now that when I view the source in Firebug, I'm seeing all kinds of scripts ...

17. Password protect a simple web site    stackoverflow.com

I've got an HTML-only website (with a bit of inconsequential javascript). The static pages are generated from a photo-blogging program that I created. There are hundreds of pages and ...

18. How to control access to third party HTML pages    stackoverflow.com

We have a Learning Management System (LMS) that runs on its own server (IIS/Server 2003). Students must login with Forms authentication to gain access to the content. We want ...

19. How to restrict user access the file on the HTTP Server?    stackoverflow.com

I'm writing a web application that allow user upload their files on the app. The file will be uploaded on the HTTP Server, after the user click the "upload" button. The ...

20. Security Concern about hidden form field    stackoverflow.com

I want to check the user whether they have signed in or not, so I assign a hidden form field to store the session key, and I have a post method ...

21. What in an HTML page is unique?    stackoverflow.com

My question is about verification more than anything else. What can be used to determine what is unique in an HTML document? (The document can have a degree of being dynamic.) What ...

22. Is using GET with a tokenID for security a good idea?    stackoverflow.com

I was thinking about this and it appears POST is only a little less vulnerable and somewhat harder (due to requiring the user to click something). I read about token ids and ...

23. Win32: HtmlHelp doesn't work from a network share. What's the alternative?    stackoverflow.com

Since 2005, when Microsoft prevented HtmlHelp functioning off a network share, e.g.:

\\appserver\tos\PointScanner.exe
\\appserver\tos\PointScanner.chm
What are we supposed to do instead? (Given that the application is not installed locally.)
To rephrase: What is Microsoft's intended, ...

24. How to detect hidden field tampering?    stackoverflow.com

On a form of my web app, I've got a hidden field that I need to protect from tampering for security reasons. I'm trying to come up with a solution ...

25. What are the downside of not having an index.html file to some directories    stackoverflow.com

I'm curious what are some effects/downside of not putting an index.html file to your directories (e.g images). I know when an index file is not present to a directory, files inside ...

26. best way to switch between secure and unsecure connection without bugging the user    stackoverflow.com

The problem I am trying to tackle is simple. I have two pages - the first is a registration page, I take in a few fields from the user, once ...

27. Minimum requirements for escaping HTML output    stackoverflow.com

What are the characters that are required and suffice when escaping user-generated content before output? (in other words: what are the characters web developers should escape when outputting text that previously ...

28. Question about POST method security    stackoverflow.com

Let's say I have a post form like this:

<form action="myApp/form_action.asp" method="post">
  First name: <input type="text" name="fname" /><br />
  Last name: <input type="text" name="lname" /><br />
  <input type="submit" value="Submit" ...

29. style considered harmful?    stackoverflow.com

We have some code that removes "dangerous" attributes and tags from HTML. I noticed that style is among the list of "dangerous" attributes. What could be the risk from ...

30. Html Browser: best practice to pass user SID to server-side    stackoverflow.com

Legacy application (win32 clients + centralized db) has 40+ installations in a company & lacks the ability to be extended by plugins. Legacy authentication system relies on computer name, user name ...

31. Are there spam concerns when using the address tag?    stackoverflow.com

I know that spam bots scour web sites and harvest emails, however I wasn't sure about the extent of information that they search for (for instance, names, physical addresses, phone numbers, ...

32. SSL insecure objects    stackoverflow.com

On my page https://ol-shop.at/index.php?route=account/login it seems to be that there are insecure objects. Could someone please help me, taking a look on the source code. I don't know which ...

33. HTML Comments Extractor    stackoverflow.com

I am well aware that parsing HTML with regex has its many caveats and vociferous opponents. So rather than trying to re-invent the wheel, I'm looking for a tool that I ...

34. Why should primary keys of DB not be shown in html code, e.g. in select fields?    stackoverflow.com

anywhere I read that values in select boxes (or anything else in the html code) should not be the primary key of the database table. For example:

<select>
     ...

35. A question about a CSS browser attack    stackoverflow.com

I have been reading this - http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html I do not understand it completely. The PoC displays an alert to the user. How does this help an attacker? From trying to understand ...

36. securely accepting html in mysql    stackoverflow.com

I allow some HTML tags to be used in my form. How can I ensure my database (mysql) is safe, when using php to insert this data into it?

37. Is there an equivalent for html_encode in freemarker?    stackoverflow.com

I'd like to prevent potential issues with xss in my freemarker templates. Is there a filter that can be run in the template code that can sanitize the parameters the template ...

38. What are the best measures to protect content from being crawled?    stackoverflow.com

I've been crawling a lot of websites for content recently and am surprised how no site so far was able to put up much resistance. Ideally the site I'm working on ...

39. postaudit a HTML file    stackoverflow.com

I have a generated HTML file, and I want to audit it, before uploading it to a website (a script does it, in every hour) I want to audit for things like ...

40. To captcha or not to captcha    stackoverflow.com

I would like to know what do you think about adding captcha mechanisms to registration forms? I notice that many sites don't use captcha mechanisms in their registration forms(examples: http://djdesignerlab.com/2010/04/14/25-cool-sign-up-and-login-form-designs/). ...

41. How to change clients' site dynamically?    stackoverflow.com

So, going from the discussion here where I was soundly rebuked and for good reason. I want to give clients unique code snippets that allow me to change a banner ...

42. What are the minimum file and folder permissions under the public_html directory of a website?    stackoverflow.com

Although I've come across specific case related answers to this question I have not come across a general guide to the uninitiated on the subject. Basically when you upload your website to ...

43. Is there a security threat if I enable a user to add CSS?    stackoverflow.com

Is it not secure to enable user to add his own rules of CSS to his personal page, in (for example) a social website ?

44. User-defined CSS: What can go wrong?    stackoverflow.com

So, for a new community site I am working on, we are considering allowing the users to write their own CSS. Perhaps with a text area in their profile page. Then ...

45. .Net Active-X on HTML page: Can't get MAC address    stackoverflow.com

I try to get mac address from active-x that is placed onto HTML web page

 [PermissionSet(System.Security.Permissions.SecurityAction.Assert, Unrestricted = true)]
 public string GetMacAddress()
 {
     var nic = NetworkInterface.GetAllNetworkInterfaces()
 ...

46. User Uploaded CSS safe?    stackoverflow.com

Is there anything tricky someone could do with user-uploaded CSS to harm a site? If I wanted to allow users to upload/share their own CSS themes to a site, is there ...

47. BB Code versus restricted HTML    stackoverflow.com

Are there any security risks in allowing(whitelist only) pure markup tags such as a, b, i, etc in post submission? BB code seems like a heavy solution to the problem of injecting ...

48. What user account info should you encrypt and what to encode and what to leave as is?    stackoverflow.com

When you deal with account info, how secure should each data item be? I'm going to do three categories and list items under them, please tell me if I'm right/wrong: encrypt: password encode: email, address, paypal, secret_answer, leave as is: everything ...

49. How do you protect data that you don't want to hash?    stackoverflow.com

Ok I'm a newb at this. So plz correct me if any of my assumptions are off. When you hash something like with sha1, you can't reverse the hashed data to get the ...

50. What is the Security risk behind allowing a user to upload an HTML file to a Web Server?    stackoverflow.com

Is there any security risk in allowing a user to upload an HTML file to our webserver? Here are a few items to consider:

  • Only the user can access their html files
  • The file ...

51. Basic HTTP Authentication: User or Application?    stackoverflow.com

Should be a simple answer to my question, but on the web I seem to get conflicting information. Let's assume I have a simple API using Basic HTTP Authentication. A Mobile App ...

52. SSL site, but has warnings    stackoverflow.com

I'm trying to secure a site with SSL. SSL is installed, but when I visit the site, I get this from Chrome:

Your connection to domain.com is encrypted with 256-bit encryption. However, ...

53. PDO security and html special chars?    stackoverflow.com

Does PDO by default use html special chars? Or even better can I turn it on or off using php, I cannot find any documentation on whether this is possible or ...

54. Safari is more forgiving locally than remotely with malformed HTML. Why?    stackoverflow.com

I ran into a curious issue today. We have a web page that hides the body via CSS and then there's a bit of JavaScript that sets the body to display: ...

55. Prevent spam using Honey Pots    stackoverflow.com

I am really curious about how to prevent comment spam in a forum using a honey pot trap for spam bots. The thing that confuses me is the CSS (I am ...
