Is it XSS safe to allow clients to submit jQuery selectors?
I would run a selector string submitted potentially by trolls and put it into $('') to select elements on the page.
Client submitted jQuery selectors, is it safe?
213 Views Asked by Harry At
1
There are 1 best solutions below
Related Questions in JAVASCRIPT
- Using Puppeteer to scrape a public API only when the data changes
- inline SVG text (js)
- An array of images and a for loop display the buttons. How to assign each button to open its own block by name?
- Storing the preferred font-size in localStorage
- Simple movie API request not showing up in the console log
- Authenticate Flask rest API
- Deploying sveltekit app with gunjs on vercel throws cannot find module './lib/text-encoding'
- How to request administrator rights?
- mp4 embedded videos within github pages website not loading
- Scrimba tutorial was working, suddenly stopped even trying the default
- In Datatables, start value resets to 0, when column sorting
- How do I link two models in mongoose?
- parameter values only being sent to certain columns in google sheet?
- Run main several times of wasm in browser
- Variable inside a Variable, not updating
Related Questions in JQUERY
- In Datatables, start value resets to 0, when column sorting
- Bootstrap modal not showing at the desired position on a web page when the screen size is smaller
- window.location.href redirects but is causing problems on the webpage
- Using JQuery Date Slider
- Storing selected language in localStorage
- How to stop other divs from still showing when i click a different button?
- Check multiple values with jQuery
- Bootstrap component does not want to render in Datatables function
- put white spaces when entering an amount moneytype symfony
- Trouble accessing custom header in AJAX response using jQuery in Fiware Keyrock
- I just cant make it work, HTML, JS and Firebase error
- Didn't declared variable still not getting any error in JavaScript
- Move element horizontally while scrolling vertically in pure JavaScript
- allow multi carousel in same page
- Embedded TikTok posts / thumbnail styling issue
Related Questions in SECURITY
- HTTPS configuration in Spring Boot, server returning timeout
- HSM ZKA control mask values
- OWASP Amass Subcommands
- Is there a need for BPF Linux namespace?
- Error when trying to execute a binary compiled in a Kali Linux machine on an Ubuntu system
- When sanitize/encode while implementing tags system like on SO
- spring security version in spring-boot-starter-security
- I am currently trying to implement a rudimentary firewall from a video I watched but the nimda worm detection is not working and i do not know why?
- Is it possible for `sudo` to fail temporarily with the correct password? Hacking suspected
- Is it viable proxying all my mobile apps requests, to some kind knowing that a request is coming from a secure source
- What abilities should I concentrate on while bug hunting, and how can I improve the quality of my bug bounty reports?
- System.ArgumentOutOfRangeException: I passed this error in every single program
- How to prevent users from creating custom client apps?
- Does server-side content security policy exist for youtube video player API, app, mod apks and website?
- Can we pass a hostname/IP address as a query string in a GET request in REST API
Related Questions in XSS
- How to sanitise request body in spring boot if some attributes contain these values
- Using Content Security Policy to prevent XSS with HTML object/data tag
- Checkmarx DOM XSS Vulnerability flagging JS/jQuery code
- Prevent XSS attack on an application made using outsystems, preventing file upload which has hidden javascript code
- How to fix checkmarx reflected XSS attack in JSP page?
- how to prevent url custom parameters xss attack in WordPress
- XSS scan with python and selenium
- i'm trying to sanitize but it doesn't work
- XSS attack on location map
- How to create "unsafe" environment for JavaScript XSS testing
- Is there still an XSS bug in JQuery1.12.4 when I upgrade my JQuery framework from 1.7.2 to 1.12.4?
- Is it safe to store TwitterAPI access tokens in Session variables?
- Sanitize injected CSS to prevent XSS
- Is this POC a real XSS vulnerability?
- How to preserve rich text formatting in contentNote after escaping HTML characters to prevent XSS attack in salesforce
Related Questions in JQUERY-1.8
- cannot get value from $_post
- Client submitted jQuery selectors, is it safe?
- copy / clone script tag with jquery
- keyup and keydown are not synchronized?
- Jquery range slider with manual input
- undefined value working in jquery 1.8.3 but not in 1.9.1
- Refresh currently selected tab on Ajax success
- jquery 1.8.2 autocomplete + .live() + .create() , not working together
- Upgrade jQuery 1.7.3 to 1.8.0+ Syntax error [data-role]=page] (in combination with jQuery Mobile)
- Jquery.clean method documented?
- jQuery 1.8 in IE 11 does not fire image load event on page load
- JavaScript runtime error: Could not complete the operation due to error 80020101
- Avoid resize event to be fired on page load in Chrome
- Find last child with jquery
- jQuery 1.8.2 - how do I grab an option from a select with only the text?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Ref: https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute
Most of the time, ids are letters and digits, with hyphens or underscores. This code requires that the first character of the id is a letter, followed by more letters, numbers, underscores and dashes.
If you are willing to limit the accessible element ids in that way, you may use the following validation scheme to prevent XSS.
JavaScript (would run on the server)
PHP
This limits entry to simple ids, and it is implied you would add the # into the selector. If you are willing to allow more complex selectors, you can update the validation.