Cross-Domain Scripting in OC4J

Hi,
I was wondering if anyone could help us find a way to enable cross-domain requests on our OC4J container.
We're working on version 10.13.40!
We would like to expose our web services to other applications inside our organisation (which operate from another url). We would also like to expose them to localhost since we are using them to test our application on our local machines.
If anyone has any more information on this topic, please let us know!
Thanks in advance!
Maarten

I didn't exactly get you.
Let me explain my problem. I am trying to access a BI Publisher web service from outside the domain. My BI Publisher is hosted on OC4J. When I call this web service from inside the domain I get the expected response.
The header of the response does not have the Access-Control-Allow-Origin parameter in it. When I run the same code from outside, the status of my XMLHttpRequest object (my browser is Mozilla) is set to 0, which means that the server is rejecting my call, and I assume this is because the call is made from a place outside the domain.
I have learned that the Access-Control-Allow-Origin parameter controls the script requests which come from a place outside the domain.
I want to know a mechanism to set the Access-Control-Allow-Origin parameter in OC4J. I searched the documentation and this parameter is not mentioned. Is the name of this parameter different in OC4J? If so, what is it and where is it?
Thanking you in anticipation of your help
Regards,
Vishal
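
One container-independent way to send the header asked about above is a standard servlet filter declared in the web application's web.xml. The following is an added example, not part of the original thread and not Oracle's code; the class name `CorsAllowlistFilter`, the `allowedOrigins` init-param, the sample origins and the allowed request headers are all assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): answers cross-origin requests only for
// origins on an exact-match allowlist, instead of sending "*" or echoing
// whatever Origin the caller supplies.
//
// Assumed web.xml wiring (names and values are placeholders):
//   <filter>
//     <filter-name>cors</filter-name>
//     <filter-class>CorsAllowlistFilter</filter-class>
//     <init-param>
//       <param-name>allowedOrigins</param-name>
//       <param-value>http://app.internal.example, http://localhost:8080</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>cors</filter-name>
//     <url-pattern>/services/*</url-pattern>
//   </filter-mapping>
public class CorsAllowlistFilter implements Filter {

    private final Set<String> allowedOrigins = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedOrigins");
        if (param == null) {
            return; // empty allowlist: no cross-origin access is granted
        }
        String[] parts = param.split(",");
        for (int i = 0; i < parts.length; i++) {
            String origin = parts[i].trim();
            if (origin.length() > 0) {
                allowedOrigins.add(origin);
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The response depends on the Origin header, so caches must key on it.
        response.addHeader("Vary", "Origin");

        // Origin is scheme + host + port; compare it as an exact string.
        String origin = request.getHeader("Origin");
        boolean allowed = origin != null && allowedOrigins.contains(origin);
        if (allowed) {
            response.setHeader("Access-Control-Allow-Origin", origin);
        }

        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (allowed) {
                response.setHeader("Access-Control-Allow-Methods", "GET, POST");
                // Assumed header set for a SOAP-style web service.
                response.setHeader("Access-Control-Allow-Headers", "Content-Type, SOAPAction");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_OK);
            } else {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // never pass a preflight on to the web service itself
        }

        // Same-origin and non-browser callers carry no allowed Origin and are
        // served as before; a browser on an unlisted origin receives no
        // Access-Control-Allow-Origin header and blocks the script from reading.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

The filter avoids annotations and servlet 3.x calls so that it compiles against the older `javax.servlet` API; listing `http://localhost:8080` covers local testing without opening the service to every origin.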

Similar Messages

  • Xml Socket  policy to connect to a range of IPS cross domain scripting

    Dear,
    I have a problem with connecting to servers other than the
    one that served the swf file.
    I was facing the problem even on the same machine, so I have
    provided the policy file, to be served before opening the
    connection, and it works. In IE6 I was just skipping the
    request-policy-file that is sent by the movie and it works, but
    the other browsers didn't like this way. At that time I
    wrote the code to check for the header and send back the policy
    file.
    The policy file that I am using is the following:
    PolicyFile = @"<?xml version=""1.0""?><cross-domain-policy><allow-access-from domain=""192.168.1.100"" to-ports=""843"" /><allow-access-from domain=""192.168.1.101"" to-ports=""843"" /></cross-domain-policy>";
    My hope is to be able to connect to 192.168.1.101:843, and
    my web server is the other IP.
    Best regards

    Hi, go to
    Flash Resources , you can
    find a java application that can serve policy files to resolve this
    problem.

  • Cross domain scripting: error #2048

    Hi,
    This is my first entry in this forum but I already found a lot of answers by browsing it. However, although many references seem to solve the problem I'm hurting on, it doesn't seem to work for me...
    Now, here's the case:
    I made a flash web site that will be hosted on an external web server (let's call it server «www.external.com»).
    My flash needs to get some info from my internal server (let's call it «www.internal.com»).
    On «www.internal.com», I don't have access to the root, only to the folder «myfolder» so my website reads like this: «www.internal.com/myfolder».
    Being aware of some sandbox security issues, I made a crossdomain.xml file and uploaded it to «www.internal.com/myfolder/crossdomain.xml» to provide access to «www.internal.com/myfolder» from «www.external.com», which is the following:
    <?xml version="1.0"?>
    <cross-domain-policy>
         <allow-access-from domain="www.external.com" />
         <allow-http-request-headers-from domain="www.external.com" headers="*"/>
    </cross-domain-policy>
    In my flash, there is the code i use to retrieve my info:
    Security.loadPolicyFile("http://www.internal.com/myfolder/crossdomain.xml");
    var myData:URLRequest = new URLRequest("http://www.internal.com/myfolder/myapp/datarequest.cfm");
    var loader:URLLoader = new URLLoader();
    loader.load(myData);
    That's where I get the raging error #2048 in an error #2044 telling me this (excuse the french, my player and I use this language):
    Error #2044: securityError non pris en charge : text=Error #2048: Violation de la sécurité Sandbox : http://www.external.com/flashapp.swf ne peut pas charger de données à partir de http://www.internal.com/myfolder/myapp/datarequest.cfm.
    According to what I saw and read, loading a policy file should allow me to access info. Once I read that the crossdomain.xml file absolutely had to be on the root of the web server, unfortunately, I don't have access to the root.
    There surely is something wrong with what I am doing, anyone has a thought?
    Thanks in advance and sorry for the long message...

    just a guess here - it looks mainly as though you are on the right track, and you are correct: if you do not have access to the root, then you must target the crossdomain.xml location as you have specified.
    the one thing i don't see that you have listed here is a call to:
    Security.allowDomain("www.external.com");
    which *might* be the issue

  • Cross domain scripting at run time using local connection flash AS2

    Hi
    I want to do live video streaming using FMS and FMLE in Flash AS2. Suppose 100 users are watching video online and I want to show a message to all 100 users using the LocalConnection.
    If I send a message using a different browser on the same PC then I get the message which was sent from the other swf file, but when I check from another PC the message does not arrive in the receiver swf file.
    Please find the code below.
    receievemovie.swf
    // Code in the receiving SWF file
    this.createTextField("result_txt", 1, 10, 10, 100, 22);
    System.security.allowDomain("*");
    System.security.allowInsecureDomain("*");
    var my_lc:LocalConnection = new LocalConnection();
    my_lc.allowDomain = function(sendingDomain:String) {
        domain_txt.text = sendingDomain;
        return true;
    };
    my_lc.allowDomain = function(sendingDomain:String) {
        return (sendingDomain == "*");
    };
    my_lc.allowInsecureDomain = function(sendingDomain:String) {
        return (sendingDomain == "*");
    };
    my_lc.methodToExecute = function(param1:String) {
        result_txt.text = param1;
        myResult.text = param1;
    };
    my_lc.connect("lc_name");
    sendmovie.swf
    System.security.allowDomain("*");
    System.security.allowInsecureDomain("*");
    var sending_lc:LocalConnection;
    var sending_lc:LocalConnection = new LocalConnection();
    sending_lc.allowDomain = function(sendingDomain:String) {
        return (sendingDomain == "*");
    };
    sending_lc.allowInsecureDomain = function(sendingDomain:String) {
        return (sendingDomain == "*");
    };
    myButton.onRelease = function() {
        sending_lc = new LocalConnection();
        sending_lc.send("lc_name", "methodToExecute", sendMsg.text);
        sendMsg.text = "Message has been sent";
    };
    If you have any other way to do it, please suggest it to me.
    Thanks & regards
    Sunil Kumar

    Hi, go to
    Flash Resources , you can
    find a java application that can serve policy files to resolve this
    problem.

  • Cross-domain service script

    I am working on a site which is utilizing some plug-ins from a another company. An item this other company is providing is a link to an XML file which is generated/updated daily. The owner of the site I am working on wants to have the information within this file visible on his home page in a side bar. If I save the XML file within his site and create the Spry data set, everything works beautifully, but if I create the data set linking to the XML file url, it doesn't work. Because this is information updated daily, I do not want to have to go into this site, save a new XML file and upload it daily. Within the Spry Framework Help in Dreamweaver, I found this:
    "The URL you decide to use (whether absolute or relative) is subject to the browser’s security model, which means that you can only load data from an XML source that is on the same server domain as the HTML page you’re linking from. You can avoid this limitation by providing a cross-domain service script. For more information, consult your server administrator."
    I contacted the other company about this cross-domain service script, but they didn't seem to have a solution. I have no idea where to begin or what to do to resolve this. Any suggestions are most appreciated.
    Thanks,
    A

    "Crossdomain script" might be the wrong term for your solution here. What
    you basically need is a script on your server that makes the request to the
    cross-domain server. This script will get / read your required XML
    file and just print its contents with the correct header. These
    scripts are also known as proxy scripts. For example, a script like
    this: http://www.phpfour.com/blog/2008/03/cross-domain-ajax-using-php/
    Hope this helps.

  • Cross-frame scripting is not working in Safari 3.0.4. Minimal example code.

    Hello,
    I've found that cross-frame scripting is not working in Safari 3.0.4, as it worked
    ok on Safari 3.0.1, and in other browsers I tried: Firefox, Mozilla, IE.
    document.domain property is set to "ds2ps.net", correctly to the best of my knowledge
    in the frameset and in both frames. Both frames and frameset are loaded
    from subdomains of the same domain "ds2ps.net"
    Please have a look at this minimal example:
    http://frameset.ds2ps.net/frames-test/frameset.html
    Press buttons to get alert with value of a variable defined in the frameset
    and in the first frame.
    This gives "undefined" in Safari 3.0.4, and gives the following message in the Safari
    JavaScript console:
    Unsafe JavaScript attempt to access frame with URL http://frameset.ds2ps.net/frames-test/frameset.html from frame with URL http://frame2.ds2ps.net/frames-test/frame2.html. Domains, protocols and ports must match.
    Works ok in all other browsers and in earlier versions of Safari.
    Apparently, I'm doing something incorrectly.
    I would appreciate if Apple Safari developers have a look at this problem and suggest solution.
    My company is developing web application which depends on cross-frame scripting,
    and we would like to continue supporting Safari browser.
    Thank you,
    John

    Thank you, iBod,
    We've submitted this bug at http://bugs.webkit.org
    Bug 16444: Cross-frame scripting not working in Safari 3.0.4 despite proper document.domain set in all frames
    Thank you for your suggestion!

  • Cross Domain Trust Error, while opening the infopath in sharepoint list.

    Dear All,
    Facing some issue in
    Environment:
    Windows = Windows Server 2008
    SharePoint = SharePoint Server 2013
    Project Server = Project Server 2013
    InfoPath = InfoPath Designer 2013
    Detailed:
    I have a SharePoint environment with Project Server, in which I have created a task list in my project site and then customized that form using InfoPath. There is one column named "Product Name" in my task list, which is a drop-down menu; in that menu
    I want to show all the project names which are created in the PWA site. For that I made the external data connection to my SQL Server, selected my desired table from it, and also configured my column data, i.e. Product Name, and published it to my
    site. Now when I open that form it prompts the error
    "The form cannot be submitted because this action would violate cross-domain restrictions. 
    If this form template is published to a SharePoint document library, cross-domain access for user form templates must be enabled
    under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection. 
    If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection
    settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint Central Administration ."
    Oops!
    Then I started googling it and found a couple of solutions, listed below:
    1. Enable the cross domain authenticated in Central Admin –> General Application Settings –> Configure InfoPath Form Services (Done)
    2. I created the data connection library in my site collection, which is the PWA site. After that I went to InfoPath, created the data connection, chose
    Convert to Connection File and entered the URL of the data connection library,
    and it prompted the error "the specified url is not a data connection library and enter the correct filename" (I don't remember the exact error description at the moment).
    So that is everything. Kindly suggest any step which I missed or any solution that resolves this issue.
    Thanks
    REGARDS DANISH DANIE

    it seems the data-seed failed in your dehydration store.
    so i would check if user orabple exists in your db (pw is orabpel) .. and recreate the schema by executing the following script (based on your db)
    orabpel\system\database\scripts\domain_oracle.ddl
    hth clemens

  • Load XML file from addon domain without cross-domain Policy file

    Hello.
    Assuming that there are two addon domains on the same server: /public_html/domain1.com       and      /public_html/domain2.com
    I try to load XML file from domain2.com into domain1.com without using cross-domain policy file (since it doesn’t work on xml files in my case).
    So the idea is to use php file in order to load XML and read it back to flash.
    I’ve found an interesting scripts that seems to do the job but unfortunately I can't get it to work. In my opinion there is somewhere problem with AS3 part. Please take a look.
    Here are the AS3/PHP scripts:
    AS3 (.swf in www.domain1.com):
    // location of the xml that you would like to load, full http address
    var xmlLoc:String = "http://www.domain2.com/MyFile.xml";
    // location of the php xml grabber file, in relation to the .swf
    var phpLoc:String = "loadXML.php";
    var xml:XML;
    var loader:URLLoader = new URLLoader();
    var request:URLRequest = new URLRequest(phpLoc+"?location="+escape(xmlLoc) );
    loader.addEventListener(Event.COMPLETE, onXMLLoaded);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onIOErrorHandler);
    loader.load(request);
    function onIOErrorHandler(e:IOErrorEvent):void {
        trace("There was an error with the xml file "+e);
    }
    function onXMLLoaded(e:Event):void {
        trace("the rss feed has been loaded");
        xml = new XML(loader.data);
        // set to string, since it is passed back from php as an object
        xml = XML(xml.toString());
        xml_txt.text = xml;
    }
    PHP (loadXML.php in www.domain1.com):
    <?php
    header("Content-type: text/xml");
    $location = "";
    if(isset($_GET["location"])) {
        $location = $_GET["location"];
        $location = urldecode($location);
    }
    $xml_string = getData($location);
    // pass the fetched XML back to Flash
    echo $xml_string;
    //cURLs a URL and returns it
    function getData($query) {
        // create curl resource
        $ch = curl_init();
        // cURL url
        curl_setopt($ch, CURLOPT_URL, $query);
        // verify the remote server's TLS certificate on https URLs
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        // return the response body as a string instead of printing it
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // execute the request and keep the raw response body
        $result = curl_exec($ch);
        // close curl resource to free up system resources
        curl_close($ch);
        return $result;
    }
    ?>

    I think you might be right about permissions/settings on the server for php. Unfortunately I'm not allowed to adjust them.
    So I wrote my own script - this time I used file path instead of http address of the XML file.  It works fine in my case.
    Here it is:
    XML file on domain2.com:
    <?xml version="1.0" encoding="UTF-8"?>
    <gallery>
        <image imagePath="galleries/gallery_1/images/1.jpg" thumbPath="galleries/gallery_1/thumbs/1.jpg" file_name= "1"> </image>
        <image imagePath="galleries/gallery_1/images/2.jpg" thumbPath="galleries/gallery_1/thumbs/2.jpg" file_name= "2"> </image>
        <image imagePath="galleries/gallery_1/images/3.jpg" thumbPath="galleries/gallery_1/thumbs/3.jpg" file_name= "3"> </image>
    </gallery>
    swf  on domain1.com:
    var imagesXML:XML;
    var variables:URLVariables = new URLVariables();
    var varURL:URLRequest = new URLRequest("MyPHPfile.php");
    varURL.method = URLRequestMethod.POST;
    varURL.data = variables;
    var MyLoader:URLLoader = new URLLoader;
    MyLoader.dataFormat =URLLoaderDataFormat.VARIABLES;
    MyLoader.addEventListener(Event.COMPLETE, XMLDone);
    MyLoader.load(varURL);
    function XMLDone(event:Event):void {
        var imported_XML:Object = event.target.data.imported_XML;
        imagesXML = new XML(imported_XML);
        MyTextfield_1.text = imagesXML;
        MyTextfield_2.text = imagesXML.image[0].attribute("thumbPath");  // sample reference to attribute "thumbPath" of the first element
    }
    php file on domain1.com:
    <?php
    $xml_file = simplexml_load_file('../../domain2.com/galleries/gallery_1/MyXMLfile.xml');  // directory to XML file on the same server
    $imported_XML = $xml_file->asXML();
    print "imported_XML=" . $imported_XML;
    ?>
    Regards
    PS: for those who read the above discussion: the first and the second script work but you must test which one is better in your situation. The first script will also work between two domains on different servers. No cross domain policy file needed.

  • Cross Domain XML not working

    Greetings,
    I recently obtained two different domains that point to a subdirectory of another domain server. The swf file I created does not show up when I use the domains that are pointing to the subdirectory of the original domain.
    I placed an xml file into the root directory that contains the following code:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*.newdomainname1.com"/>
        <allow-access-from domain="*.newdomainame2.com"/>
    </cross-domain-policy>
    Nothing shows up. Is there something else I need to do make this work? I created the swf file using CS3 - Action Script 2. I tried searching everywhere to see if I'm missing a step, but cannot find anything. Any help would be greatly appreciated.

    I'm still not entirely clear what the problem is.
    Those links to the other domain show 404 errors, which is related to how things are set up on your hosting server for those domains, and nothing to do with flash.
    Are you trying to get the swf at http://www.searecovery.com/ to load data from the other domains? (I can't see it trying to do that, so perhaps not)
    If so you need to add *.searecovery.com to the crossdomain files at the other domains.
    Crossdomain files give flash content (swfs) hosted at one domain access to load data (or grant access to the data of loaded assets) from another domain.
    So you need crossdomain permission if you want a swf hosted at www.danfoss-searecovery.com to load xml data from www.danfosssearecovery.com for example, or to get at the bitmapdata of jpgs loaded from www.danfosssearecovery.com.
    If you just want to host the swf at the other domain, and if it's not loading data from external domains, then you pretty much just need to move copies of the html and swf there along with any external assets it loads (so long as you have used relative urls for loaded assets from within the swf) . If that's what you're trying to do then the issue here is likely to be simply how your hosting environment is set up for the other domains.

  • Cross domain policy file and BitmapData

    Hey guys and gals, I'm having an issue with a Security error
    when trying to access photos from an external site. I have a client
    who is at siteA.com, who wants to load in photos from siteB.com,
    siteC.com, and probably 100 other sites. He has permission to do so
    from the other sites, but doesn't want to go through all the
    trouble of asking each site to post a cross-domain policy file.
    Please correct me if I'm wrong, but the way I understand it is, if
    you want to simply load an image into a Loader object within a swf,
    you're ok, but if you want to access the BitmapData, you will then
    get a security error? My snippet of code that I believe is causing
    the security error is
    public function imageLoaded(e:Event):void {
        var image:Bitmap = Bitmap(e.target.loader.content);
        image.smoothing = true;
        imageContainer.addChild(e.target.loader);
    }
    As you can tell, the reason why I want to access the Bitmap
    itself is to apply smoothing. That is my main concern, I want to be
    able to apply smooth transitions to these pictures that are loaded
    in from external sites. My main goal is to load images externally,
    then apply smooth transitions, so if you know of a way to get
    around the security violations, that would be great. The only
    work-around we have for this is to write a script that will load
    all the images from the external sites onto the local server, as
    this will be less work than getting the cross-domain policy file on
    each server (if that's what it takes). Thanks in advance for
    anybody who can shed some light on the subject.

    If I understand you correctly, a 'helper' swf would be on the
    site where the images are held, much like a cross-domain policy
    file? I don't understand how that would be much different than
    getting the external sites to add a cross-domain policy file on
    their server. It sounds easier to just throw the cross-domain
    policy file on the external site's server with '*' for the path of
    allowed directories to load images from. I'm pretty new to the
    cross-domain security issue, so I'm not sure. I don't understand
    why it's a security risk to access the pixels of an image either...
    anybody know about that? Just trying to figure out where to go from
    here on this project. Thanks for the reply GWD, still looking for
    some more feedback.

  • Integrating Wordpress into Muse need dynamic height based on content with cross domain

    Since Muse doesn't currently support Blogs and Wordpress integration I have decided to use an iFrame.
    My goal is to have the height of the iframe dynamically change based on the content in my Wordpress blog. I understand this is a common issue with frames that are hosted on different domains.
    I am running into having to over compensate with a bunch of deadspace to allow enough room. Alternatively I get the horrible looking scroll bar.
    I have tried using cross site scripting, JQuery and postMessage but am having trouble figuring out how to put the proper code into Muse and Wordpress for them to communicate back and forth.
    Please, any help on this matter would be greatly appreciated.

    Abhishek,
    Thanks for your reply, however, it is not working with Muse. I added the Javascript to the head section and adjusted iframe and it displays as a small square in the upper left hand corner, unable to view the whole page.
    Inserted into head section --
    <script type="text/javascript">
       function resizeIframe(obj) {
          obj.style.height = 0;
          obj.style.height = obj.contentWindow.document.body.scrollHeight + 'px';
       }
    </script>
    inserted as an html object --
    <iframe name="MycoSmooth" src="http://www.mycosmooth.com" frameborder="0" scrolling="no" id="iframe" onload="resizeIframe(this);"></iframe>
    Below is the result:
    The purpose is to have an independent website run the blogging capabilities, since muse doesn't directly support blogging as of yet.
    Since the site is on a different domain, I am running into cross domain issues and it won't get the height of the page. The methods that apparently work use php and I am unsure how that would work in muse, if at all.

  • Portal eventing in a cross domain system

    Hi,
    I am facing a problem in my project. We have both Java web dynpro iviews and ABAP iviews. The portal server is installed in the domain <system>.blrl.sap.corp and the ABAP web dynpro applications are running on the back-end server, which is in the domain <system>.wdf.sap.corp.
    We use portal eventing to navigate from ABAP iviews to Java iviews. But from the portal server, if I click any button (which is supposed to take us to an ABAP iview) it does not open the ABAP iview. But if a portal server is running in the same domain, <system>.wdf.sap.corp, the iviews open correctly.
    Please let me know if you face this problem and the solution exists.
    Kind regards,
    Ramesh.

    Hi
    Currently you have two domains, wdf.sap.corp and blrl.sap.corp. You will not be able to use the portal eventing because this is classed as cross site scripting and is not allowed due to security restrictions of browsers. However, because the two URLs you mentioned are in the same sub-domain, sap.corp, then there is a work around. You will have to relax the domain of both servers. This is configurable in the portal (although I can't remember from the top of my head). The same would have to be done for the environment for the web dynpro applications.
    I hope this helps a little
    D

  • Cross side scripting in Flex

    Hello,
    We are using Flex 3.0 in our project with Java 1.5, and during our security testing (by a tool) we found that Cross side scripting
    can be achieved in Flex. We are able to inject JavaScript inside the parameter AMF.Message.0.null.flex.messaging.messages.CommandMessage.8.clientId. Please let us know how we can solve this
    issue and make our Flex application free of this security issue.
    The following changes were applied to the original request:
    Injected '<script>alert(56180)</script>' into parameter 'AMF.Message.0.null.flex.messaging.messages.CommandMessage.8.clientId's value
    Set cookie 'JSESSIONID's value to '6A0BA588B3E2663A842C9A495CFC69F9'
    Set cookie 'MODCASID's value to 'XfUjTlYJ4atZwnmN2ziB88V1yYuvggHb9CKOIAFHy088F6ByRcAfLUfA8ZTAO0K89g7WHLhl9cgZHYN9wloSWunlhn mOKaWxBb0e1B6InG3tIKoUwXRhBUESdfGxGP3WIzGiPAmub0J8sTqgGH0LecYjTVJIGiVYaD13cENpMJngYk5n8UBG Y5dJpFfBYMO...(33 characters more)'
    Set cookie 'WT_ST_FPC=id's value to '243135f022bc4984bcc1346284111474:lv=1346284111474:ss=1346284111474'
    Set HTTP header to '6A0BA588B3E2663A842C9A495CFC69F9; MODCASID=XfUjTlYJ4atZwnmN2ziB88V1yYuvggHb9CKOIAFHy088F6ByRcAfLUfA8ZTAO0K89g7WHLhl9cgZHYN9 wloSWunlhnmOKaWxBb0e1B6InG3tIKoUwXRhBUESdfGxGP3WIzGiPAmub0J...(31 characters more)'
    New request and response
    POST /esample/messagebroker/amfsecure?a=1 HTTP/1.1
    Cookie: WT_ST_FPC=id=2cc27004653f1b51cbf1346285874746:lv=1346285874746:ss=1346285874746; MODCASID=MHAPkwaeif8fDqMKnnrjFad8J0rQYAVYUBiufXADkB4w0Zb1HAAF0LYAz3m7WD8cEWJ4E5An3FFDdoqV U58jYuOvh2W5HvIiGzDOAmtb7gLYUzcZbaFayFUX8qvHQB0068bVohDPBnHzFbR2LXpT9B0tdDYbCq30uDPuBc00pO 5Z92cJTaQFeigxOnj2D2PB5OqqrwHeHC5bq0glVBvUvMIYUiM5ipJAkPiQ0lblZlP809ln84NjSUHNP2McbFgC3Dsy 0RDmsc9AUuCBAiyBWJBLmzM08rDNNqm25a9BDsB3u81UheSJbZBCuHSmfyTCIykCnFErjFnJ5EqinmLyEjbVl3b04v ToKs9Xqf0kjr4ESYPIBkLpdWaCjUEAuD98EcfeLPYW8aZVBXx; JSESSIONID=8BEE6BEA5DD8D17D663DEFB2B3C56D0E
    Content-Length: 307
    Accept: */*
    Accept-Language: en-US
    Referer: https://XXX/YYY/html/swf/bin/abc.swf
    x-flash-version: 11,1,102,55
    Content-Type: application/x-amf
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MS-RTC LM 8)
    Host: qa-my.st.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    _   _ _null _/1  __
    ?_Mflex.messaging.messages.CommandMessage_operation_correlationId_timeToLive_destination_m essageId_headers                body_timestamp_clientId_____ ___I415752AC-037C-B994-6A8B-70D83D552A6C
    __%DSMessagingVersion__               DSId_I3C7FD548-C11C-23D5-4A69-5DD471350E15_
    ___ _;<script>alert(56180)</script>
    HTTP/1.1 200 OK
    Content-Length: 186
    Connection: Keep-Alive
    Date: Thu, 30 Aug 2012 05:48:06 GMT
    Server: Apache-Coyote/1.1
    X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0
    Content-Type: application/x-amf
    _   _ _/1/onResult  ????_
    __DSK?__;<script>alert(56180)</script>
    #_            DSId%DSMessagingVersion_I3C7FD548-C11C-23D5-4A69-5DD471350E15_??      _Bs?a'?  _!IC ??_J!??.D?4??__!AWR?_|??j?p?=U*l
    Thanks,
    Amit

    Hi,
    Please refer to the article:
    http://blogs.msdn.com/b/how24/archive/2013/05/28/cross-site-scripting-sharepoint-apps-app-parts-and-office-365.aspx
    “Since the release of SharePoint 2013 adding OData support, expanding the RESTful services and empowering the CSOM (Client side object model). Also with the addition of the Content by search web part. There are times where you will need to
    execute cross site queries or queries across multiple domains. For that Microsoft has introduced the ‘Cross-domain library (SP.RequestExecutor.js)’.”
    Please also check the thread below:
    http://social.technet.microsoft.com/Forums/en-US/29e47d18-30f6-4f15-b054-4a03f7ba5156/microsoft-windows-mhtml-crosssite-scripting-and-sharepoint-2013?forum=sharepointgeneral 
    QUOTE: “SharePoint 2013 is different from its predecessor because its already have the XSS prevention method built-in. but it is not closed the probability that the threat is gone for good, so please to keep your SharePoint environment updated by the
    latest cumulative update.”
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Download to excel on grid generates url with Cross Site Scripting Attack

    When we try to download to Excel on a grid (8.50.18), the web server comes back with an automatically generated URL. This URL now contains the characters "%0d%0a" (CR/LF).
    Our firewall/proxy server detects this string in the URL as a Cross Site Scripting Attack (XSS) and fails to show the Excel.
    This happens in all our environments (so it is not dependent on the domain name).
    Does anyone know a solution for this problem?

    It seems to be a known bug, starting from 8.50.14 and solved with 8.50.19 (also in 8.51xx).
    Unfortunately we are on 8.50.18. It's bad timing now to update our environment.
    It seems that psppr.dll is doing the job, but replacing ours with the 8.50.19 one leaves our domains unstartable.
    I guess we have to ask our network techies to make an exception rule in our internal network/firewall to allow it.
    Detlev

  • Oracle maps cross domains

    Hello everyone,
    I am facing the following issue. I have mapviewer deployed on a serverA and a web app deployed on serverB.
    Then I call the mapviewer FOI server from the app of serverB and I get the following error message:
    *[MVThemeBasedFOIControl.foiLoaded] mapviewer-05523 cannot process response from mapviewer server. (<?xml version="1.0" encoding="UTF-8" ?> <oms_error> Requests are not allowed to be sent to this remote target URL via proxy servlet. (http://172.31.128.50/mapviewer/foi)</oms_error>)*
    I am using mapviewer Ajax API version Ver11_1_1_5_B110527.
    Has anyone experienced such an error?

    Ok lads,
    Seems I found the solution. Following the instructions from this post [http://oraclemaps.blogspot.com/2008/09/cross-domain-oracle-maps-scripting.html] I have 90% the solution.
    What also needs to be done is to pass the url of serverB to the mapviewer configuration file of serverA in the section <proxy_enabled_hosts>.
    At least this works for me.
