Cross site scripting in Flex

Hello,
We are using Flex 3.0 in our project with Java 1.5, and during our security testing (by a tool) we found that cross site scripting
can be achieved in Flex. We are able to inject JavaScript inside the parameter AMF.Message.0.null.flex.messaging.messages.CommandMessage.8.clientId. Please let us know how we can solve this
issue and make our Flex application free of this security issue.
The following changes were applied to the original request:
Injected '<script>alert(56180)</script>' into parameter 'AMF.Message.0.null.flex.messaging.messages.CommandMessage.8.clientId's value
Set cookie 'JSESSIONID's value to '6A0BA588B3E2663A842C9A495CFC69F9'
Set cookie 'MODCASID's value to 'XfUjTlYJ4atZwnmN2ziB88V1yYuvggHb9CKOIAFHy088F6ByRcAfLUfA8ZTAO0K89g7WHLhl9cgZHYN9wloSWunlhn mOKaWxBb0e1B6InG3tIKoUwXRhBUESdfGxGP3WIzGiPAmub0J8sTqgGH0LecYjTVJIGiVYaD13cENpMJngYk5n8UBG Y5dJpFfBYMO...(33 characters more)'
Set cookie 'WT_ST_FPC=id's value to '243135f022bc4984bcc1346284111474:lv=1346284111474:ss=1346284111474'
Set HTTP header to '6A0BA588B3E2663A842C9A495CFC69F9; MODCASID=XfUjTlYJ4atZwnmN2ziB88V1yYuvggHb9CKOIAFHy088F6ByRcAfLUfA8ZTAO0K89g7WHLhl9cgZHYN9 wloSWunlhnmOKaWxBb0e1B6InG3tIKoUwXRhBUESdfGxGP3WIzGiPAmub0J...(31 characters more)'
New request and response
POST /esample/messagebroker/amfsecure?a=1 HTTP/1.1
Cookie: WT_ST_FPC=id=2cc27004653f1b51cbf1346285874746:lv=1346285874746:ss=1346285874746; MODCASID=MHAPkwaeif8fDqMKnnrjFad8J0rQYAVYUBiufXADkB4w0Zb1HAAF0LYAz3m7WD8cEWJ4E5An3FFDdoqV U58jYuOvh2W5HvIiGzDOAmtb7gLYUzcZbaFayFUX8qvHQB0068bVohDPBnHzFbR2LXpT9B0tdDYbCq30uDPuBc00pO 5Z92cJTaQFeigxOnj2D2PB5OqqrwHeHC5bq0glVBvUvMIYUiM5ipJAkPiQ0lblZlP809ln84NjSUHNP2McbFgC3Dsy 0RDmsc9AUuCBAiyBWJBLmzM08rDNNqm25a9BDsB3u81UheSJbZBCuHSmfyTCIykCnFErjFnJ5EqinmLyEjbVl3b04v ToKs9Xqf0kjr4ESYPIBkLpdWaCjUEAuD98EcfeLPYW8aZVBXx; JSESSIONID=8BEE6BEA5DD8D17D663DEFB2B3C56D0E
Content-Length: 307
Accept: */*
Accept-Language: en-US
Referer: https://XXX/YYY/html/swf/bin/abc.swf
x-flash-version: 11,1,102,55
Content-Type: application/x-amf
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MS-RTC LM 8)
Host: qa-my.st.com
Connection: Keep-Alive
Cache-Control: no-cache
_   _ _null _/1  __
?_Mflex.messaging.messages.CommandMessage_operation_correlationId_timeToLive_destination_m essageId_headers                body_timestamp_clientId_____ ___I415752AC-037C-B994-6A8B-70D83D552A6C
__%DSMessagingVersion__               DSId_I3C7FD548-C11C-23D5-4A69-5DD471350E15_
___ _;<script>alert(56180)</script>
HTTP/1.1 200 OK
Content-Length: 186
Connection: Keep-Alive
Date: Thu, 30 Aug 2012 05:48:06 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0
Content-Type: application/x-amf
_   _ _/1/onResult  ????_
__DSK?__;<script>alert(56180)</script>
#_            DSId%DSMessagingVersion_I3C7FD548-C11C-23D5-4A69-5DD471350E15_??      _Bs?a'?  _!IC ??_J!??.D?4??__!AWR?_|??j?p?=U*l
Thanks,
Amit
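As an added example (not code from the original post, Flex or BlazeDS), the two defensive checks the finding above calls for, in the Java the poster's backend runs: allow-list validation of the client-supplied clientId before it is echoed in the onResult response, and HTML output encoding for any echoed value that does reach an HTML context. The hook point resolveClientId, which receives the already-decoded clientId string, is assumed.

```java
import java.util.UUID;
import java.util.regex.Pattern;

/*
 * Added example, not code from the original post, Adobe Flex or BlazeDS.
 * resolveClientId is an assumed hook: it stands in for the point where the
 * server decides which clientId goes into the AMF onResult response.
 */
public final class AmfClientIdHardening {

    /* Legitimate ids in the captured traffic are UUIDs such as
     * 415752AC-037C-B994-6A8B-70D83D552A6C: 8-4-4-4-12 hex digits. */
    private static final Pattern CLIENT_ID =
        Pattern.compile("^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$");

    private AmfClientIdHardening() {}

    /** True only for a well-formed UUID-style clientId. */
    public static boolean isWellFormedClientId(String id) {
        return id != null && CLIENT_ID.matcher(id).matches();
    }

    /**
     * Decide which clientId to put in the response.
     * A first CommandMessage legitimately carries no clientId yet, so an
     * empty value gets a freshly generated one; a value that is present but
     * malformed is rejected instead of being reflected back to the client.
     */
    public static String resolveClientId(String requested) {
        if (requested == null || requested.length() == 0) {
            return UUID.randomUUID().toString().toUpperCase();
        }
        if (!isWellFormedClientId(requested)) {
            throw new IllegalArgumentException("rejected malformed clientId");
        }
        return requested;
    }

    /** Minimal HTML entity encoding for values rendered into an HTML body. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String legit = "415752AC-037C-B994-6A8B-70D83D552A6C"; // from the capture
        String payload = "<script>alert(56180)</script>";     // the scanner's injection

        System.out.println(resolveClientId(legit));           // echoed unchanged
        System.out.println(resolveClientId(""));              // fresh server-side id
        try {
            resolveClientId(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // If a client-controlled value must reach an HTML context anyway,
        // encode it at that point rather than trusting the AMF layer.
        System.out.println(escapeHtml(payload));
    }
}
```

The legitimate ids in the capture are 36-character UUIDs; the 'I' that precedes them in the dump is the AMF3 length byte for a 36-character string (0x49), not part of the id. Note also that the response is served as application/x-amf, which a browser does not render as HTML, so the reflection only becomes exploitable where the Flash client hands the value on to HTML or JavaScript.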

Hi,
Please refer to the article:
http://blogs.msdn.com/b/how24/archive/2013/05/28/cross-site-scripting-sharepoint-apps-app-parts-and-office-365.aspx
“Since the release of SharePoint 2013 adding OData support, expanding the RESTful services and empowering the CSOM (Client side object model). Also with the addition of the Content by search web part. There are times where you will need to
execute cross site queries or queries across multiple domains. For that Microsoft has introduced the ‘Cross-domain library (SP.RequestExecutor.js)’.”
Please also check the thread below:
http://social.technet.microsoft.com/Forums/en-US/29e47d18-30f6-4f15-b054-4a03f7ba5156/microsoft-windows-mhtml-crosssite-scripting-and-sharepoint-2013?forum=sharepointgeneral 
QUOTE: “SharePoint 2013 is different from its predecessor because it already has the XSS prevention method built in, but that does not mean the threat is gone for good, so please keep your SharePoint environment updated with the
latest cumulative update.”
Regards,
Rebecca Tu
TechNet Community Support

Similar Messages

  • Cross-frame scripting is not working in Safari 3.0.4. Minimal example code.

    Hello,
    I've found that cross-frame scripting is not working in Safari 3.0.4, as it worked
    ok on Safari 3.0.1, and in other browsers I tried: Firefox, Mozilla, IE.
    document.domain property is set to "ds2ps.net", correctly to the best of my knowledge
    in the frameset and in both frames. Both frames and frameset are loaded
    from subdomains of the same domain "ds2ps.net"
    Please have a look at this minimal example:
    http://frameset.ds2ps.net/frames-test/frameset.html
    Press buttons to get alert with value of a variable defined in the frameset
    and in the first frame.
    This gives "undefined" in Safari 3.0.4, and gives the following message in the Safari
    JavaScript console:
    Unsafe JavaScript attempt to access frame with URL http://frameset.ds2ps.net/frames-test/frameset.html from frame with URL http://frame2.ds2ps.net/frames-test/frame2.html. Domains, protocols and ports must match.
    Works ok in all other browsers and in earlier versions of Safari.
    Apparently, I'm doing something incorrectly.
    I would appreciate it if Apple Safari developers would have a look at this problem and suggest a solution.
    My company is developing a web application which depends on cross-frame scripting,
    and we would like to continue supporting Safari browser.
    Thank you,
    John

    Thank you, iBod,
    We've submitted this bug at http://bugs.webkit.org
    Bug 16444: Cross-frame scripting not working in Safari 3.0.4 despite proper document.domain set in all frames
    Thank you for your suggestion!

  • CS3 (WIN) Cross referencing script

    Today I downloaded a cross-referencing script created by Teus de Jong, and I have found it to be of great use, but when it comes to using the script with linked and formatted copy (Word) and tables (Excel), it does not work (destinations are lost). Is there a workaround for this situation besides typing copy directly into InDesign and setting up hyperlinks? It is essential that I'm able to update links, as my catalog production cycle nearly always requires it, and when pages are moved, deleted, etc., it takes a lot of time to update figure and page references in linked files.
    Thanks,
    Pat

    Teus has got me set up with a script that works great. With the script, I am able to type a reference to a destination created in InDesign, and when the script runs, it inputs and updates page numbers for figures, etc. Now I can make as many references to anything I want to in InDesign via Word, and page numbers are input as necessary. If pages are added or removed, or if a figure (destination) is moved, all I have to do is run the script again and all is made current.
    I am not at liberty to redistribute the script per Teus' request, but I would like to refer anyone to Teus' web site where he can be reached (http://www.teusdejong.nl/).

  • Error 408 on saving server side script

    When I save my server side scripts via the azure portal I receive an error 408 on one of my mobile services account. The same problem occurs when trying to create a new custom api, for example:
    The following API was not created: 'user'. Error 408
    At first I thought there was a problem with the azure service, but it seems to only occur on this one specific mobile service. I think it started after I added a dependency to the package.json file. But that could have been coincidence. The exact same dependency
    doesn't cause any problems on another mobile service.
    Looking at the deployment logs I do see an error occurred during deployment, however I have no idea what caused it:
    <entry time="2015-01-13T15:52:18.9642615Z" id="1223e0a4-bb6a-4cb1-938e-835ad4cf4761" type="1">
    <message>npm http 304 https://registry.npmjs.org/delayed-stream/0.0.5</message>
    </entry>
    <entry time="2015-01-13T15:52:20.3087714Z" id="8f7719a5-aa24-4743-8240-446dc47b69a9" type="1">
    <message>npm ERR! error rolling back Error: ENOTEMPTY, rmdir 'D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\hawk\images'</message>
    </entry>
    <entry time="2015-01-13T15:52:20.3869327Z" id="8ede872b-daab-4127-bc72-bfb890dc7648" type="1">
    <message>npm ERR! error rolling back [email protected] { [Error: ENOTEMPTY, rmdir 'D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\hawk\images']</message>
    </entry>
    <entry time="2015-01-13T15:52:20.511891Z" id="47245fe1-ad7d-4e99-a467-75dd9fa18232" type="1">
    <message>npm ERR! error rolling back errno: 53,</message>
    </entry>
    <entry time="2015-01-13T15:52:21.8254287Z" id="9288c66b-d8bb-4179-82fd-02b08546d507" type="1">
    <message>npm ERR! error rolling back code: 'ENOTEMPTY',</message>
    </entry>
    <entry time="2015-01-13T15:52:23.7804257Z" id="c23a4cc5-e497-4b8c-84fc-0c6c304ff29a" type="1">
    <message>npm ERR! error rolling back path: 'D:\\home\\site\\wwwroot\\App_Data\\config\\scripts\\node_modules\\azure\\node_modules\\request\\node_modules\\hawk\\images' }</message>
    </entry>
    <entry time="2015-01-13T15:52:23.9366651Z" id="a14fdc0d-be4d-4b14-a479-ffa6a36e36b7" type="1">
    <message>npm ERR! Error: ENOENT, lstat 'D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\hawk\images\logo.png'</message>
    </entry>
    <entry time="2015-01-13T15:52:23.9679168Z" id="337c4826-caff-4d99-9f92-5464ce8cc99a" type="1">
    <message>npm ERR! If you need help, you may report this log at:</message>
    </entry>
    <entry time="2015-01-13T15:52:23.9835398Z" id="46ecc393-37b3-4cf9-a859-12f76f9c030a" type="1">
    <message>npm ERR! &lt;http://github.com/isaacs/npm/issues&gt;</message>
    </entry>
    <entry time="2015-01-13T15:52:23.999164Z" id="5fac5a33-7872-4ec8-9e0b-ce9c9f240ed4" type="1">
    <message>npm ERR! or email it to:</message>
    </entry>
    <entry time="2015-01-13T15:52:24.0304132Z" id="2224019c-bfbf-48a6-90ff-59680d7e6047" type="1">
    <message>npm ERR! &lt;[email protected]&gt;</message>
    </entry>
    <entry time="2015-01-13T15:52:24.0460472Z" id="ea8d4851-85e1-48cf-91f7-6be16a597af1" type="1">
    <message></message>
    </entry>
    <entry time="2015-01-13T15:52:24.0616631Z" id="09eaab34-9f11-496c-8f50-309bdc314c96" type="1">
    <message>npm ERR! System Windows_NT 6.2.9200</message>
    </entry>
    <entry time="2015-01-13T15:52:24.0929218Z" id="d646da46-b3b2-4379-8d44-a735cb0a9907" type="1">
    <message>npm ERR! command "D:\\Program Files (x86)\\nodejs\\0.10.32\\node.exe" "D:\\Program Files (x86)\\npm\\1.2.30\\node_modules\\npm\\bin\\npm-cli.js" "install" "--production"</message>
    </entry>
    <entry time="2015-01-13T15:52:24.1085411Z" id="d60966f6-446f-49a8-97fc-0f38c27a8ba3" type="1">
    <message>npm ERR! cwd D:\home\site\wwwroot\App_Data\config\scripts</message>
    </entry>
    <entry time="2015-01-13T15:52:24.1241618Z" id="10815e3a-3e4c-48c7-aac1-1c3cb5252505" type="1">
    <message>npm ERR! node -v v0.10.32</message>
    </entry>
    <entry time="2015-01-13T15:52:24.1554232Z" id="0de65cd4-815b-4c3f-a31f-167c1e152d07" type="1">
    <message>npm ERR! npm -v 1.2.30</message>
    </entry>
    <entry time="2015-01-13T15:52:24.1710425Z" id="0f993ac5-8cfb-494e-8982-d998020886c0" type="1">
    <message>npm ERR! path D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\hawk\images\logo.png</message>
    </entry>
    <entry time="2015-01-13T15:52:24.1866604Z" id="0caad3ad-2379-4fe3-845e-3399eddb616e" type="1">
    <message>npm ERR! fstream_path D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\hawk\images\logo.png</message>
    </entry>
    <entry time="2015-01-13T15:52:24.217915Z" id="40d4f06a-bc1c-4f08-b4df-77d873ee9170" type="1">
    <message>npm ERR! fstream_type File</message>
    </entry>
    <entry time="2015-01-13T15:52:24.2335402Z" id="5a4b280b-b082-4d82-9575-f8cb178b9745" type="1">
    <message>npm ERR! fstream_class FileWriter</message>
    </entry>
    <entry time="2015-01-13T15:52:24.2491849Z" id="2703e3b8-4590-4ff5-888d-b3a7843b2bf6" type="1">
    <message>npm ERR! code ENOENT</message>
    </entry>
    <entry time="2015-01-13T15:52:24.2804115Z" id="e3202f5b-5f42-4494-8b1c-d86a5884f1e0" type="1">
    <message>npm ERR! errno 34</message>
    </entry>
    <entry time="2015-01-13T15:52:24.2960331Z" id="fe0a0140-4cd3-4102-8197-d569d299e967" type="1">
    <message>npm ERR! fstream_stack D:\Program Files (x86)\npm\1.2.30\node_modules\npm\node_modules\fstream\lib\writer.js:284:26</message>
    </entry>
    <entry time="2015-01-13T15:52:24.3116669Z" id="07059322-a9ce-420f-bde4-850cd4527447" type="1">
    <message>npm ERR! fstream_stack Object.oncomplete (fs.js:107:15)</message>
    </entry>
    <entry time="2015-01-13T15:52:24.3429074Z" id="69129620-b805-4c22-8fb3-cefbe08d66d4" type="1">
    <message>npm ERR! Error: EPERM, chmod 'D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\form-data\node_modules\combined-stream\node_modules\delayed-stream\lib\delayed_stream.js'</message>
    </entry>
    <entry time="2015-01-13T15:52:24.3585325Z" id="84ca01c0-06d9-48b6-9e57-703dd29718f2" type="1">
    <message>npm ERR! { [Error: EPERM, chmod 'D:\home\site\wwwroot\App_Data\config\scripts\node_modules\azure\node_modules\request\node_modules\form-data\node_modules\combined-stream\node_modules\delayed-stream\lib\delayed_stream.js']</message>
    </entry>
    <entry time="2015-01-13T15:52:24.3741576Z" id="d86b04ac-7bf3-4388-8ee3-d97d7e296302" type="1">
    <message>npm ERR! errno: 50,</message>
    </entry>
    <entry time="2015-01-13T15:52:24.4054063Z" id="f6143c63-fe6d-48f4-b734-a52fe92e8f5a" type="1">
    <message>npm ERR! code: 'EPERM',</message>
    </entry>
    <entry time="2015-01-13T15:52:24.421031Z" id="455275dd-3b61-41de-b987-7e56ee68bc05" type="1">
    <message>npm ERR! path: 'D:\\home\\site\\wwwroot\\App_Data\\config\\scripts\\node_modules\\azure\\node_modules\\request\\node_modules\\form-data\\node_modules\\combined-stream\\node_modules\\delayed-stream\\lib\\delayed_stream.js',</message>
    </entry>
    <entry time="2015-01-13T15:52:24.4522803Z" id="980e3f64-1dc2-4a91-85a8-9b0349f93517" type="1">
    <message>npm ERR! fstream_finish_call: 'chmod',</message>
    </entry>
    I've been trying to save my scripts for the better part of a day, so any help would be greatly appreciated.

    Second day and I still can't save my scripts and thus not able to continue my work. Is there anyone from microsoft that could shed some light on this problem? For some reason adding dependencies to the node.js project stops it from being able to deploy.

  • DOM Based Cross-Site Scripting issue in RoboHelp 10

    We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.
    I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
    Thanks

    Hi,
    I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
    I’ll ask around about this security issue.
    Greet,
    Willam

  • Cross-site scripting vulnerability RoboHelp 10 version

    Has the cross-site scripting vulnerability been addressed in the RoboHelp 10 version?

    To the best of my knowledge it was addressed in Rh9. Rh10 has an HTML5 output option that does not use frames.
    However, if security is a concern, then only a security expert can give you the assurance you require.
    Personally I have yet to hear of webhelp being used maliciously but that does not mean it hasn't happened.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Due to the presence of characters known to be used in Cross Site Scripting

    I am getting following error when I try to send single quote as part of URL. I tried javascript escape to encode the URL. But still getting same error. Does anybody know workaround for the issue. Thanks
    Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
    403: Access Forbidden
    Your client is not allowed to access the requested object

    FYI. We are using IIS Webserver and Weblogic Appserver.
    When the page is accessed through Weblogic, the cross site scripting error does not occur. It happens when the page is rendered via IIS.

  • Can we access popularity trends using client side script?

    Hi, 
     I have a requirement to show the hit count for my image library's item(s). Whenever I open an image from the image library, I just want to show the hit count. For this I have created a Number column and I update this column by using CSOM
    whenever a hit happens on that particular item.
    The problem arises here: for visitors (who have read-only permission to the site) I am not able to update the column due to a permission issue, since we all know that we can't elevate privileges from client-side script. And also our design says that we
    can't give the contribute permission to all the users at the library level. How can we update the count at item level even when visitors are opening an item from the image library?
    Please help me... 
    Thanks in advance
    Sekar - Our life is short, so help others to grow

    972454 wrote:
    can we access 11gr2 oracle using 11g r1 OWB Client? NO .. Oracle 11gR2 db is accessible only from OWB11gR2 client
    we have 11g r1 database installed on our machine, and 11g r2 OWB client on other machine.
    Please help. we are unable to connect.
    Sorry this is different from your 1st question.
    For your information OWB11gR2 client can access 11g r1 database
    Regards
    Gaurav

  • Does URL Services support client side script?

    My ASP page is built as a portlet, and displays fine but it
    won't submit. When I view the Source in my browser, Portal
    didn't include any of my client side vbscript script; the html
    is there but everything else is missing....
    Question: Does URLServices support client-side VBScript?
    I am using some vbscript for validation purposes and then
    using the document.ChangePassword.submit() to submit the
    form.
    If URLServices doesn't support it, then URLServices is totally
    useless... Everyone uses some kind of client-side script to
    validate the form!

    Hi Rea,
    Per my understanding you want to know some information about using Visual Studio to do the debugging, right?
    For example, if you want to debug a customized extension for SQL Server Reporting Services (SSRS) in Visual Studio, you can attach the process to ReportingServicesService. We need to check the items "Show processes from all users" and "Show
    processes in all sessions" to show the "ReportingServicesService.exe" process.
    Additionally, please make sure the customized extension is invoked in Reporting Services (make sure all configurations are set correctly), otherwise we won't be able to hit the breakpoint. More detailed information is in this article for your reference: Start
    a debugging session for a Store app in Visual Studio (VB, C#, C++ and XAML)
    You can also add the debugger keyword in the code, see
    Debug JavaScript and jQuery using Visual Studio in Internet Explorer browser
    Similar thread below for your reference:
    https://social.msdn.microsoft.com/Forums/sqlserver/en-us/df9dfaab-59af-4a85-916c-ef9e11e07071/debug-custom-net-assembly-in-context-of-sql-reporting-server-2008?forum=sqlreportingservices
    If you still have any problem, please feel free to ask.
    Regards
    Vicky Liu

  • Server side script not running on stand-alone XE

    Hello,
    In my application I created a Server side script (AJAX) which presents a select-list based on other fields on the page. The very same application runs on a 10g+APEX3.0.1 database AND on a standard XE+APEX2.1 database, which are both accessed via a HTTP-server. The application with the script runs fine on this platform (XP).
    I have two other XP-machines on which I also installed XE+APEX2.1. Both are stand-alone versions NOT accessed via a HTTP-server. I installed exactly the same application which runs on the platform with HTTP server on both of the machines. While testing the correct functioning, I noticed that everything works ok, EXCEPT the server side script which gives me a better select list. Instead of this I get the old-fashioned version of the select-list which is not able to use the value elsewhere on the page.
    I found a similar problem on the XE forum (Re: Server side scripts features ) but it doesn't answer my question how to get the script working on a standalone version of XE (= without access via a HTTP-server).
    Can anybody please help me?
    Thanks & regards,
    Jan.
    Message was edited by: Jan
    J. Hulsing

    Carl,
    Thanks for your suggestion to install FireFox and the Firebug tool (which I wasn't aware of).
    After having looked at the problem for hours, I found what I think is the problem: the htmldb_html_elements.js script.
    As already mentioned, the properly functioning XE on my local PC is accessed via a HTTP-server, as well as the 10gR2+APEX3.0.1 version also running on that PC.
    On the laptop, not running HTTP-server, I get the message:
    $x is not defined
    f_21_select_kpn(input#P21_GBREKNR 405, "P21_KOSTENPOST")
    onblur(blur)
    That is in the 'Console' of Firebug.
    When changing to Script I do see a remarkable difference.
    On the PC the following text is found in the first lines of htmldb_html_elements.js:
    /*htmld_elements will contain the lower level html access js*/
    var gDebug = true;
    var gkeyPressTime;
    var gLastTab=false;
    var gRegex=false;
    var ie=(document.all)?true:false;
    if(ie){document.expando=true;}
    var gDebugWindow = false;
    /*
    $x functions have to do with either single elements or array of elements
    $v functions have to do with manipulating values or interaction based off a value
    $xml function have to do with manipulating xml values
    $a functions are based on ajax
    $d functions are specific dhtml constructs
    */
    /* begin $x functions */
    function $x(pNd){
    try{
    var node;
    ...
    On the laptop however the first few lines are:
    /*htmld_elements will contain the lower level html access js*/
    var gDebug = true;
    var gkeyPressTime;
    var gLastTab=false;
    var gRegex=false;
    if(document.all){document.expando = true;}
    // Elements //
    function html_GetElement(pNd){
    try{
    var node;
    switch(typeof (pNd)){
    ...
    I think that the difference is in these two scripts.
    But why are the scripts different: it is the same XE that is installed on the laptop and the PC.
    The answer I found in the images/javascript directory of APEX3.0.1 which is located in the APACHE directory-tree (you have to copy the images to APACHE when you use the HTTP-server). And indeed: the htmldb_html_elements.js has exactly the same text as what I see in Firebug on the PC. So XE on the PC is using the javascripts in the image-directory of APACHE on the PC and not the XE-version of the scripts, embedded in XE.
    So the answer seems to be: copy the APEX3.0.1 versions of the script over to the PC and try to get them into the database. Or...???
    Can it be loaded into the database? Will XE accept it?
    Would be nice to have answers if the conclusion I found is the right one and if it can be fixed by loading the js into XE.
    Best regards and thanks for your help so far.
    Jan.

  • Cross-site Scripting Vulnerability OAS-10g/10.1.2.0.0 OHS

    Has anyone confronted the Cross-site scripting Vulnerability with 10g and OHS 10.1.2?
    We are about to put our first APEX box into production, but we need to fix this vulnerability first.
    I did some searching around but failed to come up with anything useful. It could be my searching sucked, too.
    Any thoughts / help / ideas would be greatly appreciated.
    Thanks.

    Hi,
    Do you get this error when you try to run forms configured using OAS 10g 10.2.0.2?
    We run a Web application using OAS 10g 10.2.0.2 and after leaving the application idle, more than half an hour, ora-12152 is displayed and the application is in a deadlock.
    Can you please suggest any solution for the same.
    Should the SQLNET.AUTHENTICATION_SERVICES= (NTS) be commented in sqlnet.ora file.
    Sridharrs

  • Cross site scripting errors in RoboHelp 8.0

    We are using Robohelp 8.02, generating webhelp for a web application. Development just started to use Fortify to identify security vulnerabilities. The Fortify software found 17 Robohelp htm files with cross-site scripting security holes. We are NOT using RoboHelp Server 8.
    Before creating this posting, I searched the forums and found one post from Feb 2010 (Beware -serious - cross site scripting errors in Robohelp 8.0).
    From reading that posting, it appears that an Adobe engineer was involved----I'm not clear on the final outcome for this issue.
    Any additional information on the final resolution of this issue would be helpful.
    Thanks,
    Beware - serious breach - cross site scripting errors in RoboHelp 8.0

    The previous poster indicated that Tulika, who I can confirm is an Adobe engineer, stated "when she reviewed the code that was triggering the Fortify cross site scripting errors, she came to the conclusion that it was not actually harmful." The poster also indicated their opinion was the other errors were minor.
    That seems clear enough so I wonder what value is anything that anyone here can add? The forum responses are from other users and I would have thought any further assurance beyond the above is something your management would want to come from Adobe.
    I have not seen anything on these forums indicating that any attack has been triggered.
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Identifying Flash Player versions 10a, 10b and 10c using client side scripting

    I need to write a client side script to identify users with 10a, 10b or 10c installed, but I only see version 10 (no letters.) Is there a translation between version keys major/minor/revision, and 10a/10b/10c? I want to use the (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash"))) method in conjunction with the javascript.GetVariable("$version") method, and I need to know what values to check for.
    Thanks very much!

    For your information
    Flash10.ocx  / FlDbg10.ocx  = 10.0.2.54   Shipped with CS4
    Flash10a.ocx / FlDbg10a.ocx = 10.0.12.36
    Flash10b.ocx / FlDbg10b.ocx = 10.0.22.87
    Flash10c.ocx / FlDbg10c.ocx = 10.0.32.18
    Flash10d.ocx / FlDbg10d.ocx = 10.0.42.34

  • HTML Tag Injection - Cross Site Scripting

    Hello,
    I have a basic app with JSP pages and Servlets running on Tomcat. I've been told my application is vulnerable to tag injection that could be used for cross site scripting & phishing attacks. What is the best way to prevent these kinds of attacks? Is there something in Java or do I need to add code? Does Tomcat have anything built in to prevent this?
    Thank you!

    If you don't display content from users then you're unlikely to have issues. If you do (even usernames) then you have to clean the input. That's non-trivial and there's no way to automate it for all cases so there's nothing built in to do it.

  • Download to excel on grid generates url with Cross Site Scripting Attack

    When we try to download to Excel on a grid (8.50.18), the webserver comes back with an automatically generated url. This url now contains the characters "%0d%0a" (CR/LF).
    Our firewall/proxy server detects this string in the url as a Cross Site Scripting Attack (XSS) and fails to show the Excel file.
    This happens in all our environments (so not dependent on the domain name).
    Does anyone know a solution for this problem?

    It seems to be a known bug, starting from 8.50.14 and solved with 8.50.19 (also in 8.51xx).
    Unfortunately we are on 8.50.18. It's now bad timing to update our environment.
    It seems that psppr.dll is doing the job, but replacing ours with the 8.50.19 one leaves our domains unstartable.
    I guess we have to ask our network techies to make an exception rule in our internal network/firewall to allow it.......
    Detlev
