HDIV does not exclude params from validation - hdiv

I am using HDIV 2.1.9 with Spring and I have the following config:
<hdiv:paramsWithoutValidation>
    <hdiv:mapping url="/secured/content/*." parameters="data"/>
</hdiv:paramsWithoutValidation>
Under the /secured/content/ URL I have a lot of pages with input text areas named data that are used to store content from HTML JavaScript editors (Summernote). HDIV does not exclude the data parameter from POSTs, and every time I try to save the HTML data an HDIV access exception is produced.
How can I configure HDIV correctly to exclude the data input from validation?
It would be great if HDIV had an option to allow safe HTML text from editors (without script tags or other dangerous XSS code). It is not very flexible to produce an HDIV violation even for inline style tags produced by JavaScript editors. A modern web app almost always contains a text area that allows basic HTML code.

You have disabled integrity validation for these 'data' parameters, but not the editable validation.
Find the docs here: http://www.hdiv.org/hdiv-documentation-single/doc.html#configuration-editabledata
You have to add this config option to disable all validation rules for the given parameters:
<hdiv:editableValidations>
    <hdiv:validationRule url="/secured/content/.*" parameters="data" enableDefaults="false"></hdiv:validationRule>
    More rules...
</hdiv:editableValidations>

Related

Can exams2moodle export additional metainfo such as idnumber and tags?

When I export the xml file of a multiple choice question, it contains the following lines:
<idnumber>arbitrary_id_set_by_user</idnumber>
<answernumbering>ABCD</answernumbering>
<tag></tag>
Is there a way to add idnumber, answernumbering and tag to the meta-information section of the question so that r-exams can export to Moodle XML as <idnumber>idnumber</idnumber>, <answernumbering>ABCD</answernumbering>, <tag>tag1</tag>, <tag>tag2</tag>, etc.?
The <answernumbering> tag can be set in exams2moodle() via the answernumbering= argument, see ?exams2moodle. The reason for this is that this is set in the same way for all exercises in a quiz. This is more consistent than setting it individually and potentially inconsistently in the meta-information of the different exercises.
The <idnumber> tag appears to be used by Moodle only for internal purposes. It is also not mentioned in the official Moodle XML documentation at https://docs.moodle.org/311/en/Moodle_XML_format. Hence we did not implement it in exams2moodle().
The <tag> is currently not supported in exams2moodle() because we felt that it would be more important to have tags in the Rmd (or Rnw) exercise itself and not the Moodle version of the exercise. For structuring the content on the Moodle side the exsection meta-information can be used, see boxhist for a worked example.
Finally, you can add arbitrary metainformation by using the exextra tag. This is used, for example, in the essayreg exercise template. However, there is no general way of using this extra metainformation to insert additional XML code in the exams2moodle() output. To do that, the source code underlying exams2moodle() would have to be adapted correspondingly.

TYPO3 8, Form extension - best practice for custom yaml files

When generating forms with the form module the corresponding yaml files get stored in fileadmin/user_upload.
Now I want to integrate those YAML files into my sitepackage and thus into my CVS. Where is the correct place for them? In the example extension they are stored in Resources/..., while I would think they have to go into Configuration/Yaml.
And how do I configure the form extension to search them in that place?
While it's basically a matter of taste where exactly one saves one's form definitions, I try to separate form configuration and form definitions.
From the official documentation:
[...] the form configuration allows you to define:
- which form elements, finishers, and validators are available,
- how those objects are pre-configured,
- how those objects will be displayed within the frontend and backend.
In contrast, the form definition describes the specific form, including
- all form elements and their corresponding validators,
- the order of the form elements within the form, and
- the finishers which are fired as soon as the form has been submitted.
Furthermore, it defines the concrete values of each property of the mentioned aspects.
So, for more clarity I save all form configuration in a sitepackage under Configuration/Yaml/ and the form definitions under Resources/Private/Forms, neighbouring the templates.
I wrote a full tutorial on how to use custom templates with EXT:form, which also includes the answers to your question.
In short:
Register the YAML configuration with TypoScript in your extension root folder as ext_typoscript_setup.txt (as recommended¹):
plugin.tx_form.settings.yamlConfigurations {
    100 = EXT:my_extension/Configuration/Yaml/CustomFormSetup.yaml
}
module.tx_form.settings.yamlConfigurations {
    100 = EXT:my_extension/Configuration/Yaml/CustomFormSetup.yaml
}
CustomFormSetup.yaml – setting up a new storage path:
TYPO3:
  CMS:
    Form:
      persistenceManager:
        allowedExtensionPaths:
          10: EXT:my_extension/Resources/Private/Forms/
        allowSaveToExtensionPaths: true
        allowDeleteFromExtensionPaths: true
¹ TypoScript inside an ext_typoscript_setup.txt is automatically loaded in both the frontend and the backend of your TYPO3 installation directly after installing your extension. This differs from other TypoScript files, which have to be included manually, e.g. as static templates. See the official Form Framework documentation.
I'd suggest Resources/Private/Forms for your form definitions. The form extension clarifies how to register additional form definition paths.

How can we get value from DOM Properties in JMeter?

I'm trying to record a scenario of SAP CRM.
But I have a problem because every time I log in, SAP CRM generates a new hashed token that is used in the URL like below:
See Image 1 Here
I tried to check where the information is stored, and in Firebug I found it in the DOM tab:
See Image 2 Here
Is there any way to get the value from these DOM properties using JMeter?
Usually the choices are in:
CSS/JQuery Extractor
XPath Extractor
Regular Expression Extractor
Choose the one you're most familiar with. Usually it is the Regular Expression Extractor; however, parsing HTML with regular expressions is not a good idea, and moreover you will be very sensitive to DOM changes (part of the element goes to the next line, attributes change positions, etc.).
So I would recommend choosing between CSS and XPath, but choose them wisely. That is, if the number of styles on the page is not too big, go for CSS; if there are a lot of styles but the DOM itself is not very complicated, choose XPath.

XSS- Cross-Site Scripting: DOM issue

A Fortify scan caught the error below as critical. Can someone please help?
switchcontent.loadpage=function(page_request, header){
var innercontent=document.getElementById(header.id.replace("-title", "")) //Reference content container for this header
innercontent.innerHTML=switchcontent_ajax_msg //Display "fetching page message"
if (page_request.readyState == 4 && (page_request.status==200 || window.location.href.indexOf("http")==-1)){
innercontent.innerHTML=page_request.responseText
header.ajaxstatus="loaded"
}
}
What change would be needed to fix this code to avoid XSS? Any help is greatly appreciated. Thank you.
Are HTML tags inserted in the responseText, or is it just text you want to insert/change? As a rule of thumb, always sanitize/encode all user input and output that is generated from user input. If it's only text that you're inserting, use document.createTextNode (example) and append the text to the element needed (always encoded as well); I would recommend using jQuery .text(), as with pure JavaScript it's kind of cumbersome. If HTML needs to be inserted, be sure it's not user input, as this is a vulnerability. If the text needs to come from a user, use a whitelist to check that the user is only writing tags that you are expecting, for example <p></p>.
Fortify treats this as a vulnerability because if a user sends in the responseText <script>alert('XSS')</script>, the page will render this as HTML and the script will be executed. If you encode this, it would just appear as text and not be executed. Not only can scripts be executed, but HTML will be rendered too and deform your page. You can read more in: OWASP DOM Prevention Sheet
Points:
1: ALWAYS ENCODE USER INPUT!
2: If it's just text, create text nodes and append them to the element. To make this easier, use jQuery if possible: function .text(), not .html(), as the .html() function will render the HTML.
3: If it's user-generated HTML, sanitize malicious tags against a WHITELIST. You can do a blacklist, but blacklists are not that safe, as there are always tags you could forget to check against.
4: If the HTML is server-generated and has no user input, you should be fine.
5: Know that Fortify is just a scanning tool and it has false positives, so if you have the right countermeasures you should be XSS-free.
Whitelisting: checking against a list of available tags. Only letting through tags that you know the user can use, like <p></p><br/>.
Blacklisting: checking against a list of "not welcome" tags. This means having a list with tags you don't want to let the user use.
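The two safe paths the answer describes (treat the response as plain text, or rebuild user-supplied HTML from a whitelist of harmless tags), as an added example that is not part of the original post. The sanitizer here is a deliberately small allowlist rebuilder: it copies nothing from the input verbatim, emits only canonical allowed tags with every attribute dropped, and HTML-encodes everything else, so a <script> element or an onerror attribute cannot reach the parser. The element passed to renderResponse is assumed to be any object with textContent/innerHTML, so the code runs both against a real DOM node and outside a browser. For production code a maintained library such as DOMPurify is the better choice; this block shows the principle, not a replacement for one.

```javascript
// Added example (not from the original post): defensive handling of an
// AJAX responseText before it reaches the DOM. The question's loadpage()
// assigns page_request.responseText straight to innerHTML, which is the
// DOM XSS sink Fortify flags.

// Encode the five characters that can change meaning inside HTML text or
// attribute values (the "always encode" rule from the answer).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Whitelist of tags a user may use. Everything else, including <script>,
// <img onerror=...> and <style>, is shown as visible text instead.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li"]);

// Tokenizer: a tag-like token, a run of text, or a stray '<' that does not
// start a tag. A '>' inside a quoted attribute simply ends the token early;
// the remainder is treated as text and encoded, which errs on the safe side.
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[^<]+|</g;

// Allowlist sanitizer: output consists only of canonical allowed tags with
// all attributes dropped plus HTML-encoded text. Note that '&' in text is
// always re-encoded, so an input entity like "&amp;" displays literally.
function sanitizeHtml(html) {
  let out = "";
  for (const m of String(html).matchAll(TOKEN)) {
    const [token, tagName] = m;
    if (tagName !== undefined) {
      const name = tagName.toLowerCase();
      if (ALLOWED_TAGS.has(name)) {
        const closing = token.charAt(1) === "/";
        out += closing ? `</${name}>` : `<${name}>`;
      } else {
        out += escapeHtml(token); // disallowed tag becomes visible text
      }
    } else {
      out += escapeHtml(token); // text run or lone '<'
    }
  }
  return out;
}

// Drop-in replacement for the risky assignment in the question's loadpage().
// `el` is any object exposing textContent/innerHTML (a DOM element in a
// page; a plain object is enough to exercise it outside a browser).
function renderResponse(el, responseText, allowHtml) {
  if (allowHtml) {
    el.innerHTML = sanitizeHtml(responseText); // user HTML: sanitize first
  } else {
    el.textContent = responseText; // plain text: never parsed as HTML
  }
  return el;
}

// Constructed sample response, as an attacker-controlled editor field might
// deliver it; nothing here is real data from the original post.
const SAMPLE = '<p onclick="steal()">Hello <b>world</b></p><script>alert("XSS")</script>';
console.log(renderResponse({}, SAMPLE, true).innerHTML);
```

Calling renderResponse with allowHtml=false is the equivalent of the answer's createTextNode / jQuery .text() advice; with allowHtml=true it covers the "user-generated HTML against a whitelist" case. Extending ALLOWED_TAGS to anything that carries attributes (links, images) requires an attribute allowlist as well, which is exactly where a maintained sanitizer earns its keep.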

Zend_Translate: How can translation be done with Zend Framework so that each expression is translated according to its HTML id?

I'm a beginner in Zend Framework and it's a bit hard for me to understand how Zend_Translate works.
My Main Question:
How can it be done with Zend Framework translation that each expression is translated according to its HTML id, and how can a non-programmer translator see the word's location in the web browser to translate each expression according to its context?
My Sub Questions:
1. How to update additional fields of the CSV file that holds the translation of the website?
2. The webpage's original word URL cannot be seen in the browser because it is a sub-view that appears in a parent form, etc.
If I have made mistakes or you have a better solution, etc., please write it.
My targets and partial solutions:
1. Let non-programmers do the translation - I chose a CSV file.
2. Translate each word/expression separately according to the context of its appearance on the page and the element id - I added webpage URL and HTML id columns to the CSV file.
(But I have the problem that sometimes the webpage URL cannot be seen in the browser because it is a sub-view that appears in a parent form, etc.)
Example1:
view.phtml
........<div id="view-error"><?php translate("error was produced by empty") ?></div>....
......<div id="view-user-firstname"><?php translate("First Name") ?></div>....
My implementation plan without Zend code (I don't know how to do that with Zend):
CSV file column names:
1. original word - the original word taken from the page to translate
<?php echo translate($original_word) ?>
2. Spanish/Swedish translation - translation of the original word
3. webpage url - link to the webpage where the translated word is located
(It is important for the translator to know the location of the word to check in which context it is used)
4. html id - the id of the HTML div/span/etc. of the translated word
|| original word || Spanish translation || Swedish translation || webpage url || html id ||
Thanks
A regular practice is to have a separate file for each context.
For example, each module can have its own translation source file.
If you have modules like
modules/user
modules/categories
modules/products
modules/checkout
then you can create an appropriate file for each module with all the phrases that need to be translated:
user.csv
categories.csv
products.csv
checkout.csv
It is not recommended to use URLs, because in most cases the same phrases are used on many pages inside one specific module. So it's better to provide the translator with a set of screenshots of each page from the specific module.