Preventing XSS by filtering data from the server to the client

Before you immediately comment “you can’t trust the client!”, please read the whole question.

I’ve been reading about how to prevent XSS attacks lately, and everything I’ve found says that the server should sanitize the data that will be put into the webpage. This would basically look like addToDatabase(filter(userResponse)). Then the client can safely display anything that it gets from the server.

I was wondering if it would be safe to store the potentially unsafe data on the server, and have the client filter it when it is received, like addHTML(filter(serverResponse)). This would stop the data from being executed client-side, so no XSS would take place. I understand that anyone could simply remove that filter; however, all that would do is make themselves vulnerable. Since other clients would filter anything sent to them, a malicious client could only disable their own filter and mess up themselves. (I’m not talking about SQL injection prevention; that would obviously have to be server-side.)

To summarize: The server doesn’t sanitize, but the clients sanitize whatever they receive.

Would this be safe?
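As an added example (not from the question or any answer to it), here is the placement a defender usually reaches for, in Python: the server stores the submission raw and encodes it at the moment it puts the data into an HTML context, so every consumer of the stored data is covered no matter which script runs in a given browser. The function names, the in-memory "database" and the sample comments are constructed for this example.

```python
import html
import json

# Constructed sample of what users submitted, kept exactly as received.
STORED_COMMENTS = [
    'Great post!',
    '<script>alert(1)</script>',
    'Ampersands & "quotes" survive intact',
]


def add_to_database(db, user_response):
    """Store the raw string: no filtering at storage time, so nothing is lost or double-encoded."""
    db.append(user_response)
    return user_response


def encode_html(value):
    """Encode for an HTML element-content or double-quoted attribute context."""
    return html.escape(value, quote=True)


def render_comment_li(comment):
    """Server-side HTML rendering: the encoding step sits at the output boundary."""
    safe = encode_html(comment)
    return f'<li title="{safe}">{safe}</li>'


def render_comments_page(db):
    """What a browser receives; it can display this without any client-side filter."""
    return '<ul>' + ''.join(render_comment_li(c) for c in db) + '</ul>'


def render_comments_json(db):
    """A non-browser consumer gets the raw data with JSON's own encoding.
    (Not for inlining into a <script> tag; that is a third context with its own rules.)"""
    return json.dumps({'comments': db})
```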

Is filtering on int better than filtering on date

I have a system where most of our tables have the current datetime as the primary key, and we filter most of the data based on the datetime.

The question is: what if I move this datetime to a new table and have an auto id in the new table, e.g.

Dates
id  datetime
1   11/6/2019
2   11/7/2019
3   11/4/2019
4   11/8/2019

Now all the other tables will have id instead of datetime and filtering will be based on the id.

Will this improve performance, or is filtering on a datetime equal to filtering on an int?

I am using SQL Server 2018.

Filtering options for a combobox

I currently have a log-on dialogue box which I present to users when they wish to log onto a target system. As I have quite a number of possible target systems, I offer them a combobox in which they can type the first few letters of their chosen target system. This currently looks like the following:

Some of these target systems have an attribute which means that the user does not need to specify their password on connection (SSO); these are listed with a slightly different display name (in the example above, I have denoted it in brackets after the system name).

I was thinking, to make things a bit easier for the users to select an SSO system, that I would add a checkbox to filter the list of system names in the combobox so only SSO entries were shown, something like the following:

The only issue with the above is that for some reason it doesn’t look as intuitive as it could be (in my opinion) because as dialogues flow from left to right, top to bottom, you have to immediately go right to check the box, then left to choose your system.

Is there a nicer way to present this filtering option to users?

User’s CLI input validation for filtering out injection attacks

I am writing a Python script, Gestioner.py, which checks some service CLI commands and validates whether they are supported or not.

I am also trying to develop a test harness, Gest_Test.py, to verify and test possible security attacks like injection attacks, and see if my earlier Gestioner.py is able to stop/filter out injection attacks.

My question is:

How can I add such security-attack filtering functionality to ‘Gestioner.py’, to stop any injection-related inputs given through CLI commands?

Here are some of the example ‘valid’ commands:

--binfcmd filebinf --filecmd fileftp --binfcmd filebinf2 --zip testzipfile2 --stat --type None --mol None

Here is the Gestioner.py file:

#Gestioner.py
#For processing the PService cli commands

from pathlib import Path
import os
import errno
import logging
import sys
from collections import namedtuple
sys.path.insert(0, '..')


supported_cmds = ['binfcmd', 'zip', 'stat', 'type', 'mol', 'sync', 'filecmd']
ISSupported = namedtuple('ISSupported', 'result desc')

###
# Base Class for processing Pservice commands
###
class CmdGestioner:
    def __init__(self):
        # Initialise so get_full_command() cannot raise AttributeError before set_full_command().
        self.full_command = None

    def set_full_command(self, in_cmd=None):
        self.full_command = in_cmd

    def get_full_command(self):
        return self.full_command

    def print(self):
        print("Output: ", self.full_command)

    def is_supported(self, in_command):
        pservice_flags = [elem for elem in in_command.split() if str(elem).startswith('--')]

        # Compare pservice flags with the supported list.
        # Note: x[2:] removes exactly the '--' prefix; x.strip('--') would also strip any
        # number of leading/trailing dashes, so '---zip' or 'zip--' would pass the check.
        command_not_supported = [x for x in pservice_flags if x[2:] not in supported_cmds]
        if len(command_not_supported) > 0:
            commands = ' '.join(str(elem) for elem in command_not_supported)
            command_not_supported_strs = 'The following commands are not supported: ' + commands
            print(command_not_supported_strs)
            return ISSupported(
                result=False,
                desc=command_not_supported_strs)

        return ISSupported(
            result=True,
            desc='')

Test file:

#Gest_test.py

from pathlib import Path
import os
import errno
import logging
import sys
from Gestioner import CmdGestioner
from collections import namedtuple


# Testing application.
if __name__ == "__main__":
    print("Command line parser program.")
    cmd = CmdGestioner()
    # Join with a space, otherwise adjacent arguments run together ('--binfcmdfilebinf--filecmd...').
    cmd_mtg_str = ' '.join(str(elem) for elem in sys.argv[1:])
    cmd_args = [str(elem)[2:] for elem in sys.argv[1:] if str(elem).startswith('--')]

    print("This is the name of the script: ", sys.argv[0])
    print("The arguments are: ", str(sys.argv))
    cmd.set_full_command(cmd_mtg_str)
    cmd.print()
    print("The program arguments are: ", cmd_mtg_str)
    print("Splitting commands into groups by -- from string: ", cmd_mtg_str.strip())
    flags = cmd_mtg_str.split('--')
    for x in flags:
        print(x)
    print('Main commands i.e. those that start with -- ', str(cmd_args))
    # Actually exercise the supported-flag check on the assembled command line.
    print('Supported: ', cmd.is_supported(cmd_mtg_str))

    print('finished')

Thanks for any suggestions/guidance to work my way in the scripts.
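An added example (not the poster's code) of how Gestioner.py's check could be tightened in Python: an exact-prefix flag allowlist, a value allowlist enforced by a regular expression, and an argv list for subprocess rather than a shell string, so no shell ever interprets the values. The flag names and the sample command line are taken from the post; which flags take no value, the VALUE_RE character set and the 'pservice' binary name are assumptions.

```python
import re

# Flag names from the post's supported_cmds list.
SUPPORTED_FLAGS = {'binfcmd', 'zip', 'stat', 'type', 'mol', 'sync', 'filecmd'}
# Assumption: these flags take no value (in the sample, --stat is followed directly by --type).
BOOLEAN_FLAGS = {'stat', 'sync'}
# Assumption: values are bare file-name tokens; metacharacters, spaces and '/' are simply absent.
VALUE_RE = re.compile(r'[A-Za-z0-9_.-]{1,64}')
SAMPLE_ARGV = ('--binfcmd filebinf --filecmd fileftp --binfcmd filebinf2 '
               '--zip testzipfile2 --stat --type None --mol None').split()  # from the post


def validate_cli(argv):
    """Return {flag: True | [values]} for a valid argument list, or raise ValueError."""
    parsed = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith('--'):
            raise ValueError(f'unexpected token: {tok!r}')
        flag = tok[2:]  # exact prefix removal; str.strip('--') would also accept '---zip'
        if flag not in SUPPORTED_FLAGS:
            raise ValueError(f'unsupported flag: {tok!r}')
        if flag in BOOLEAN_FLAGS:
            parsed[flag] = True
            i += 1
            continue
        if i + 1 >= len(argv) or argv[i + 1].startswith('--'):
            raise ValueError(f'flag {tok!r} requires a value')
        value = argv[i + 1]
        if not VALUE_RE.fullmatch(value):
            raise ValueError(f'illegal value for {tok!r}: {value!r}')
        parsed.setdefault(flag, []).append(value)  # --binfcmd appears twice in the sample
        i += 2
    return parsed


def build_command(parsed, binary='pservice'):
    """Turn validated flags into an argv list for subprocess.run(cmd); never a shell string."""
    cmd = [binary]
    for flag, value in parsed.items():
        cmd += ['--' + flag] if value is True else [a for v in value for a in ('--' + flag, v)]
    return cmd


def rejects(argv):
    """True when validate_cli refuses the argument list (used by the checks below)."""
    try:
        validate_cli(argv)
    except ValueError:
        return True
    return False
```

Because the rejected inputs never reach a shell, the harness can assert on ValueError instead of observing side effects.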

Initial state of checkboxes for basic list filtering

I’m developing a web application which features a list of items. The list can be filtered by type, and the user can choose to view one or more types at once. Let’s say the types are Red, Green, Blue, and Yellow.

My idea was to use checkboxes, one for each type, so that e.g. when Blue and Yellow are selected, the list contains the sum of these two. Basic logic.

Checkboxes unselected

Now, the default view is as above: no type is selected. In the app’s logic, this is treated the same as selecting all types – in other words, all items are visible on the list. The user can now click on the type they’re interested in, and the list will only contain that.

Is this an intuitive approach?
Or maybe all the checkboxes should be selected on init instead?
Or perhaps a completely different mechanic should be used in place of checkboxes?

I couldn’t decide and made a list of pros and cons:

  • All checkboxes empty on init
    • 🙂 One click required to filter by one given type
    • 🙁 It doesn’t make much sense that nothing checked means all shown
  • All checkboxes checked on init
    • 🙁 Three clicks required to filter by one given type
    • 🙂 Makes more sense that all checked means all shown

I’m not sure if my reasoning is correct. Looking at shops which let you e.g. select a laptop brand, it’s normal for them to start with all options unchecked. But since my app’s list is rather short and filtering results are immediate, I’m not sure if any of these approaches is better than the other, or maybe I’m missing a better way.

Url query filtering links not working in modern Sharepoint?

In classic SP, tacking a URL query onto a page containing a list was a handy way of filtering the content:

page.aspx?FilterField1=<internal field name>&FilterValue1=<value>

This no longer works in modern. I’ve tried:

  • adding the query to the news.aspx page: /_layouts/15/news.aspx?FilterField1=&FilterValue1=
  • creating a new page with an unfiltered news web part on it and creating a link with the above query added to the URL

Has anyone found a way to get this to work? The alternative is to manually create a page with a filtered news web part on it but that doesn’t seem very “modern”.

Filtering list view based on querystring using jQuery?

  • Using SharePoint 2010, Content Editor Web Parts (some links dynamically created) and a List View Web Part.
  • The ability to add additional software or packages to the system is extremely limited (so I would prefer answers that do not suggest software upgrades or additional/different Web Parts).
  • Notes: using JavaScript/jQuery, and I have access to SPServices.

Given the services I have access to, is there a way to filter the List View Web Part based on a querystring?

On-The-Fly Filtering Of Results

I would like to submit a small problem of usability to you.

This is a problem with on-the-fly filtering of results. The constraint is that the user must first see all the results. Then he filters according to the results he needs to see.

https://xwg5qp.axshare.com

  • Home (initial state): On the right side, all results are displayed. On the left side, all filters (toggle buttons) are disabled.

  • Results filtering: pages 1, 2, 3, 4, 5, 6 and 7.

  • Page 7: All results are displayed. These results are also available at Home.

Is this filtering confusing?

Thank you for your help :)

Event listing, filtering events with search

I’m working on UI for an event listing website. I have a dilemma. I want to include filters, without making the user think they have to use the search bar.

I currently have something like this:

  1. Event listing when search is not being used.

  2. Event listing when search is being used.

Anyways, the problem is this:

When the user visits the site – the “Today” filter is set as default. There is no “All events” filter button available to the user (too many events to list).

However, when the user uses search – the “All events” filter appears and becomes active.

My logic is – if the user uses search – he is most likely interested in all the instances of the keyword (let’s say the user searches for a band – he most likely wants to know WHEN are they playing and less likely to answer if they are playing “today”).

  1. The problem is: would the user get confused because of the sudden appearance of the “All events” filter?

  2. The second problem is: if the user is interested in “this month”, so he changes from “all events” to “this month” and then wants to search for something else, should the search jump again to “all events” or stay on “this month”?