How do you prevent HTML special character coding from displaying on a website?

An article in the Wall Street Journal (wsj.com) displays HTML special character code instead of the actual character, the greater-than sign. Thus, instead of displaying >, the article displays &gt;. This occurs (for me, at least) on Chrome, Firefox, and Safari (all latest versions with cache cleared).

My (limited) understanding is that websites should have the following code in the header:

<meta http-equiv="content-type" content="text/html;charset=utf-8" /> [α] 

The wsj.com site has this code in the header: <meta charset="UTF-8">. Is this the cause of the problem? In other words, if the WSJ site had <meta http-equiv="content-type" content="text/html;charset=utf-8" /> in the header, would we see > instead of &gt;?

The Wall Street Journal article is:

  • Stern, Joanna. "iOS 14 Review: Your iPhone Will Look Completely Different Now, if You Want." Wall Street Journal (16 September 2020).

The article is probably behind a firewall, so here is an image of the sentence as it appears in the article:

[Image: sentence in WSJ article displaying HTML special character code]

TIA,

Mark

Footnote
α. Kyrnin, Jennifer. "How to Use Special Characters in HTML." Lifewire (20 February 2020).

Porting wordpress to html

I've got a website that I've got set up on WordPress currently for a customer, and I'm not really happy with the speed of the site.

I was able to get the WordPress site up, but my HTML skills are probably beginner to intermediate. I'm currently in a full stack HTML bootcamp, so that should help somewhat. As part of my learning, I figured I would try to recreate that website in HTML to see if it would be any faster. That's created some general design questions, though:

1) WordPress has a…


How to create a html file offline with app cache

We have an online HTML file that is accessible through the browser. We want this to be available offline, and looking into it, the best thing would be using the App Cache with a manifest file.

I believe I have done all the steps correctly, but it still doesn't preload all the files for the HTML. Here is what I have done:

1. Updated the html tag to read

<html manifest="location of manifest file">

2. Created a manifest file listing the individual files

CACHE MANIFEST

1360_VT_04data60_VT_03.js

1360_VT_04data60_VT_03.swf

1360_VT_04data60_VT_03.xml

1360_VT_04data60_VT_03_core.xml

etc….

3. Edited the .htaccess file with

AddType text/cache-manifest .manifest
ExpiresByType application/x-web-app-manifest+json "access plus 1 year"
ExpiresByType text/cache-manifest "access plus 1 year"

Any ideas why this is not working?

How to send SQL or HTML data over HTTP without triggering WAF rules?

I’m working on securing an application that receives SQL and HTML-like information that is actually proprietary formulas in some cases, and parts of XML documents in other cases.

So the WAF thinks some HTTP requests are SQL or HTML injection attacks while they actually aren’t.

So how can I send these formulas and XML information without triggering those WAF rules? I tried encoding the data but that didn’t work.

To all html & css lovers. We made this UI Library for you :)

We announced the Frontendor.com HTML blocks & templates library in the last few days, after we focused on three essential goals:

✦ Neat code, easy to customize
✦ Separate blocks, easy to integrate
✦ Create landing pages by COPY-PASTE.

This way, we can build a new landing page every time just by copying the HTML & CSS from our library.

We would love to hear your very honest feedback and suggestion. Thank you.

PS: If you liked Frontendor and want to support us. You can grab your deal with…


Is there a potential XSS in this html action attribute?

I’m working on a website and I noticed that if I go to the following URL: website.com/page?alert() this message is reflected in the action form. I tried to close the action attribute using double quotes in order to try a classic like " onload="alert(1)" but double quotes are URL-encoded if I read the source code. Do you have any suggestions? Or is it just a rabbit hole? Thanks

 <form method="post" action="./page?alert()" id="cn"> <div class="n"> 
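On the server side, the reflected query string needs HTML attribute encoding of its own rather than depending on the client having percent-encoded the quotes. The following is an added example, not code from the post or the site in question; the function names are hypothetical and the sample inputs are constructed from the strings quoted above.

```python
import html
from html.parser import HTMLParser


def render_reflected(query: str) -> str:
    """Reflects the query string exactly as received (the behaviour the post describes)."""
    return f'<form method="post" action="./page?{query}" id="cn">'


def render_encoded(query: str) -> str:
    """Entity-encodes the reflected value for the double-quoted attribute context."""
    action = html.escape("./page?" + query, quote=True)
    return f'<form method="post" action="{action}" id="cn">'


class _FormAttrs(HTMLParser):
    """Records the attributes of the first <form> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.attrs is None:
            self.attrs = dict(attrs)


def form_attributes(markup: str) -> dict:
    """Attribute names and decoded values of the <form> tag, as an HTML parser sees them."""
    parser = _FormAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# Constructed inputs: the two strings quoted in the post (the second without its
# trailing quote so the reflected markup stays well-formed) and a normal query.
SAMPLES = ["alert()", '" onload="alert(1)', "a=1&b=2"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sorted(form_attributes(render_reflected(sample))),
              sorted(form_attributes(render_encoded(sample))))
```

A form that posts back to its own page can also use a fixed `action="./page"` and not reflect the query string at all.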

Switch properly from HTML website to WordPress without hurting Google rankings

My question is about specific technicalities of the switch from HTML website to WordPress. I looked through similar questions but my question still remains.

I think my situation is pretty standard.

I’m about to switch my current HTML website to WordPress. My website has been up since 2006.

Main details of the transition:

-My current site is in the /public folder

-Most pages have .php extension

-The WordPress folder is /clickandbuilds/mywebsite (WordPress.org, hosted by 1&1)

-I’ll also need to do 301 redirects for all .php pages to the WP pages

I guess my main question is the following:

Is it safe to just switch my domain from the /public folder to the WordPress folder once everything is ready? I assume it’s a standard procedure – but still wanted to get a second opinion.

Thanks, Leo

Attacking through a malicious HTML file apart from XSS through Javascript

I recently came across a behavior in a web application where the application (through the use of the header ‘Content-Disposition: attachment’) offers to download an HTML file instead of allowing it to get parsed by the browser. Interestingly, the GET request to the URL that lets you download the HTML page passes the absolute path of the HTML file that will be downloaded – starting all the way from /usr/local....<snip>/public/mypage.html . If an attacker has the privilege to upload an HTML file to this location (public), apart from an XSS attack, what else can he/she do on the machine of a victim who downloads and opens the HTML file crafted by the attacker?

I am aware of the XSS attacks that one can do by injecting some malicious JavaScript in the HTML file. I would like to know what else an attacker can get done outside of JavaScript XSS attacks.
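A download endpoint like the one described can accept a name relative to the public directory instead of an absolute path, and send headers that keep an uploaded HTML file from rendering in the site's origin. This is an added example, not code from the post or the application; `resolve_download`, `download_headers` and the temporary directory layout are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def resolve_download(public_dir: Path, requested: str) -> Path:
    """Map a client-supplied name to a file inside public_dir, or raise ValueError."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise ValueError("absolute or empty path rejected")
    base = public_dir.resolve()
    target = (base / requested).resolve()  # collapses ".." and follows symlinks
    if base not in target.parents:
        raise ValueError("path escapes the public directory")
    if not target.is_file():
        raise ValueError("no such file")
    return target


def download_headers(path: Path) -> dict:
    """Response headers for serving an untrusted upload as a download only."""
    safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in path.name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def demo() -> dict:
    """Run three constructed requests against a temporary public/ directory."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp) / "public"
        public.mkdir()
        (public / "mypage.html").write_text("<p>constructed sample</p>")
        (Path(tmp) / "secret.txt").write_text("constructed file outside public/")
        requests = {"relative": "mypage.html", "traversal": "../secret.txt",
                    "absolute": str(public / "mypage.html")}
        for label, name in requests.items():
            try:
                out[label] = resolve_download(public, name).name
            except ValueError as exc:
                out[label] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    print(demo())
```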