Preventing XSS by filtering data from the server to the client

Before you immediately comment “you can’t trust the client!”, please read the whole question.

I’ve been reading about how to prevent XSS attacks lately, and everything I’ve found says that the server should sanitize the data that will be put into the webpage. This would basically look like addToDatabase(filter(userResponse)). Then the client can safely display anything that it gets from the server.

I was wondering if it would be safe to store the potentially unsafe data on the server and have the client filter it when it is received, like addHTML(filter(serverResponse)). This would stop the data from being executed client-side, so no XSS would take place. I understand that anyone could simply remove that filter; however, all that would do is make themselves vulnerable. Since other clients would filter anything sent to them, a malicious client could only disable their own filter and mess up themselves. (I’m not talking about SQL injection prevention; that would obviously have to be server-side.)

To summarize: The server doesn’t sanitize, but the clients sanitize whatever they receive.

Would this be safe?
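The client-side filter step from the question, written as context-aware output encoding rather than a blocklist. This is an added example, not code from the question; the names (escapeHtmlText, escapeHtmlAttr, renderComment, setUntrustedText) and the sample record are assumptions made for the illustration.

```javascript
// Added example: escape untrusted server data on the client for the exact
// HTML context it is inserted into. Function names and sample data are
// constructed for this illustration, not taken from the question.

// Characters that must be neutralised inside element text content.
const HTML_TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
// Inside a quoted attribute value the quote characters also need escaping.
const HTML_ATTR_ESCAPES = { ...HTML_TEXT_ESCAPES, '"': '&quot;', "'": '&#x27;' };

// Encode a value that will be placed between tags (text context).
function escapeHtmlText(untrusted) {
  return String(untrusted).replace(/[&<>]/g, (c) => HTML_TEXT_ESCAPES[c]);
}

// Encode a value that will be placed inside a double- or single-quoted attribute.
function escapeHtmlAttr(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ATTR_ESCAPES[c]);
}

// Build markup from a server record. Every untrusted field is encoded for the
// context it lands in; nothing from the server is concatenated raw.
function renderComment(serverResponse) {
  const author = escapeHtmlAttr(serverResponse.author); // attribute context
  const body = escapeHtmlText(serverResponse.body);     // text context
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Simplest safe route when a DOM node is at hand: assign textContent, which
// never parses markup, instead of building an innerHTML string at all.
function setUntrustedText(element, untrusted) {
  element.textContent = String(untrusted);
  return element;
}

// Constructed sample of a stored, unsanitized record as the question describes.
const sample = { author: 'mal"lory', body: '<b>hi</b> & <img src=x>' };
console.log(renderComment(sample));
```

The attribute escaper is needed separately because a value that is harmless as text can still close a quoted attribute; the encoding has to match where the string is placed.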

How is browsing from a virtual machine/virtual box preventing fingerprinting or tracking?

Is it increasing your internet security in terms of privacy/tracking/fingerprinting if you are surfing with your web browser in a virtual machine environment (VirtualBox + VPN)? Instead of surfing from your normal Windows operating system…

Or is a virtual machine not helping you in fingerprinting cases? I just want to understand if you can use a virtual machine as an additional privacy tool and, if yes, on what aspects it would have an impact (IP address, virus infections, fingerprinting, etc.)?


Preventing CSRF with SameSite="strict" without degrading user experience?

ASP.NET will soon begin reflecting Google’s decision to default cookies to SameSite="strict" in a defense against CSRF attacks:

Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core

This means that if I own, any logged-in users who are directed to from off-site will consume the content as if they are not logged in, as the browser will refuse to send the forms authentication headers with the request by default.

This is a poor user experience, and I’m tempted to simply specify SameSite="Lax" to ensure that users are not surprised by this behavior.

Is there any way to have my cake and eat it too, in this scenario?

Getting around massive preventing of damage [on hold]

I’m currently running a game where one of the players has the ability to reduce/prevent a ton of damage. I’m looking for ways around this, such as the old school wights that did ability score damage, things like Ray of Enfeeblement that grants a strength penalty, diseases, etc.

Is there something I can search in the compendium, or is there a list somewhere online, that could save me hours of digging through every monster in 4e to find new and interesting ways to damage players other than just dishing out huge amounts of damage?

Server preventing colon character from being used

I have discovered an input field which accepts <img> and <h1> tags. I tried to use the events like onmouseover which is being stripped from the tag.

Example: If the input is <img src="a" onmouseover="alert(1)"> , the response is <img src="a">.

So it is not just for a single event, even an attribute like “onx” is being stripped off. Hence I tried to use the payload:

<img src="javascript:alert(1)"> 

Surprisingly, now the response is <img> which shows that this happens due to the character colon (:). If I use something like

<img src="javascript_alert(1)"> the response is given back the same way.

Is there any way to bypass this?

Preventing boot from USB on Dell Inspiron 5559

So what I am looking for is a way to prevent anyone from booting from a USB drive on this specific Dell Inspiron 5559. Normally, what I would have to do is set an admin password in the BIOS, which would prevent anyone from booting from a USB drive or changing BIOS settings without the admin password. The bad thing is that the admin password can be easily bypassed using certain websites with the system serial that appears in the message asking for the admin password. I won’t post links here, but you can search on YouTube and see for yourself, so apparently that doesn’t work. Now, I have Windows 10 installed and I can use BitLocker to encrypt my HDD and protect my info, but I am also trying to protect the HDD from sabotage, i.e. formatting the HDD (without using an external backup drive). In short, I want it so that if someone wanted to tamper with the laptop, they would need to open the laptop casing and take the HDD out (or even the CMOS battery if they tried to reset the BIOS settings), and I am OK with that.