Double Encoding – One Of The Biggest Enemies While Fixing Cross-Site Scripting (XSS)

“You have X amount of Cross-Site Scripting vulnerabilities.” That is a phrase most web developers have heard at least once. But what is a Cross-Site Scripting vulnerability?

OWASP defines Cross-Site Scripting as:

“Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.”

Redmine: Textile Style Formatting Not Working, Textile Inline Styles Not Working

The Redmine developers turned off Textile inline styles because of the XSS risk they pose. I explain below how to turn the inline styles back on if your Redmine server is protected from unauthorized access; I would suggest keeping Textile styles off if your Redmine server is publicly accessible. The main point of this article is that styling such as background colors, CSS, table borders, cell borders, etc. is turned off by default.

If you do decide to turn inline styles back on using the information below, then here is a note from the Textile Reference Manual (link):