XSS attack on a value field ignoring the quotation marks

Consider a website that handles the search query like this:

If I try to inject this script, it does not work …

    " onerror="alert(0)

This is probably because the website encodes the double quote as &quot;. I even tried double encoding the double quotation mark as %2522, but the website seems to render this as "%22 onerror%22alert(0)" and, for whatever reason, the %22 is no longer decoded.

Is there a way around this?

python 3.x – How to pass list values with single and double quotation marks to a PostgreSQL select query

I execute a select query on the PostgreSQL database and, after retrieving the results, I add them to a list, and then I give this list as input to another PostgreSQL select query.
But because of the conversion of these values into a list, it converts the values with an apostrophe (special character), cats, into double quotation marks, "Cats". When running the second select query, the value with the double quotation marks is not fetched, because the value with the double quotation marks is not present in the database; there it is without quotation marks, cats.
And there, it gives me the error that this value is not present.

I tried the JSON dumps method, but it does not work because I cannot convert a JSON list to a tuple and give it as input to a PostgreSQL select query.

    select_query = """select "Unique_Shelf_Names" from "unique_shelf" where category = 'Accessory' """
    cur.execute(select_query)
    count = cur.fetchall()

    # Flatten the fetched rows into a plain list of values
    query_list = []
    for co in count:
        for c in co:
            query_list.append(c)

query_list output: –

    query_list = ['parrot', 'dog', "leopard's", 'cat', "zebra's"]

Now this query list is converted to a tuple and given as input to another select query:

    list2 = tuple(query_list)

    query = """select category from "unique_shelf" where "Unique_Shelf_Names" in {} """.format(list2)

    cur.execute(query)

This is where it gives me the error that "leopard's" does not exist, but leopard's exists in the database.

I want all query_list values to be in double quotation marks so that this error does not occur.
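Added example, not part of the original post: `.format(tuple)` pastes Python's repr into the SQL, so a value containing an apostrophe arrives wrapped in double quotes, which PostgreSQL reads as an identifier rather than a string. The sketch below shows that text and the parameter-bound alternative; it uses the standard-library `sqlite3` driver as a stand-in so it runs offline, and the table contents are constructed.

```python
import sqlite3

# Constructed sample values mirroring the question's query_list.
query_list = ['parrot', 'dog', "leopard's", 'cat', "zebra's"]


def formatted_in_clause(values):
    """The text that str.format(tuple(...)) pastes into the query:
    Python repr of a tuple, not SQL string literals."""
    return "in {}".format(tuple(values))


def lookup_categories(conn, names):
    """Bind every value as a parameter so the driver does the quoting.
    Only the placeholders are formatted into the SQL, never the data."""
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = ('SELECT "Unique_Shelf_Names", category FROM unique_shelf '
           'WHERE "Unique_Shelf_Names" IN ({}) ORDER BY 1'.format(placeholders))
    return conn.execute(sql, list(names)).fetchall()


def demo():
    """Build a constructed in-memory table and run the bound query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE unique_shelf ("Unique_Shelf_Names" TEXT, category TEXT)')
    conn.executemany("INSERT INTO unique_shelf VALUES (?, ?)",
                     [(name, "Accessory") for name in query_list])
    return lookup_categories(conn, query_list)


if __name__ == "__main__":
    print(formatted_in_clause(query_list))
    print(demo())
```

Assuming the question's `cur` is a psycopg2 cursor, the same idea is written with `%s` placeholders, for example `cur.execute('... where "Unique_Shelf_Names" = ANY(%s)', (query_list,))`, where the list is passed as a single parameter.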

magento2 – Magento 2: save item options in quotation marks (quote_item_option)

I need to add a new option for the article.

Now in quote_item_option I have:

    {"id": "54", "product": "54", "selected_configurable_option": "", "related_product": "", "options": {"4": ""}, "quantity": "1"}

But I want:

    {"id": "54", "product": "54", "selected_configurable_option": "", "related_product": "", "options": {"4": "", "new_option": "a_value"}, "quantity": "1"}

I created the following controller:

            $this->resultJsonFactory = $resultJsonFactory;
            $this->checkoutSession = $checkoutSession;
        }

        /**
         * @return \Magento\Framework\Controller\Result\Json
         */
        public function execute()
        {
            $a = 3;
            $itemId = (int) $this->getRequest()->getParam('item_id');
            $newOptionValue = (string) $this->getRequest()->getParam('new_option');

            if ($itemId && $newOptionValue) {
                $quote = $this->checkoutSession->getQuote();
                /** @var \Magento\Quote\Model\Quote\Item $item */
                foreach ($this->checkoutSession->getQuote()->getItems() as $item) {
                    // Skip every quote item except the requested one
                    if ((int) $item->getItemId() !== $itemId) {
                        continue;
                    }
                    $buyRequest = $item->getBuyRequest();

                    // Add the new option to the item's buy request
                    $options = $buyRequest->getData('options');
                    if (!$options) {
                        $options = [];
                    }
                    $options['new_option'] = $newOptionValue;
                    $buyRequest->setData('options', $options);

                    $quote->updateItem($itemId, $buyRequest);
                    $quote->save();
                }
            }

            return $this->resultJsonFactory->create()->setData(['message' => 'Error']);
        }

I've debugged: the data (option value) gets to the script successfully and is also modified, but the option with the new field is not saved to the table.

What is the problem or my mistake?

Thanks for all help and advice 🙂

web application – XSS possible in the value field of the input tag when double quotation marks are filtered?

Is it possible to get XSS in the value field of the Input tag when the application is filtering the quotation marks?

The request input goes inside the value field, so I tried to close it with " and give a payload like " accesskey="X" onclick="alert(1)", but " is filtered.

So, any possible XSS vector in this scenario?
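Added example, not part of either post: it covers this question and the earlier one about `&quot;` and `%2522`, showing the raw-concatenation form beside the entity-encoded form and what an HTML parser sees in each. The `<input>` markup and the field name `q` are assumptions, since neither question shows the page's markup, and a single URL-decoding pass on the server is assumed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

PAYLOAD = '" onerror="alert(0)'                 # input quoted in the first question
DOUBLE_ENCODED = '%2522 onerror%2522alert(0)'   # the double-encoding attempt


class InputAttrs(HTMLParser):
    """Collects the attributes an HTML parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def render_raw(q):
    # Vulnerable form: the value is concatenated into the attribute as-is.
    return '<input type="text" name="q" value="' + q + '">'


def render_encoded(q):
    # Hardened form: & < > " ' become entities, so a quote in q
    # cannot terminate the quoted attribute value.
    return ('<input type="text" name="q" value="'
            + html.escape(q, quote=True) + '">')


def server_view(raw_query):
    # Assumption: the framework URL-decodes the query string exactly once,
    # so %2522 becomes the literal text %22, never a quote character.
    return unquote(raw_query)


if __name__ == "__main__":
    print(parsed_attrs(render_raw(PAYLOAD)))
    print(parsed_attrs(render_encoded(PAYLOAD)))
    print(render_encoded(server_view(DOUBLE_ENCODED)))
```

With the encoded form the parser reports only `type`, `name` and `value`, and the whole input is carried as the text of `value`, which matches the behaviour both questions describe.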

Make typography automatically add quotation marks in MS Word 365

In Word (Microsoft Word for Office 365 in my case), typography can be predefined in document templates, so that formatting can be defined by highlighting text and clicking on the typography (Home tab -> typefaces box).

One thing I do not find, without any luck thanks to the search on the Web and the MS help site, is how to create a typography not only to add formatting (color, font, size, lining, indentation …), but how to make a typography add symbols.

Specifically, I would like quotation marks "text", apostrophes 'text', etc. added around my highlighting (before and after). For example, if I highlight the words To be or not to be in this sentence:

The famous line To be or not to be is from Hamlet

and click on the typography. I would like the result to become automatically:

The famous line "To be or not to be" is from Hamlet

Is it possible?

xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option

Some of your file names appear to have single quotation marks (apostrophes).

Fortunately, find and xargs have ways around that. find's -print0 option together with xargs's -0 option produces and consumes a list of filenames separated by the NUL (\000) character. Linux file names may contain ANY character EXCEPT NUL and /.

So what you really want is:

    find ~ -type f -print0 | xargs -0 --no-run-if-empty wc -w

Read man find; man xargs.

android – the string returned by evaluateJavascript getElementById is returned with slashes and quotation marks

I have a problem with a string returned from evaluateJavascript and getElementById, where the returned string is formatted with slashes and quotation marks.

For example, I have an item in my web view with the id of user_id_firebase so

So in my getElementById I get the innerHTML, and what should be returned and loaded into my Firebase is active | 12345

What I receive is this

"" active | 20321 "

Finally, I split the string on | and separate these values, but first the html string comes back odd, with slashes and quotation marks.

Can any one explain why this is happening?

    webView.evaluateJavascript(
        "(function() { return (document.getElementById('user_id_firebase').innerHTML); })();",
        new ValueCallback<String>() {
            @Override
            public void onReceiveValue(String html) {
                String currentString = html;
                // '|' is a regex metacharacter in String.split, so it is escaped
                String[] separated = currentString.split("\\|");
                // Write a message to the database
                FirebaseDatabase database = FirebaseDatabase.getInstance();
                DatabaseReference myRef = database.getReference("message");

                myRef.setValue(html);
            }
        });

Place quotation marks at the beginning and end of each number

I have to put quotation marks at the beginning and end of each number.


I have the following sequence:

    $seq = "123,456,789";

The result should look like this:

    $seq = "123", "456", "789";

8 – How to prevent views from replacing single quotes with double quotation marks in the HTML output?

I'm using the option of rewriting a field of view to generate HTML. A tag has a data attribute, which should contain a table for later use in JavaScript with JSON.parse ():


For JSON.parse() it is necessary to place the fields of the table in double quotes, so I have to use single quotation marks for the closing of the HTML attribute. The output should look like this:


But somewhere in the process, Drupal replaces single quotation marks with double quotes, changing the result to:


Which is apparently poorly formatted.

My question is: why does this happen, where is it happening, and is there a clean workaround?

I know it would be a much simpler approach to write a custom view field. But again, it looks a bit like an excess.