We do not have the event markup feature in our HTML code, but Google is generating the event markup card at the top of the email anyway sometimes and pulling in the company's address (wrong address for this use case). We'd like to disable this feature, but we do not know how given we do not have the code in the email to begin with. Is there also any data on how often this can happen?
Related
I'm looking to add [RentalCarReservation] (https://schema.org/RentalCarReservation) to the consumer-side confirmation emails sent for a large, multinational rental agency but am running into two key questions:
Is there a corresponding Google Now tag that will correctly handle and parse vehicle rentals in particular at this time, or should we use a more generic order markup scheme until such time as there is support for this? It should be noted that none of our competitors seem to be using microdata at all, so there's no industry trend.
As asked earlier on this tag, what is the state of JSON-LD adoption for Google Now tags? By its nature the RentalCarReservation schema requires JSON rather than RDFa or similar.
RentalCarReservation is currently supported by Gmail markup, you can find more info and JSON/microdata examples here:
https://developers.google.com/gmail/markup/reference/rental-car#basic_reservation_confirmation
JSON is supported, as stated in the following link:
https://developers.google.com/gmail/markup/reference/formats/json-ld
In order to be enabled to send RentalCarReservation to your Gmail customers, you will have to register and provide a sample email, more info here:
https://developers.google.com/gmail/markup/registering-with-google?hl=en
I have CMS system where I am using CK Editor to enter data. Now if user types in <script>alert('This is a bad script, data');</script> then CKEditor does the fair job and encodes it correctly and passes <script>alert('This is a bad script, data')</script> to server.
But if user goes into browser developer tools (using Inspect element) and adds this inside it as shown in the below screen shot then this is when all the trouble starts. Now after retrieving back from DB when this is displayed in Browser it presents alert box.
So far I have tried many different things one them is
Encode the contents using AntiXssEncoder [HttpUtility.HtmlEncode(Contents)] and then store it in database and when displaying back in browser decode it and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))] or Html.Raw [Html.Raw(Contents)] as you may expect both of them displays JavaScript alert.
I don't want to replace the <script> manually thru code as it is not comprehensive solution (search for "And the encoded state:").
So far I have referred many articles (sorry not listing them all here but just adding few as proof to show I have put sincere efforts before writing this question) but none of them have code which shows the answer. May be there is some easy answer and I am not looking in right direction or may be it is not that simple at all and I may need to use something like Content Security Policy.
ASP.Net MVC Html.Raw with AntiXSS protection
Is there a risk in using #Html.Raw?
http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/
http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/
To reproduce what I am saying go to *this url and in the text box type <script>alert('This is a bad script, data');</script> and click the button.
*This link is from Michael Kennedy's blog
It isn't easy and you probably don't want to do this. May I suggest you use a simpler language than HTML for end user formatted input? What about Markdown which (I believe) is used by Stackoverflow. Or one of the existing Wiki or other lightweight markup languages?
If you do allow Html, I would suggest the following:
only support a fixed subset of Html
after the user submits content, parse the Html and filter it against a whitelist of allowed tags and attributes.
be ruthless in filtering and eliminating anything that you aren't sure about.
There are existing tools and libraries that do this. I haven't used it, but I did stumble on http://htmlpurifier.org/. I assume there are many others. Rick Strahl has posted one example for .NET, but I'm not sure if it is complete.
About ten years ago I attempted to write my own whitelist filter. It parsed and normalized the entered Html. Then it removed any elements or attributes that were not on the allowed whitelist. It worked pretty well, but you never know what vulnerabilities you've missed. That project is long dead, but if I had to do it over I would have used an existing simpler markup language rather than Html.
There are so many ways for users to inject nasty stuff into your pages, you have to be fierce to prevent this. Even CSS can be used to inject executable expressions into your page, like:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Here is a page with a list of known attacks that will keep you up at night. If you can't filter and prevent all of these, you aren't ready for untrusted users to post formatted content viewable by the public.
Right around the time I was working on my own filter, MySpace (wow I'm old) was hit by an XSS Worm known as Samy. Samy used Style attributes with embedded background Url that had a javascript payload. It is all explained by the author.
Note that your example page says:
This page is meant to accept and display raw HTML by trusted
editors.
The key issue here is trust. If all of your users are trusted (say employees of a web site), then the risk here is lower. However, if you are building a forum or social network or dating site or anything that allows untrusted users to enter formatted content that will be viewable by others, you have a difficult job to sanitize Html.
I managed to resolve this issue using the HtmlSanitizer in NuGet:
https://github.com/mganss/HtmlSanitizer
as recommended by the OWASP Foundation (as good a recommendation as I need):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
First, add the NuGet Package:
> Install-Package HtmlSanitizer
Then I created an extension method to simplify things:
using Ganss.XSS;
...
public static string RemoveHtmlXss(this string htmlIn, string baseUrl = null)
{
if (htmlIn == null) return null;
var sanitizer = new HtmlSanitizer();
return sanitizer.Sanitize(htmlIn, baseUrl);
}
I then validate within the controller when the HTML is posted:
var cleanHtml = model.DodgyHtml.RemoveHtmlXss();
AND for completeness, sanitise whenever you present it to the page, especially when using Html.Raw():
<div>#Html.Raw(Model.NotSoSureHtml.RemoveHtmlXss())</div>
I have posted this as, although I worked out the answer, I could not find anything about it in a Google/stackoverflow search. I hope it might help someone in the future.
My C# MVC app generates a link and emails it to the user. In the email the html is simply a link tag with the url used as the href and the link text.
In the email in Outlook the link displays as below:
http://mydomain.com/Foo/Bar?id=6***************
When you hover over the link it shows as
http://mydomain.com/Foo/Bar?id=6523054102058710
The numbers should always show, otherwise the user may be suspicious.
It turns out that the number I was generating was 16 digits, inadvertently the same as a credit/debit card number. This meant that some email clients were hiding the number to protect privacy.
To solve the problem I simply changed the number of digits.
I would like to be able to intercept a hyperlink from an email on BlackBerry.
e.g.
dummy site
I have been able to intercept and identify text in a plain text email using PatternRepository. However, it doesn't seem to work with HTML emails - is this even possible?
I would like to avoid the solution of scanning every incoming email myself, and parsing all the text, but this might be the only option.
Thanks
This is not possible (up to and including BlackBerry 6 afaik). It is not related to the hyperlink concept - it is not possible to use PatternRepository with any type of text within HTML text.
For performance reasons, the BlackBerry designers decided not to implement pattern matching within HTML fields (browser, or email). This is very unfortunate, but it must be dealt with.
In my app, I had the freedom to define the contents of the email. In my case, I ended up including the pattern into the subject of the email - the user can click on the subject to get to my app.
In most other situations, I think the best/only way forward is to intercept each mail as it arrives and parse it looking for the text. If I have to do that in the future, I'll try to update this post with some sample code.
There are various posts on the BlackBerry forums about this issue.
Richard
In my webapp i want to display user emails. But i dont want spam boots to steal my user emails. So have do i automatic create a image displaying there email?
Best regards,
A rails beginner
Creating an image is one way to go, but remember that OCR is getting to be an extremely "cheap" operation and isn't a guarantee that a bot wouldn't analyze all the pictures on your site to see if they contain text that looks like email addresses. There's plenty of techniques to "hide" addresses in plain sight. Write them out in character entity format, intersperse empty tags, uses javascript to decode an encoded form of them and insert into the page after load, etc...