Angular expression inside of an inline html UI Bootsrap tooltip - angular-ui-bootstrap

I can't figure out the proper method to render angular expressions inside of uib-tooltip-html. The example used in the documentation: inline string
doesn't work for me in IE, Chrome or Firefox. Can anyone point me in the right direction? Thanks.

Here's an excerpt from the docs
uib-popover-html - Takes an expression that evaluates to an HTML string. Note that this HTML is not compiled. If compilation is required, please use the uib-popover-template attribute option instead. The user is responsible for ensuring the content is safe to put into the DOM!
The interesting part is
The user is responsible for ensuring the content is safe to put into the DOM!
Which basically means you should use the $sce service to sanitize you HTML and pass it as an expression at your controller
$scope.dynamicTooltipText = "MY SUPER DYNAMIC TEXT"
$scope.htmlPopover = $sce.trustAsHtml('static. ' + $scope.dynamicTooltipText + ' . <b>bold.</b>');
and then pass $htmlPopover to your uib-popover-html directive
<button uib-popover-html="htmlPopover" popover-placement="bottom" class="btn btn-default">
HTML Popover
</button>
Demo plunker

Related

Display raw text from custom field in Drupal

I'm trying to render a Block's Field as Plain Text as I need it used as part of HTML, I've tried using |RAW however I read it was unstable + it didn't work haha!
This is my existing HTML minified
Read More
However I would like to make it more useable
Read More
This would mean that when a user modifies the DrupalBlock HEX code it would change the color of the box. However the issues is when it's printed on the page it's looking like this
<div data-quickedit-field-id="#" class="field field--name-field-color field--type-string field--label-hidden field--item quickedit-field">FFFFFF</div>
the only thing I would like printed is "FFFFFF" with no div's
-
Here is my question: How do I display my Field_color as plain text when it prints?
You can use |raw : {{ content.field_color|raw }}.
If you need more information please ask.
I suggest you do a dump or kint of your content.field_color variable. You might be able to get some more information on it and get the answer!
Anyway, we have something similar in our project and the way we do it is by using a .getString() method.
{% set image_align = content.field_image_align['#items'][0].getString() %}
<div class="{{ image_align }}">
Our field is a list of values so you'll have to look for another array item to call the .getString() method on.

ASP.NET MVC XSS protection

According to OWASP XSS page, one needs to use different XSS protection techniques for different contexts. However, in ASP.NET MVC Razor views, we only have the # sign to escape data in the context of HTML element inner content. What about HTML attributes, CSS, javascript contexts and others?
HTML element content
This is safe and will work as expected:
<div>#data</data>
HTML element attribute
This is not safe and can be exploited:
<div style="background: #color"></div>
JavaScript
While this is not safe:
<script>
var value = #value;
</script>
Safe solution is:
<script>
var value = #Json.Encode(value);
</script>
CSS
This is not safe and can be exploited:
<style>
.box { background : #color; }
</style>
A great thing about razor is that it does all the HTML encoding by default. Unless you use #Html.Raw(), it is pretty difficult to make your page vulnerable. You generally have to explicitly make variables render as html.
You also have Html.Encode() if you need it. There is also HttpUtility.JavaScriptStringEncode()
Regarding the updated vulnerable code:
#{var js = "alert(1);";}
<script>var value = #js</script>
I think you would be violating rule 0 with this code. You are inserting arbitrary strings into a script tag, and expecting it not to be executed. I actually get a syntax error (warning) with your example, but it will still run. If you wrapped it in quotes, you would be safe.
#{var js = "\"alert(1);";}
<script>var value = "#js"; alert(value);</script>
output:
"alert(1);
Notice that the quote that I put in the string gets escaped to ", making me unable to break out of the string, so I cannot inject js.
I'd be interested to see if someone has a way of sanitizing this without putting it in quotes, but I am skeptical.
update 2:
Dealing with CSS
The examples you give are not about escaping strings, it is more about inserting untrusted CSS into your page. To do that, you will need something that can parse CSS. For example, it is not that you want the value to be encoded, you just want it not to include the dangerous stuff like url(javascript:), behavior, binding, etc. You'll need a CSS filtering tool for that.
HTML attributes
you are safe if you do this:
<div data-color="#color"></div>
Since razor encodes quotes, you won't be able to terminate the string early. That's as simple as it is to prevent XSS (barring some unknown vulnerability in razor). Your Json.Encode() uses the same idea.
BUT, you are doing somehting risky if you do this:
<div #attribute></div>
Again, it's not that you need an escaped string here, you want something that filters your attributes on any dangerous content. The fact is, that doing things this way is really messy, and I would advise against it. It is bad design because it is screwing up your separation of concerns and making it hard to secure your app from XSS. What you should do instead is add CSS classes if you want to change the style. If you need to set an attribute based on a variable in razor, use something else rather than injecting it into your HTML and hoping to filter it.
ex:
#{
var disabled = isDivDisabled ? "disabled" : "";
}
<div #disabled><div>

How to display javascript value on HTML

in JSF, I were using: rich:popupPanel to display some information that calculated by Javascript. Normally I often use h:outputText to diplay value but I don't know how to diplay javascript value on HTML. Can I display it with h:outputText ? Thanks
Ignore JSF and just use the normal JavaScript/HTML DOM means. JSF is for them merely a HTML code generator. JS has no knowledge about the JSF source code, all it has access to is its generated HTML source code (exactly the one as you see by rightclick and View Source in the webbrowser).
Imagine that JSF has generated the following HTML, e.g. by <h:outputText id="foo"> or just hardcoding it as-is (you can just write plain HTML in a JSF page, do you know?):
<span id="foo"></span>
Then you can use JS as follows to fill its node value with a JS variable:
var foo = "some value";
document.getElementById("foo").innerHTML = foo;
This will ultimately appear dynamically as follows in the HTML DOM which get also visually reflected in UI:
<span id="foo">some value</span>

Embedded HTML code being displayed rather than HTML being rendered

I am trying to use the calendar gem in my project (https://github.com/elevation/event_calendar). But when I open the calendar page, it renders the page by showing the html code of the calendar rather than rendering the html. Basically the source for the page generate is like
<div class="ec-calendar">
instead of
.
Can anyone let me know what is going on and how to resolve it.
I assume you are using Rails 3? As a security measure against XSS (Cross Site Scripting), Rails 3 renders html inside of strings as text. If you know the html in your string is safe, call html_safe on it, like
'<div class="ec-calendar">'.html_safe
or
raw '<div class="ec-calendar">'
html_safe I believe, is preferred over raw. Not sure what's different behind the scenes, if anything.

Link in input text field

HI All,
I know this is bit strange question, but please suggest.
I want to create a link on website url content in input type"text" field not any other html tag,Is it possible and if yes how.
Regards & Thanks
Amit
I don't know whether I understood your question correctly or not. Based on my understanding I gave the answer. Feel free to raise your question. Nothing is impossible.
</input>
It displays a text box. You can enter any data into it. If you press enter key then it forwards the page to Google.com
You can use SPAN instead of INPUT. This also serve the same purpose.
<a href="http://www.google.com" ><span style="border:1px solid blue;" >Link</span></a>
This is unfortunately not possible in the way you've asked it in HTML 4 or below. Even with HTML5 which has several new INPUT TYPEs, including URL, it only does validation and has some other useful functions, but won't give you want you want.
You might look for some jQuery plugins that can help you do this, most use the same principals behind Rich Text or other online/web-based HTML WYSIWYG editors. I've had trouble locating them myself.
These 3 situations (that I can think of right now) are pretty much what you will face natively with HTML4 or below, as text in an actual HTML4 INPUT textbox is pure text. It is not html and therefore NOT clickable. Here are some variations:
The INPUT tag's VALUE attribute, also referenced as the corresponding DOM object's "value" property (which is basically what you've been doing, and the most you can hope for, if you decide that you MUST have the text that's ACTUALLY inside the textbox (because the text inside the textbox is the VALUE attribute, as I have it with "http://yahoo.com" in this example):
<input id="myTxtbox" type="text" value="http://yahoo.com">
where the INPUT's VALUE = "http://yahoo.com", which you can retrieve with:
in pure javascript:
document.getElementById("myTxtbox").value
in jQuery:
$("myTxtBox").val()
When your link/url is the text in between the and , i.e. the text/innerText of the textbox. This is useless for your question/scenario since it's not clickable, and more importantly NOT INSIDE the textbox. However, someone might want to use this to retrieve any text that you may be using as a label (if you're not using the <label> tag itself already that is):
<input id="myTxtbox" type="text">
http://yahoo.com
</input>
The textbox's text/innerText is NOT an attribute here, only a DOM object property, but can still be retrieved:
pure javascript:
document.getElementById("myTxtbox").innerText
jQuery:
$("myTxtBox").text() -- you would use this to capure any text that you may be using as a label (if you're not using the tag).
The result being: http://yahoo.com
When your link/url is the form of an ANCHOR () with an HREF to your url (and visible link text) in between the and , i.e. the innerHTML of the textbox. This is getting a bit closer to what you want, as the link will appear as, and function as an actual link. However, it will NOT be inside of the textbox. It will be along side it as in example #2. Again, as stated in example #1, you CANNOT have actual working HTML, and therefore a working 'link' inside of a textbox:
<input id="myTxtbox" type="text">
<a href="http://yahoo.com">
http://yahoo.com
</a>
</input>
Once again, similarly to example #2, the textbox's innerHTML is NOT an attribute here, only a DOM object property, but can still be retrieved:
pure javascript:
document.getElementById("myTxtbox").innerHTML
jQuery:
$("myTxtBox").html()
The result being: http://yahoo.com
You could simply do this :
<input type=text value="link" readonly>
So whenever somebody clicks the textbox, it works as a link, and since it's read only, there wont be any text input/change.
Be careful tho, for it wont look like a regular link and might cause confusion, or may be misinterpreted as a normal textbox.
This is how I did it with JavaScript and JQuery. This wraps the entire text field in a hyperlink, so essentially the entire text field is click-able, which may not be the functionality you are looking for. It worked for my purposes though.
The reason I didn't just use a $(nameTextField).click(function(){...}) structure is because the text field I'm using has the disabled attribute set, so click functions aren't fired. That's why I had to wrap the text field in a hyperlink.
// Make person name a hyperlink to page in new tab
var nameLink = "/exampleUrl/?initStudentId=$" + studentId;
$("#studentNameLink").replaceWith($("#studentNameLink").html()); // Unwrap any previously wrapped text fields
$(nameTextField).wrap("<a id='studentNameLink' target='_blank' href='" + nameLink + "'>"); // Wrap text field in anchor
$(nameTextField).css('color', '#326699'); // Make text blue
$(nameTextField).val(studentName); // Set text field value
Half the people here missunderstood it. The OP would like to have the content/value of the input fields to be hyperlinks instantly and NOT the fields themselves.
It is doable... although it's not an input field but the appearance acts like such one.
Use the following: contenteditable=true
HTML
<div contenteditable=true>
<a id=lnk style=-moz-appearance:textfield href=http://www.google.com>http://www.google.com</a>
</div>
or optionally -webkit-appearance ..depends
JavaScript
var lnk=document.getElementById('lnk');
lnk.addEventListener('click',()=>{
window.location.href = lnk.getAttribute('href');
});
http://jsfiddle.net/Dezain/jm9mzrzp/
You want someone clicking a textbox to actually be treated as a link click?
Sounds malicious to me but you could bind the focus event via javascript to a window.redirect().
I don't know if I get the question right. As I've understood you want to be able to type in a ...-tag into an input-field. No other tags should be allowed. You can achieve this by using PHP for example:
<!-- HTML-Code -->
<input type="text" name="link" />
// PHP-Code
$link = strip_tags($_POST['link'], 'a'); // Remove all other tags than the <a>-Tag...
Is that what you mean?
Yes, it is possible, but it's not that simple. You need to create div, or other tag you prefer, that will be always floating over your input, using CSS positions, and create anchor inside it.
For example, virtual keyboard img is embedded into input field that way on russian Google page (http://www.google.ru/)
Because of browser-compatibility it's not a simple task.
EDIT: Understood your question a little more. You still need first part of the answer, and you will need to handle keypress event inside your input. When symbol is entered you will need to update your floating div.
So now task is difficult even more. Maybe you should revise your model and not the code.

Resources