I am trying to embed two URLs in the same clickable text, so that after a person clicks on the text, he/she is directed to two webpages (I don't really care whether this happens in two windows or two tabs). A command like:
\href{https://projecteuler.net/about;https://en.wikipedia.org/wiki/Project_Euler}{Project Euler}
Is this possible?
That is an interesting quest. It is a good question even for HTML alone, not to mention LaTeX.
Doing this with JavaScript in the browser is standard fare. See this post for the simplest case, using the JS onclick method, or this post, or this post (for the same or other methods).
<p><a href="#" onclick="
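/* note: some popup blockers may allow only the first window.open here */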
window.open('http://google.com');
window.open('http://yahoo.com');
">Click to open Google and Yahoo</a></p>
JavaScript is supported by the hyperref package, according to the long list of accepted methods in the hyperref docs. So it may be possible to do exactly as shown above, with onclick="..." in \href{} (untested). For a demonstration of far more involved JS, see this post (with the insdljs package). For a possible non-JS approach using 'nested actions' via hyperref's nextactionraw option, see this post.
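For what it's worth, the PDF-side JavaScript itself is short. A minimal sketch, assuming an Acrobat viewer and that the action can be wired up via hyperref or insdljs; app.launchURL is the standard Acrobat JavaScript call, and the wiring is the untested part:
// Acrobat JavaScript for the link action: open both pages;
// the second argument true requests a new window for each.
app.launchURL("https://projecteuler.net/about", true);
app.launchURL("https://en.wikipedia.org/wiki/Project_Euler", true);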
In short, it should be quite possible to use JavaScript with hyperref, and then you're golden.
There is also an old trick for doing it with HTML; see the first answer in a link above:
Click Here
If this still works, perhaps it is possible to slip it to hyperref, which may then just do it without JS. (See an answer in one of the links above for how to define the CSS class, if this is of interest.)
I have been using Platypus & ReportLab with Python for several weeks, and would caveat this by saying that I am definitely a beginner and my code isn't "good" code, but...
I tend to work by looking at an example, testing it, and then adapting it to my needs...
With this approach, I managed to get a table of contents to work.
I also wanted to have a "Page x of y" working. Again I found code and, after a lot of hassle, managed to get it to work with my table of contents, after which I thought I understood more about how these pieces fit together, but...
I had experienced links working - or not working - separately from the ToCs.
However, when I merged my samples for the ToC and Page x of y, I now have a wonderful ToC with links for each topic I wanted - but the links all go to the top of the document.
I have looked at other examples I have tried, and find some where links using <a href="#MYANCHOR"... and <a name="MYANCHOR"... have the same issue.
I have also added into my main code a link using <a href=... but pointing at one of the link destinations that a ToC would use - and this again jumps to the top of the document.
I put all the elements that form the document into a list called e.g. element, so I have code such as element.append(PageBreak()). I can then print out the whole element list to see what is there and compare it with the examples, and I can see no significant difference.
If I provide an external link to a website (e.g. that excellent stackoverflow.com), those links work, but internal ones don't. I accept they are handled differently, but I hope it indicates where my failure lies!
I would love to understand why the links are so fickle, as I would also like to get links to work in a table, and from a drawing, which to my mind should be possible... which may just highlight my ignorance, for which I apologise...
Any help would be really appreciated...
Many thanks,
I'm running TYPO3 v7.6.4.
I already looked into existing plugins and even into writing my own... but I can't find a solution.
My goal is pretty simple:
Show a simple disclaimer page whenever the user clicks a link to any external page.
Is there any easy way to accomplish this?
The easiest way would in fact be to add an on('click') event handler to all links. This would be additional JavaScript and would work with all existing content. Figuring out whether a link refers to an external site should be easy: exclude relative URLs and match absolute URLs against your baseUrl (a sketch follows below).
However, if this is a legal requirement, you should decide whether JavaScript works for you, because with JS disabled the disclaimer would not be triggered.
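A minimal sketch of the idea in plain JavaScript; the '/disclaimer' URL is a made-up placeholder for whatever page you build in TYPO3:
// Intercept clicks on links to external hosts and route the user
// through a disclaimer page first.
document.addEventListener('click', function (event) {
  var link = event.target;
  while (link && link.tagName !== 'A') {
    link = link.parentElement; // the click may land on a child of the <a>
  }
  if (!link || !link.hostname) return;
  // Relative URLs resolve to our own hostname, so they are excluded here too.
  if (link.hostname !== window.location.hostname) {
    event.preventDefault();
    window.location.href = '/disclaimer?target=' + encodeURIComponent(link.href);
  }
});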
I have a CMS system where I am using CKEditor to enter data. Now if a user types in <script>alert('This is a bad script, data');</script> then CKEditor does a fair job and encodes it correctly, passing &lt;script&gt;alert('This is a bad script, data');&lt;/script&gt; to the server.
But if the user goes into the browser developer tools (using Inspect Element) and adds the script element back directly in the editor's markup, this is when all the trouble starts. When the content is later retrieved from the DB and displayed in the browser, it presents the alert box.
So far I have tried many different things. One of them is: encode the contents using AntiXssEncoder [HttpUtility.HtmlEncode(Contents)], store that in the database, and when displaying back in the browser, decode and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))] or Html.Raw [Html.Raw(Contents)]. As you may expect, both of them display the JavaScript alert.
I don't want to replace the <script> tag manually through code, as that is not a comprehensive solution (search for "And the encoded state:").
So far I have referred to many articles (sorry, not listing them all here, just a few as proof that I put in sincere effort before writing this question), but none of them show code for the answer. Maybe there is an easy answer and I am not looking in the right direction, or maybe it is not that simple at all and I need to use something like Content Security Policy:
ASP.Net MVC Html.Raw with AntiXSS protection
Is there a risk in using @Html.Raw?
http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/
http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/
To reproduce what I am saying, go to *this url, type <script>alert('This is a bad script, data');</script> in the text box, and click the button.
*This link is from Michael Kennedy's blog
It isn't easy, and you probably don't want to do this. May I suggest you use a simpler language than HTML for end-user formatted input? What about Markdown, which (I believe) is used by Stack Overflow? Or one of the existing wiki or other lightweight markup languages?
If you do allow Html, I would suggest the following:
only support a fixed subset of Html
after the user submits content, parse the Html and filter it against a whitelist of allowed tags and attributes (a minimal sketch follows this list).
be ruthless in filtering, and eliminate anything that you aren't sure about.
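To make the whitelist idea concrete, here is a minimal sketch in JavaScript. It is illustrative only: the allowed sets are assumptions, in ASP.NET you would do this server-side with a real library (see below), and a production filter must also validate attribute values, e.g. reject javascript: URLs in href:
// Drop any tag not on the whitelist; strip any attribute not on the whitelist.
var ALLOWED_TAGS = { P: true, B: true, I: true, A: true, UL: true, OL: true, LI: true };
var ALLOWED_ATTRS = { href: true, title: true };

function whitelistFilter(html) {
  var doc = new DOMParser().parseFromString(html, "text/html");
  var elements = Array.prototype.slice.call(doc.body.querySelectorAll("*"));
  elements.forEach(function (el) {
    if (!ALLOWED_TAGS[el.tagName]) {
      if (el.parentNode) el.parentNode.removeChild(el); // be ruthless
      return;
    }
    Array.prototype.slice.call(el.attributes).forEach(function (attr) {
      if (!ALLOWED_ATTRS[attr.name]) el.removeAttribute(attr.name);
    });
  });
  return doc.body.innerHTML;
}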
There are existing tools and libraries that do this. I haven't used it, but I did stumble on http://htmlpurifier.org/, and I assume there are many others. Rick Strahl has posted one example for .NET, but I'm not sure whether it is complete.
About ten years ago I attempted to write my own whitelist filter. It parsed and normalized the entered Html, then removed any elements or attributes that were not on the allowed whitelist. It worked pretty well, but you never know what vulnerabilities you've missed. That project is long dead, but if I had to do it over I would use an existing, simpler markup language rather than Html.
There are so many ways for users to inject nasty stuff into your pages that you have to be fierce to prevent it. Even CSS can be used to inject executable expressions into your page, like:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Here is a page with a list of known attacks that will keep you up at night. If you can't filter and prevent all of these, you aren't ready for untrusted users to post formatted content viewable by the public.
Right around the time I was working on my own filter, MySpace (wow, I'm old) was hit by an XSS worm known as Samy. Samy used style attributes with an embedded background URL that carried a JavaScript payload. It is all explained by the author.
Note that your example page says:
"This page is meant to accept and display raw HTML by trusted editors."
The key issue here is trust. If all of your users are trusted (say, employees of a web site), then the risk here is lower. However, if you are building a forum or social network or dating site or anything that allows untrusted users to enter formatted content that will be viewable by others, you have the difficult job of sanitizing Html.
I managed to resolve this issue using the HtmlSanitizer NuGet package:
https://github.com/mganss/HtmlSanitizer
as recommended by the OWASP Foundation (as good a recommendation as I need):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
First, add the NuGet Package:
> Install-Package HtmlSanitizer
Then I created an extension method to simplify things:
using Ganss.XSS;
...
public static string RemoveHtmlXss(this string htmlIn, string baseUrl = null)
{
if (htmlIn == null) return null;
var sanitizer = new HtmlSanitizer();
return sanitizer.Sanitize(htmlIn, baseUrl);
}
I then validate within the controller when the HTML is posted:
var cleanHtml = model.DodgyHtml.RemoveHtmlXss();
AND for completeness, sanitise whenever you present it to the page, especially when using Html.Raw():
<div>@Html.Raw(Model.NotSoSureHtml.RemoveHtmlXss())</div>
I am making a simple CMS to use in my own blog and I have been using the following code to display articles.
xmlhttp.onreadystatechange=function(){
if (xmlhttp.readyState==4 && xmlhttp.status==200){
document.getElementById("maincontent").innerHTML=xmlhttp.responseText;
}
}
What it does is send a request to the server, get the content associated with the article that was clicked, and write it into the main viewing area with .innerHTML.
Thus I don't have actual links to other articles. I know that I can use PHP to output HTML so that it forms a link like:
<a href="getcontent.php?q=article+title">Article Title</a>
But being slightly OCD, I wanted my output to be as neat as possible. Although search engine visibility is not a concern for my personal blog, I intend to adapt this for a few other sites where search engine optimization is a priority.
From what I understand, search engine robots basically follow links to index websites.
My question is:
Does this practice have any negative implications for search engine visibility? Also, are there other reasons for preferring one approach over the other? I see that almost every site uses the 'link' method.
The link you've written will cause a page reload. In order to leverage the standard AJAX stuff you've got at the top, you need to write the links as something along the lines of:
<a href="#" onclick="ajaxGet('article-title'); return false;">Article Title</a>
This assumes you have a javascript function called ajaxGet that takes an argument of the identifier for the article you're searching for.
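A sketch of such a function, reusing the pattern from the question; the name ajaxGet and the getcontent.php?q= URL come from this thread, the rest is assumed:
// Fetch an article by identifier and write it into the main viewing area.
function ajaxGet(articleId) {
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      document.getElementById("maincontent").innerHTML = xmlhttp.responseText;
    }
  };
  xmlhttp.open("GET", "getcontent.php?q=" + encodeURIComponent(articleId), true);
  xmlhttp.send();
}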
If you were to write your entire site that way, search engines wouldn't be able to crawl you at all since they don't execute javascript. Therefore they can't get to anything off the front page. Also, even if they could follow the links, they'd have no way of referencing the page they got to since it doesn't have a unique URL. This is also annoying for users, since they can't get a link to an exact story to bookmark, send to a friend etc.
We're building a user-generated-content site where we want to allow users to embed things like videos, SlideShares, etc. Can anyone recommend a generally accepted list of tags/attributes to allow in Rails sanitize that will give us pretty good security, while still allowing a good amount of embeddable content and HTML formatting?
As long as <script> is turned off, you should be able to allow objects. You might even be able to define the acceptable parameters of object tags, so that you allow only a whitelist and arbitrary objects cannot be included.
However, it may be better to provide some UI support for embedding. For example, I prompt the user for a YouTube URL and then derive the embed code for the video from that.
Several benefits:
- the default YouTube embed code is not standards-compliant, so I can construct my own object markup
- I have complete control over the way embedded elements are included in the output page
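A sketch of that derivation in JavaScript. This is illustrative: the regex and the iframe player form are assumptions, and the approach described above built object markup instead:
// Derive an embed snippet from a user-supplied YouTube watch URL.
function youtubeEmbed(url) {
  var match = url.match(/[?&]v=([\w-]{11})/);
  if (!match) return null; // not a recognizable watch?v= URL
  return '<iframe width="560" height="315"' +
         ' src="https://www.youtube.com/embed/' + match[1] + '"' +
         ' frameborder="0" allowfullscreen></iframe>';
}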
Honestly, allowing users to use WYSIWYG HTML editors might sound good, but in practice it just doesn't work well for either users or developers. The reasons are:
Behavior still differs too much between browsers.
A whitelist lets you secure the site, but users will end up calling and asking you to allow yet another parameter for the OBJECT tag or similar. Blacklists are just not secure.
Not many users know what an HTML tag is.
For users it is hard to format text (how can you tell them to use HEADER instead of BOLD+FONT-SIZE?).
Generally it is pretty painful, and you cannot really change the site design later because users did not use HTML properly.
If I were building a CMS-like system now, I would probably go with semantic markup.
Most users get used to it quickly, and it is just plain text (as here at SO).
Also, YOU can generate proper HTML and support the tags you need.
For example, if you need to embed a picture you might write something like:
My Face:image-http://here.there/bla.gif
Which would generate HTML for you like this:
<a class='image-link' title='My Face' href='http://here.there/bla.gif'>
<img alt='My Face' src='http://here.there/bla.gif' />
</a>
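Parsing one such rule really is small. A minimal sketch, using the Title:image-URL syntax invented above; real code must escape the title and URL before emitting HTML:
// Convert the "Title:image-URL" shorthand into a linked image.
function renderImageMarkup(text) {
  return text.replace(/([^:\n]+):image-(\S+)/g, function (m, title, url) {
    return "<a class='image-link' title='" + title + "' href='" + url + "'>" +
           "<img alt='" + title + "' src='" + url + "' /></a>";
  });
}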
There are plenty of markup languages around, so just pick the one that is most appropriate for you and add your own modifications.
For example, GitHub uses a modified Markdown, and the code to parse it is just a couple of lines.
One disadvantage is that users need to learn the language, and it is NOT WYSIWYG.
Regards,
Dmitriy.
There's a great project for this. It even has embed analysis, to allow only YouTube embeds, for example:
https://github.com/rgrove/sanitize