ZF2: Who should escape & delimiter for href when using Url helper? - zend-framework2

When I use url helper to generate url for route with query params and then add that url to link href, validator warns me, that there is unescaped & in attribute:
▲
I tried to search but still I'm not sure who is responsible for escaping that.
Router generates url but that might be used anywhere, not only in html attribute, so it correctly does no escaping in this case.
Url helper does not change anything in that url but it is meant for use in html so it might be done here
View template - there url is put inside href attribute, so it might be here too
I couldn't find any clue how to decide this and whether to file an issue with zf2 about this.
EDIT: html/php code from paginator
<<
generates html
<<
and from what I found it should be
<<

I would argue that the current behavior (not HTML entity encoding) is correct and it is up to the developer to encode HTML entities, when appropriate.
For instance you may want to use the view helper inside a <script> tag, where the HTML entities would be uncalled for.
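The point made in the answer, as an added example that is not part of the original thread and is written in Ruby rather than ZF2's PHP: the same router-generated URL is encoded differently for an `href` attribute and for a `<script>` block. The route, parameters and helper names are constructed for illustration.

```ruby
require "erb"
require "json"
require "uri"

# Router layer: produces a plain URL and knows nothing about HTML.
def build_url(path, params)
  "#{path}?#{URI.encode_www_form(params)}"
end

# HTML attribute context: entity-encode, so "&" is written as "&amp;".
def href_attr(url)
  %(<a href="#{ERB::Util.html_escape(url)}">next</a>)
end

# <script> context: emit a JavaScript string literal instead. Entities are not
# decoded inside <script>, so "&" stays raw; "<" is written as \u003c so the
# value can never close the script element.
def script_literal(url)
  js = JSON.generate(url).gsub("<") { "\\u003c" }
  "<script>var next = #{js};</script>"
end

# Constructed sample route and query parameters.
SAMPLE_URL = build_url("/items", page: 2, sort: "name")

puts SAMPLE_URL
puts href_attr(SAMPLE_URL)
puts script_literal(SAMPLE_URL)
```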

Related

rails 5.x: add nofollow to all links in 'sanitize'

I am working on a Rails application whose HAML templates frequently make use of a routine called sanitize. I have deduced from context that this routine sanitizes user-controlled HTML. Example:
# views/feed_items/_about.html.haml
%h3 Summary:
.description
  = sanitize @feed_item.description
I want to make this routine add 'rel=nofollow' to all outbound links, in addition to what it's already doing. What is the most straightforward way to do that?
N.B. I am not having any luck finding the definition of this method, or the official configuration knobs for it. The vendor directory has two different HTML sanitizer gems in it and I can't even figure out which one is being used. This is a large, complicated web application that I did not write, and I barely understand Ruby, let alone all of Rails' extensions to it. Please assume I do not know any of the things that you think are obvious.
The sanitizer will strip out the rel tags if they exist.
I ran into a similar issue and added an additional helper method - clean_links to the ApplicationHelper module, and called it after sanitizing the content.
# application_helper.rb
def clean_links html
html.gsub!(/\\2')
html.html_safe
end
This method looks for all <a> tags, and adds rel="nofollow". The html_safe method is necessary or else the HTML will be displayed as a string (it's already been sanitized).
This solution treats all links equally, so if you only want this for links pointing outside the domain, you'll have to update the REGEX accordingly.
In your view: <%= clean_links sanitize(@something) %>
So, first the content is sanitized, then you add the rel="nofollow" tag before displaying the link.
Actually there's a built-in way:
sanitize "your input", scrubber: Loofah::Scrubbers::NoFollow.new

In Rails, which is a better defender against XSS attacks, strip_tags or sanitize?

Assuming no tags are allowed in the user input and we want to sanitize user input before storing it in the database, in Rails, we have the options of using sanitize (whitelist an empty set of tags) and strip_tags.
Which is better against XSS attacks? If something else is even better, what is that? And why is it better?
As of Rails 3 and the fatty beatdown the Rails core dev team took when they made Rails unsafe by default, all strings are now tagged as either safe or unsafe with "unsafe" strings being the default. You only need to think about explicitly managing the "safeness" of strings in Rails when you're writing helpers that output HTML into your template.
Escaping vs Sanitizing:
In this context, escaping means replacing some of the string characters with an HTML escape sequence that will remove the special meaning from the text and cause it to render as regular text. Sanitizing on the other hand, means validating the HTML content to ensure only good HTML tags and attributes are used. Note that sanitizing is inherently less secure than escaping because of this and should only be used where rendered content must contain HTML markup. An example would be a WYSIWYG HTML editor on a textarea that manages code that is later rendered on a page.
Sanitize encodes all tags and strips all attributes (not specifically allowed which is all in your case) from the html string passed to it. It also strips href and src tags with invalid protocols to prevent any abuse of js attributes. Strip_tags on the other hand will strip all supplied tags including comments which sounds like exactly what you want. As long as you're whitelisting params and adding them to your DB properly escaped such as:
Title.where("author = ?", author_id)
and not blindly inserting user input into your db I would be comfortable with how you're set up.

Html.ActionLink() vs. <a> tag

In ASP.NET MVC, for linking standard pages (the ones that do not need special parameters or query string), is there any situation where I should prefer Html.ActionLink() to a standard Link tag?
Thanks.
@Html.ActionLink is tied into the MVC routing definitions. It isn't just a helper for writing an anchor tag, it uses routing to determine what the href looks like and how it's structured.
By using ActionLink you ensure all your links are rendered based on how your MVC routes are configured.
Routing is powerful and can prevent the need of having to have lots of query string variables or hidden fields to pass around data.
Use @Html.ActionLink, in the end the extra effort is negligible.
It's a matter of preference.
Html.ActionLink() is just a HTML Helper which will ultimately render a <a> tag.
I prefer using <a> tag.

HTML Helpers in MVC: How do I render html tags with helper such as ActionLink?

When using ActionLink to render data from database which has HTML tags
(ie <p>)
incorporated in it, ActionLink escapes the tags. What is the best way to handle this?
In valid (X)HTML, paragraph tags are disallowed inside of anchor tags, so I wouldn't expect the framework to allow it.
I don't know that you can turn off the XSS protection in the helper methods, but you can always build your own helper methods. Just make an extension method that hangs off the Html class.
If you just want to render some HTML from the database, you can use <%= ViewData["MyContent"] %> if your controller loads the data into the MyContent view data. Just know that you have to clean this HTML yourself.

UrlEncode of link ids with ASP.NET MVC HtmlHelper extension methods

I have actions that take string id parameters that are based on a username which can include characters that require encoding, for instance "user?1"
If I use ActionLink() to generate the links, passing the string without encoding, it generates a link like this: http:\\localhost\controller\action\user?1, and the action gets passed "user" as the id.
If I UrlEncode() the string before passing it to ActionLink, then the link generated is: http:\\localhost\controller\action\user%253f1 as ActionLink will then encode the '%' character for you. Besides this looking ugly, it then also generates a HTTP Error 400 - Bad Request when following the link which I've not yet tracked down the cause of.
Is there any way that I can generate the url like: http:\\localhost\controller\action\user%3f1?
How about removing the ? character or replacing it with something else like a dash (-) or underscore (_) ?
You should look in the Global.asax.cs file
add another route for your convenience, in this case, the ff. might work:
routes.MapRoute(
    null,
    "{controller}/{action}/user/{id}",
    new { controller = "Home", action = "Index" }
);
I guess this is what you want, to separate the action for each user, but I suggest you use a cookie for this purpose.
PS: Remember to put that one on top of your default route since routing is trying to match from top to bottom.
You can create a jQuery plugin that checks all the links and replaces the char that you need to replace with the new value.
Afterwards, apply this plugin to all the ActionLinks.
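The three cases from the question above (id not encoded, encoded once, encoded twice), as an added example that is not part of the original thread. It is written in Ruby to show the general percent-encoding behaviour, not ASP.NET MVC's own routing code, and the helper names are hypothetical.

```ruby
require "erb"
require "uri"

BASE = "http://localhost" # host taken from the question

# Percent-encode one dynamic path segment ("?" becomes "%3F").
def encode_segment(value)
  ERB::Util.url_encode(value)
end

def action_url(controller, action, id_segment)
  "#{BASE}/#{controller}/#{action}/#{id_segment}"
end

# Simple one-pass percent-decoder (assumption: ASCII input only).
def decode_once(segment)
  segment.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }
end

# What a router receives: the URL is split into path and query first,
# then the last path segment is percent-decoded exactly once.
def received_id(url)
  decode_once(URI.parse(url).path.split("/").last)
end

USER_ID = "user?1" # id from the question

RAW   = action_url("controller", "action", USER_ID)
ONCE  = action_url("controller", "action", encode_segment(USER_ID))
TWICE = action_url("controller", "action", encode_segment(encode_segment(USER_ID)))

[RAW, ONCE, TWICE].each do |url|
  puts "#{url} -> id=#{received_id(url).inspect}"
end
```

Only the once-encoded form round-trips to the original id. `%3F` and the question's `%3f` are equivalent, since hex digits in percent-encoding are case-insensitive.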
