I am inserting html in database for the first time so I need some advice am I making it right and safe.
I have class with property:
[AllowHtml] public property Description {get;set}
In View I have a tinyMCE (on text area) where user input his data.
When I display that html later I use:
#Html.Raw(Model.Description)
I don't know should I do something else to prevent some attack on site.
I have tried to input:
<script>alert('attack');</script>
but nothing happens it saves it in database and display as a normal text later.
Also I wonder if user leave some tag unclosed can he break my layout somehow.
What are smart steps when dealing with scenario like this?
What should happen is that the html should be encoded before it is written to the database. If you look in your database you should see something like this (or at least if things are safe you should):
<script>alert('attack');</script>
Now when this is written to the page by html raw, it appear on screen as it did when it was submitted, but if you inspect the page you will still see the same thing.
ASP.Net actually makes it very difficult to write code that opens your site up to abuse, so you should generally be fine. It is worth doing some more reading around the topic though as it's good stuff to be aware of especially if mentoring others.
Some links:
Preventing Javascript and XSS attacks
http://msdn.microsoft.com/en-us/library/ff649310.aspx
You can use the Microsoft AntiXSS from the Windows Protection Library.
TinyMCE, AntiXSS, MVC3 and GetSafeHtmlFragment
Cheers.
Related
I am working on porting a legacy application (runs on IE 6/compatibility) using jQueryMobile. In the legacy app, they let the user use HTML to format their text for display. I understand that when rendered, they use iFrames so that when the user's HTML doesn't break the whole page (and lose navigation controls etc..,) So the HTML is not always 'clean', but only messes up display in a localized way.
I'm looking for a widget or something that I can pass it a string that may or may not be good HTML, and it will contain any display problems to that area and not break the whole page.
Every user able to enter the HTML has to log into the system, and all changes are logged by user, so we are not concerned about them trying to enter malicious HTML, we just want to protect them from honest mistakes and 'really old' deprecated HTML. And because we run offline (appcache/local database) we don't want to force them to go back to the server and reload data just because they made a mistake with their HTML.
I'm building a web site (using ASP.NET, MVC 3, Razor) and I'm not using an off the shelf CMS. This is because I evaluated a lot of existing CMS's, and found them all to have a massive learning curve, tons of features I didn't need, and they force you into a page oriented model. By "page oriented model", I mean that you can specify a general page layout and stylesheets, but the object that the user can edit is a whole page, which displays, for example, in a central panel, and maybe you can customize the sidebars as well.
But this site is very design centric, and needs to be much more fluid and granular than this. By "design-centric", I mean that the site was built in Photoshop by a graphic designer, and there is heavy use of images and complex styling to map the design to HTML/css/js. Also, every page on the site is totally different. There are also UI elements such as accordion panels, in which we need the user to be able to edit the content of each panel, but certainly not the jQuery+HTML that powers the accordion. The users are subject matter experts but very non-technical.
So I'll have a page with lots of complex layout and styling, which I don't want the user to access, but within this there will be, say, a div containing text that I would like the user to be able to edit.
How can I best accomplish this?
So far, I'm implementing this by having snippets, which are little units of html, stored in external files, that the user can edit. In run mode, these are loaded and displayed inline (with a little "Edit This Content" button if you're logged in and have permissions). If you click the Edit button, you get a little WYSIWYG editing screen, where you can edit and save changes. So I can control all the messy stuff, and put in little placeholders for user editable content. But this isn't entirely simple for me, and I'm wondering if there's a better way.
Don't mean to necro this, but it seems to be the most relevant question to what I'm currently researching. I recently built something similar as you described above, but I'm pulling data from a database instead of static files. For each page (like /about or /contact) in the Controller I pull data for that page from the DB in the form of a Json string key/value pair. Key is the placeholder tag, Value is the.. value. After deserializing, I simply populate a list and assign it to a ViewBag, then in the CSHTML I ViewBag.List.Keyname to grab the text.
I have a small admin control panel which allows me to modify the text in the database. Having little hover-overs like you do is a great idea though!
Well, I stuck with my original plan:
So far, I'm implementing this by having snippets, which are little
units of html, stored in external files, that the user can edit. In
run mode, these are loaded and displayed inline (with a little "Edit
This Content" button if you're logged in and have permissions). If you
click the Edit button, you get a little WYSIWYG editing screen, where
you can edit and save changes. So I can control all the messy stuff,
and put in little placeholders for user editable content. But this
isn't entirely simple for me, and I'm wondering if there's a better
way.
It works reasonably well for now.
I'm studying a solution to manage data coming from a textarea edited by users.
I'll have to give the chance to the users to add some basic HTML tags (links, bold, list and something else).
My big concern is about the security.
The data will be saved in a mySql db.
Any advice in order to avoid as much as possible security problems?
What is the best way to save this kind of text in a database ?
Thank you
The best way to solve this is to make a whitelist of the allowed tags. Through JavaScript you can warn the users that they are entering invalid data, but to secure your data at the server side you need to strip them out of the content. A script tag for example should be handled with care. If you want your users to enter those, and other users to be able to view it, some more complex handling is needed.
A neat solution is to escape all the white listed tags and to encode the other ones as characters, so that a <script> tag becomes <script>. That way, if you output it in your html it won't be seen as a valid tag but as characters placed after each other.
If you need a more specific solution for your own language please provide some more details, but this is sufficient as a global concept.
I have a Rails application that has a search field that allows any visitor to search a database.
I'm hesitant to implement a Captcha because I'd like to keep the site clean and user-friendly.
However, I'd like to make it difficult for bots to try to harvest everything from the database by making tons of consecutive random queries. So I'm considering adding a Captcha that appears only if it looks like this is happening (e.g., the Captcha appears after a few bad searches).
Any suggestions for how to implement this? Should I try to use a session variable or keep track of IP addresses? Would I better off handling this issue at the server level (i.e., with an htaccess file)?
Consider using a honeypot. That means adding a form element that you hide with CSS. Bots cannot see that you've hidden the field and they will fill it in. Normal users will not fill it in.
I'm having some problems with Html.Encode and users wanting to use special characters. Firstly the characters are replaced by the html codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.
Given that this is an intranet site and the possibility of a deliberate attack is almost non-existant, is there really any risk to not using Html.Encode? Is there any possiblity that someone would inadvertently submit some special characters which cause problems?
Or is there a better way around this problem?
Given that this is an intranet site
and the possibility of a deliberate
attack is almost non-existant, is
there really any risk to not using
Html.Encode
Yes, yes and yes again. There's always a risk by someone entering special characters in input fields. The golden rule of web development is never trust user input and always encode anything that might come from an user input.
Check everywhere you are calling Html.Encode as it sounds like you're double encoding your strings (possibly encoding on save and on display or encoding on a template/partial and encoding that again).
And yes always encode your strings even if it's internal, otherwise one disgruntled employee could cause some serious damage.
Firstly the characters are replaced by the html codes and so are not displayed properly
You are double encoding. You actually want to Html.Encode to display the HTML tags the user entered at all. Unless you actually want things like <ul><li> to be a bullet list instead of showing the tags.
And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.
Whatever you did to allow the initial submission of those, will work to allow edit. Again, maybe because of the double encoding, you are getting into further issues.
Given that this is an intranet site and the possibility of a deliberate attack is almost non-existant, is there really any risk to not using Html.Encode?
Deep down You already know that way of seeing security is wrong ;)