You can see a live example of my little ASP.NET MVC3/Razor app here.
The text boxes and textareas all have the following attribute to require just word characters. The form uses jquery-validate.js.
pattern = @"\w{1,50}" // 50 characters, etc.
In Firefox only (v13.0.1) these fields are getting highlighted as if they are invalid when they include spaces, or characters like dots, both of which should be legit characters. Why just this browser and how should I correct it? Should I be using a different pattern?
UPDATE: I realized that it is the built-in HTML5 "pattern" attribute that is being handled differently by Firefox, which is why the form still submits OK.
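The pattern attribute is applied by the browser as ^(?:pattern)$, i.e. the whole field value has to match, and \w covers only letters, digits and underscore, so a space or a dot anywhere in the value fails it. The following Ruby script (an added example, not code from the question or from jquery-validate) reproduces that matching rule, tries the question's pattern against a few inputs, and shows the server-side twin of the check; the alternative pattern [\w .]{1,50} is an assumption for illustration.

```ruby
# Reproduce how a browser evaluates the HTML5 `pattern` attribute: the value is
# compiled as ^(?:pattern)$, so the whole string must match. Ruby's \w is
# [A-Za-z0-9_], the same set as JavaScript's, so "hello world" and "file.txt"
# fail "\w{1,50}" in every browser that enforces the attribute.
def html5_pattern_match?(pattern, value)
  # \A and \z are true string anchors. Ruby's ^ and $ are line anchors, so a
  # value such as "ok\n<b>x</b>" would slip past ^\w{1,50}$ but not \A\w{1,50}\z.
  Regexp.new("\\A(?:#{pattern})\\z").match?(value)
end

WORD_ONLY      = '\w{1,50}'      # the pattern quoted in the question
WORD_SPACE_DOT = '[\w .]{1,50}'  # assumed alternative that also admits spaces and dots

# Evaluate one value against both patterns.
def classify(value)
  {
    word_only:      html5_pattern_match?(WORD_ONLY, value),
    word_space_dot: html5_pattern_match?(WORD_SPACE_DOT, value),
  }
end

# Server-side twin of the client check. The pattern attribute is only a UI
# hint (the update notes the form still submits), so the same anchored regex
# has to run on the server before the value is stored.
def valid_name?(value)
  value.is_a?(String) && html5_pattern_match?(WORD_SPACE_DOT, value)
end

if __FILE__ == $PROGRAM_NAME
  ["hello", "hello world", "file.txt", "ok\n<b>x</b>"].each do |v|
    puts "#{v.inspect}: #{classify(v)}"
  end
end
```

Whatever pattern the form ends up with, copy the same anchored expression into the model or controller validation; the attribute alone rejects nothing on the server.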
Assuming no tags are allowed in the user input and we want to sanitize user input before storing it in the database, in Rails, we have the options of using sanitize (whitelist an empty set of tags) and strip_tags.
Which is better against XSS attacks? If something else is even better, what is that? And why is it better?
As of Rails 3 and the fatty beatdown the Rails core dev team took when they made Rails unsafe by default, all strings are now tagged as either safe or unsafe with "unsafe" strings being the default. You only need to think about explicitly managing the "safeness" of strings in Rails when you're writing helpers that output HTML into your template.
Escaping vs Sanitizing:
In this context, escaping means replacing some of the string characters with an HTML escape sequence that will remove the special meaning from the text and cause it to render as regular text. Sanitizing, on the other hand, means validating the HTML content to ensure only good HTML tags and attributes are used. Note that sanitizing is inherently less secure than escaping because of this and should only be used where rendered content must contain HTML markup. An example would be a WYSIWYG HTML editor on a textarea that manages code that is later rendered on a page.
Sanitize encodes all tags and strips all attributes (not specifically allowed, which is all of them in your case) from the HTML string passed to it. It also strips href and src tags with invalid protocols to prevent any abuse of JS attributes. Strip_tags, on the other hand, will strip all supplied tags, including comments, which sounds like exactly what you want. As long as you're whitelisting params and adding them to your DB properly escaped, such as:
Title.where("author = ?", author_id)
and not blindly inserting user input into your DB, I would be comfortable with how you're set up.
I'm working on a webmail alike application.
What is the best solution to escape 'bad' characters and strings like '' etc.?
Common HTML-Tags such as ul, br, img etc. should still be interpreted by the browser as valid HTML.
I already played around with rgrove/sanitize but the results weren't promising; besides, I need to escape, not sanitize, the bad characters.
-e-
I'm using DHTMLX; maybe I can use one of its components?
-e2-
I now display the mail content in an iframe, but I still need to get rid of JavaScript in the mails. Any help?
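Both the Rails question above (sanitize with an allowlist versus strip_tags) and this webmail one (keep ul, br, img and friends, drop the JavaScript) come down to the same mechanism: an allowlist of tags and attributes, everything else escaped or dropped, and a scheme check on href/src. The following Ruby script is a teaching implementation added here for this page; it is not the code of the Rails sanitize helper or of rgrove/sanitize, and the tag list, the scheme list and the sample inputs are assumed. It uses only the standard library so it runs on its own.

```ruby
require "cgi"
require "strscan"

# Allowlist: tag name => attributes that may survive. Anything not listed here
# (script, iframe, style, on* handlers, ...) is discarded by construction.
ALLOWED_TAGS = {
  "p"   => [],
  "b"   => [],
  "ul"  => [],
  "li"  => [],
  "br"  => [],
  "img" => %w[src alt],
  "a"   => %w[href],
}.freeze
VOID_TAGS    = %w[br img].freeze
SAFE_SCHEMES = %w[http https mailto].freeze

# Reject javascript:, data:, vbscript: and similar URL schemes. Whitespace and
# control characters are removed first because a browser still runs
# "java\tscript:" after an entity such as &#x09; has been decoded.
def url_allowed?(value)
  normalized = value.gsub(/[\x00-\x20]/, "").downcase
  scheme = normalized[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme)   # relative URLs carry no scheme
end

# Rebuild an opening tag keeping only allowlisted attributes, re-escaped.
def rebuild_tag(name, raw_attrs)
  allowed = ALLOWED_TAGS[name]
  pairs = raw_attrs.scan(/([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/)
  kept = pairs.filter_map do |attr, dq, sq, unq|
    attr = attr.downcase
    next unless allowed.include?(attr)
    value = CGI.unescapeHTML(dq || sq || unq)   # decode entities before the scheme check
    next if %w[href src].include?(attr) && !url_allowed?(value)
    %( #{attr}="#{CGI.escapeHTML(value)}")
  end
  "<#{name}#{kept.join}>"
end

# Walk the input token by token: comments are dropped, unknown tags are
# dropped, allowed tags are rebuilt, and all text is HTML-escaped.
def sanitize_html(html)
  s = StringScanner.new(html)
  out = +""
  until s.eos?
    if s.scan(/<!--.*?(?:-->|\z)/m)
      # comment: dropped entirely
    elsif s.scan(%r{</([a-zA-Z][a-zA-Z0-9]*)\s*>})
      name = s[1].downcase
      out << "</#{name}>" if ALLOWED_TAGS.key?(name) && !VOID_TAGS.include?(name)
    elsif s.scan(/<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/)
      name = s[1].downcase
      out << rebuild_tag(name, s[2]) if ALLOWED_TAGS.key?(name)
    elsif s.scan(/[^<]+/)
      out << CGI.escapeHTML(s.matched)           # text is never trusted
    else
      out << "&lt;"                               # a "<" that does not start a tag
      s.getch
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a mail body mixing wanted markup with unwanted script.
  puts sanitize_html('<p>Hi <b>there</b></p><script>alert(1)</script>' \
                     '<img src="x.png" onerror="alert(1)"><a href="javascript:alert(1)">x</a>')
end
```

The point of the structure is the one the Rails answer makes: text goes through escaping unconditionally, and markup is reconstructed from an allowlist rather than cleaned by a denylist, so a tag or attribute nobody thought of is dropped rather than passed through. A regex tokenizer like this one does not implement the HTML5 parsing algorithm, which is why the Rails helper and rgrove/sanitize are built on a real parser (Nokogiri); the same rules apply there, with a configurable list.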
I am developing a site in mvc4 where the content of the site includes both latin and cyrillic characters. Both are included in markup and both display correctly on screen.
However, within the markup, I have seen issues with cyrillic where URLs, for example, are like the following:
/%d1%81%d0%bf%d0%b8%d1%81%d0%be%d0%ba%20%d0%bf%d0%be%d0%b6%d0%b5%d0%bb%d0%b0%d0%bd%d0%b8%d0%b9
The URL navigates correctly when clicked, but looks incorrect in the HTML markup. I have the meta charset set to utf-8 in a meta tag.
Any ideas what's causing this?
What you see is the correct %-encoded (aka URL-encoded) form of the URL “/список пожеланий” (as you can see using a decoder). Browsers may display a URL in their address bar as %-encoded, or decoded to characters. HTML authoring software, or the author when editing HTML code manually, should take care of %-encoding anything that needs to be %-encoded at the HTTP protocol level, such as href attribute values.
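To make the two layers concrete, here is a Ruby script (an added example, not part of the question or answer) that percent-encodes a path segment by segment, decodes such a path back to characters, and builds an href attribute value from it. The path “/список пожеланий” is the one from the question; the query-string sample is constructed. Only the standard library is used.

```ruby
require "erb"
require "cgi"
require "uri"

# Percent-encode a path. Each segment is encoded on its own so the "/"
# separators survive; every UTF-8 byte outside the unreserved set becomes %XX.
def encode_path(path)
  path.split("/", -1).map { |segment| ERB::Util.url_encode(segment) }.join("/")
end

# Reverse: turn each %XX back into a byte, then read the bytes as UTF-8.
# Refuse output that is not valid UTF-8 instead of passing garbage along.
def decode_path(encoded)
  decoded = encoded.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.force_encoding("UTF-8")
  raise ArgumentError, "not valid UTF-8 after decoding" unless decoded.valid_encoding?
  decoded
end

# An href attribute needs both layers: %-encoding at the URL level, then
# HTML escaping at the markup level (the "&" between query parameters is
# what the second layer is for).
def href_attribute(path, query = nil)
  url = encode_path(path)
  url += "?" + URI.encode_www_form(query) if query
  %(href="#{CGI.escapeHTML(url)}")
end

if __FILE__ == $PROGRAM_NAME
  encoded = encode_path("/список пожеланий")
  puts encoded
  puts decode_path(encoded)
  puts href_attribute("/a b", { "a" => "1", "b" => "2" })
end
```

Encoding per segment rather than the whole string is deliberate: a blanket encoder turns the path separators into %2F and changes the meaning of the URL.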
I am having trouble using the tinymce editor with Rails 3. I want to show text in bold letters and am having trouble using tags; when I write something in p tags it should go to the next paragraph. In my case these tags are not working: it remains on the same line and displays the p tags on the site page.
The usual suspect when it comes to Rails 3 printing raw HTML output to the site is that someone forgot to call html_safe on whatever text should be printed.
So if you have a @my_model_instance.description that you edit with tinymce, you might want to make the view look like @my_model_instance.description.html_safe or, as they suggest in the comment on the documentation, raw(@my_model_instance.description).
If the text is coming from user input, however, you might want to be a bit cautious, since it might be possible for users to input all sorts of nasty injection hacks this way.
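The behaviour behind this answer, and behind the earlier Rails answer's "strings are tagged as safe or unsafe", can be shown in a few lines of Ruby. The class below is an added teaching model written for this page, not Rails' ActiveSupport::SafeBuffer: plain Strings are escaped when appended to the output buffer, html_safe and raw opt a string out of escaping, and the render_description helper (assumed, for illustration) shows the two outcomes for a description that contains markup.

```ruby
require "cgi"

# Output buffer that trusts only strings carrying the safe tag.
class SafeBuffer < String
  def initialize(str = "")
    super(str)
  end

  def html_safe?
    true
  end

  # Anything appended is escaped unless it already carries the safe tag.
  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)
    else
      super(CGI.escapeHTML(other.to_s))
    end
  end
end

class String
  # Ordinary strings are untrusted: user input, database columns, params.
  def html_safe?
    false
  end

  # Opt in to trusting this string, as String#html_safe does in Rails.
  def html_safe
    SafeBuffer.new(self)
  end
end

# The raw() helper from the answer: the same opt-in, spelled as a function.
def raw(str)
  str.to_s.html_safe
end

# Render a description the way a view would. `trusted` stands in for the
# decision the answer describes: call html_safe or raw only for markup you
# control; leave user-supplied text to the default escaping.
def render_description(description, trusted: false)
  buf = SafeBuffer.new("<div class=\"description\">")
  buf << (trusted ? raw(description) : description)
  buf << "</div>".html_safe
  String.new(buf)
end

if __FILE__ == $PROGRAM_NAME
  puts render_description("<b>bold</b>")                  # tags shown literally
  puts render_description("<b>bold</b>", trusted: true)   # tags rendered
end
```

Seen this way, the symptom in the question (p tags printed on the page) is the default doing its job; html_safe or raw is the explicit statement that this particular string was produced under your control.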
We have translated one of our pages to french and all the html within the page displays flawlessly. That said, there is a javascript table (ext js) and the accented characters are not displaying correctly. The page is encoded UTF-8 in the HTML meta tags, but when I look inside FireBug, I see the following:
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
I'm guessing the problem is related to the ISO-8859-1 having worked its way back in. Does anyone know why the page itself would display fine, but the text inside the javascript component wouldn't? Do you somehow specify the encoding separately for the javascript files?
The Accept-Charset tag gives a set of encodings that are accepted -- if all the data sent is encoded UTF-8, then don't worry about it.
Can you elaborate on exactly what is happening?
You say "javascript table" -- I presume you are constructing an HTML table in JS and placing it in the DOM? Please elaborate, especially w.r.t. any character conversions. Are you building HTML text or building with DOM elements with attributes?
Where does the JS get its data? If with AJAX, have you verified the Encoding for that page?
Does the JS use encode() or decode()? Those don't handle UTF-8 correctly.
EDIT:
Type the URL to the JS code in your browser, and look at "Page Info" to see its encoding. I'll bet it is ISO-8859-1, which would explain the header problems.
Next, check the encoding of the AJAX data. If it's dynamically created you can:
Enable "Show XMLHttpRequests" in FireBug's console,
Load your base HTML page,
Open the FireBug console tab,
Expand the AJAX GET/POST request and open the Response sub-tab,
Check the Encoding for the data, and fix as needed.
BTW, I'm having similar problems and haven't entirely ironed out the issues (still not sure the source data isn't badly encoded).
It's possible that the ext. JS file strips out unrecognised characters as a security precaution.
The "Accept-Charset" header can be specified in a number of places, including as an attribute in certain HTML elements. Have you performed a search for Accept-Charset (case insensitive) in the offending file?
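The checks the answer above walks through in FireBug can be done directly on the bytes of the JS or AJAX resource. The Ruby script below is an added example, not code from the question or any answer: it decides whether a resource's bytes are UTF-8 or ISO-8859-1, shows what accented text looks like when read with the wrong charset (which is how you tell which side of the mismatch is at fault), and compares the charset a response advertises against its bytes. The byte samples are constructed.

```ruby
# Decode a resource's raw bytes to UTF-8 text. Valid UTF-8 is kept as it is;
# anything else is treated as ISO-8859-1 (every byte is a character there)
# and transcoded, which is what a "charset=utf-8" response should have done.
def decode_to_utf8(bytes)
  text = bytes.dup.force_encoding("UTF-8")
  return text if text.valid_encoding?
  bytes.dup.force_encoding("ISO-8859-1").encode("UTF-8")
end

# What UTF-8 text looks like when a component reads it as ISO-8859-1:
# "é" (C3 A9) shows as "Ã©". If the table shows this, the data is fine and
# the consumer is reading it with the wrong charset.
def as_read_as_latin1(utf8_text)
  utf8_text.encode("UTF-8").b.force_encoding("ISO-8859-1").encode("UTF-8")
end

# What ISO-8859-1 bytes look like when read as UTF-8: the byte E9 is not
# valid UTF-8 and is shown as U+FFFD. If the table shows this, the data file
# itself is the one in the wrong encoding.
def as_read_as_utf8(latin1_bytes)
  latin1_bytes.dup.force_encoding("UTF-8").scrub("\uFFFD")
end

# Pull the charset out of a Content-Type header or meta tag value.
def declared_charset(content_type)
  content_type[/charset\s*=\s*"?([A-Za-z0-9._-]+)/i, 1]&.downcase
end

# Compare label against bytes. Pure ASCII is consistent with any label;
# otherwise the label must say utf-8 exactly when the bytes are valid UTF-8.
def charset_report(bytes, content_type)
  label = declared_charset(content_type)
  utf8_valid = bytes.dup.force_encoding("UTF-8").valid_encoding?
  ascii_only = bytes.b.ascii_only?
  consistent = !label.nil? && (ascii_only || (label == "utf-8") == utf8_valid)
  { declared: label, valid_utf8: utf8_valid, consistent: consistent, text: decode_to_utf8(bytes) }
end

if __FILE__ == $PROGRAM_NAME
  utf8_bytes   = [0x63, 0x61, 0x66, 0xC3, 0xA9].pack("C*")  # "café" in UTF-8
  latin1_bytes = [0x63, 0x61, 0x66, 0xE9].pack("C*")        # "café" in ISO-8859-1
  puts decode_to_utf8(utf8_bytes), decode_to_utf8(latin1_bytes)
  puts as_read_as_latin1("café"), as_read_as_utf8(latin1_bytes)
  p charset_report(utf8_bytes, "text/javascript; charset=ISO-8859-1")
end
```

Run charset_report over the page, the JS file and the AJAX response in turn; the one whose consistent flag is false is the resource whose declared encoding and actual bytes disagree, and the Accept-Charset request header plays no part in that.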