I have extended the pages table with one text field named TypoScript.
My intention was to use this field in TMENUs so that I can display arbitrary content as — for example — a dropdown for that page.
I know how to parse and output TypoScript in an extension, but I'm not sure if there's a way to do that in TypoScript alone.
So, in summary: Is it possible to have a TypoScript string and parse and output it in TypoScript?
You have to use a user function for that.
To be more specific, you have to use either the USER or the USER_INT content object.
Related
I want to use the output of {{Special:Editcount/User}} in #expr to calculate something. But of course the output is handled as a string, even if I split it into its figures with #sub. So how can I make it being recognized as int? Any idea?
Try {{formatnum|{{Special:Editcount/<user>}}|R}} (docs).
You cannot do that, because embedded special pages such as {{Special:Editcount}} are filled out at load time, after the Wikitext has already been parsed. In order to parse such content you will need runtime JavaScript.
I am wondering if it is consider good practice to encode user input to database.
Or is it ok to not encode to user input instead.
Currently my way of doing it is to encode it when entering database and use Html.DisplayFor to display it.
No. You want to keep the input in its original form until you need it and know what the output type is. It might be HTML for now, but later if you want to change it to json, text file, xml, etc the encoding might make it look different then you want.
So, first you want to make sure you are securely validating your input. It is a good idea to know what are the requirements for each of your inputs and validate that they are withing the correct length, range, character set, etc. It will be to your interest to limit the type of characters that are allowed as valid characters of an input type. (If using Regular Expressions to validate input ensure you do not use a regular expressions that is susceptible to a Regular Expression Denial of Service.
When moving the data around in your code ensure that you are properly handling the data in a manner that it will not turn into an Injection Attack.
Since you are talking about a database, the best practice is to use paramaterized statements. Check out the prevention methods in the above link.
Then when it comes outputting using MVC, if you are not using RAW or MvcHtmlString functions/calls, then the output is automatically encoded. With the automatic encoding, you want to make sure you are using the AntiXss encoder and not the default (whitelist approach vs. blacklist). Link
If you are using Raw or MvcHtmlString, you want to make sure you COMPLETE TRUST the values (you hard coded them in) or you manually encode them using the AntiXss Encoder class.
No it is not necessary to encode all the user inputs, rather if you want to avoid the script injection either you my try to validate the fields for special characters like '<', '>', '/', etc. else your Html helper method itself will do the needful.
I am just starting a very basic program in Grails (never used it before, but it seems to be very useful).
What I have so far is:
in X.groovy,
a String named parameters, with constraint of maximum length 50000 and a couple other strings and dates, etc.
in XController.groovy,
static scaffold = X;
It displays the scaffold UI (very handy!), and I can add parameter strings and the other objects associated with it.
My problem is that the parameters string is a long string with formatting that is pasted in by the user. When it is displayed on the browser, however, it does not retain any carriage returns.
What is the best way to go about this? I'm a very beginner at Grails and still have lots and lots of learning to do on this account. Thanks.
The problem is that the string is being displayed using HTML which doesn't parse \n into a new line by default. You need to wrap the text in <pre> (see: http://www.w3schools.com/tags/tag_pre.asp) or replace the \n with <br/> tags to display it correctly to the user.
Is there a way to get a list of sections defined in a layout file? For example, if I want to know what sections are defined in my Shared/_Layout.cshtml file is there a way to parse that Layout file so that I know what sections exist in the layout?
There's no built-in function I'm aware of because the name isn't necessarily known without executing the view.
You can probably just run a regular expression over your layouts, like
[^#]#RenderSection\(\s*"(?<name>[^"]+)"\s*\)
which accepts #RenderSection("foo") or #RenderSection( "foo" ), but skips ##RenderSection (the ## escaped #).
However, this assumes that the name of the section is passed in as a string literal. The view could also look like (not your typical situation, but possible):
#RenderSection(Model.SectionName)
In that case you're pretty much lost.
I want to display raw data of one value from database. Table is quite big, with a lot of data and i need only 5 columns on index page. So i defined needed columns in criteria and used doSelectStmt with pager to paginate result.
Im displaying it like this:
http://pastebin.com/bccSkjs1
TEXT field contains some HTML and i want to display it normally (not escaped). However, 3 other fields (not show in code above) have to be escaped, because they can have some html too, but it cannot by interpreted as html.
I know that in normal object, i can do: $sf_data->getRaw("foo")->getBar() instead of $foo->getBar() to get expected result.
But how i can get same, when i dont have normal object, only array of data like in this case?
I know i can do $sf_data->getRaw("pager")->getResults() in a foreach, but it will unescape ALL fields which is tottal wrong!
Do you have to access the properties via arrays (which is ugly btw)?
If you were accessing the properties via the object getter methods, you could do:
echo $News->getText(ESC_RAW);
And your text field would be escaped.