Say, I am creating a web project. I know where I would use HTML, CSS, JavaScript, and PHP (WAMP).
Now, where and why would I use XML, XHTML/HTML5 (wow, it says vector graphics are possible with HTML5?), and Rails or Pylons?
I'm sorry if this looks like a n00b question. I'm not asking how to learn, or what it is - just where and why in a web project would I - if I have to - use it.
You would use XHTML or HTML5 instead of HTML, because XHTML and HTML5 are specific versions of HTML. HTML5 is the newest one.
You would use Ruby or Python instead of PHP, because you prefer one of them over the other ones.
You would use XML when talking to a foreign web service like Twitter, because you need to serialize data in some way. You can also use JSON instead of XML.
I'd like to implement a WYSIWYG HTML editor in my web application. I looked at the Codeplex AntiXSS by Microsoft for cross-site scripting protection, and the feedback seems really bad.
The alternative I have in mind is converting the input from the editor to RTF and then back to HTML and only then ship it to the database so it can be served later. I understand that this is an incredibly inefficient method, but the question is if that way I can guarantee no scripts at all, or in other words, can this provide me a complete XSS protection?
Should I render a Partial with the information of the current data I have, or send a JSON and let javascript create the elements, with the information found in the JSON?
What's safer and more efficient?
This is really a matter of personal preference. There's no simple single answer as to whether you should use a javascript framework (or even roll your own) on the front end, or to use various rails templates to send the data.
I think if you're building the entire front end in a javascript framework then stay consistent with that. If you're building most of the site with erb or haml templates then stick with that. I'd avoid mixing the two too much, personally.
My site allows site-users to write blog-posts
```csharp
using System.Web.Mvc;

public class BlogPost
{
    // [AllowHtml] turns off request validation for this property only,
    // so the markup produced by the rich text editor reaches the controller.
    // It must be a property: AllowHtmlAttribute targets properties, and the
    // default model binder does not bind public fields.
    [AllowHtml]
    public string Content { get; set; }
}
```
The site is created using a MVC5 Internet application template and uses bootstrap 3 for its CSS. So I decided to use http://jhollingworth.github.io/bootstrap-wysihtml5 to take care of all the JavaScript part of a Rich Text Editor.
It works like a charm. But in order to make the POST happen, I had to add the [AllowHtml] attribute as in the code above. So now I'm scared of dangerous stuff that can get into the database and be in turn displayed to all users.
I tried giving values like <script>alert("What's up?")</script> etc. in the form and it seemed to be fine... the text was displayed exactly the same way (<script> became &lt;script&gt;). But this conversion seemed to be done by the JavaScript plugin I used.
So I used fiddler to compose a POST request with the same script tag and this time, the page actually executed the JavaScript code.
Is there any way I can figure out vulnerable input like <script> and even Link...?
Unfortunately, you have to sanitize the HTML yourself. See these on how people did it:
How to sanitize input from MCE in ASP.NET? - whitelist using Html Agility Pack
.NET HTML Sanitation for rich HTML Input - blacklist using Html Agility Pack
An alternative to accepting HTML is to accept markdown or BBCode instead. Both of them are widely used (markdown is used by stackoverflow!) and eliminate the need to sanitize the input. There are rich editors available too.
Edit
I found that Microsoft Web Protection Library can sanitize HTML input through AntiXss.GetSafeHtml and AntiXss.GetSafeHtmlFragment.
Documentation is really poor though and seems like you can't configure which tags are valid.
I faced the same problem sanitizing wysihtml5 content on the server side. I was rather charmed by how wysihtml5 performed client-side sanitization and implemented this using Html Agility Pack: HtmlRuleSanitizer on Github
Also available as a NuGet package.
The reason for not using Microsoft's AntiXss is that it's not possible to enforce more detailed rules like what to do with tags. This results in tags being completely deleted when it for example would make sense to preserve the textual content. In addition I wanted to have a whitelisting approach on everything (CSS, tags and attributes).
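Added example, not code from the question or from the HtmlRuleSanitizer project linked above: a minimal whitelist sanitizer over Html Agility Pack that shows the approach both answers describe for the [AllowHtml] content. Unknown tags are unwrapped so their text survives, script-like tags are dropped with their content, and attributes are whitelisted per tag with href restricted to http(s) or relative URLs; the tag and attribute lists are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

// Whitelist sanitizer: anything not explicitly allowed is removed or unwrapped.
public static class HtmlWhitelistSanitizer
{
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "a" };
    static readonly Dictionary<string, HashSet<string>> AllowedAttrs =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } } };
    // Content of these tags is never user-visible text, so it is dropped rather than unwrapped.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed", "noscript" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    static void Clean(HtmlNode parent)
    {
        foreach (var node in parent.ChildNodes.ToList()) // ToList: the collection is mutated below
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;   // text nodes stay as parsed
            if (DropWithContent.Contains(node.Name)) { node.Remove(); continue; }
            Clean(node);                                            // sanitize descendants first
            if (!AllowedTags.Contains(node.Name)) { parent.RemoveChild(node, true); continue; } // unwrap, keep text
            HashSet<string> allowed; AllowedAttrs.TryGetValue(node.Name, out allowed);
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = allowed != null && allowed.Contains(attr.Name);
                if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                    keep = IsSafeUrl(HtmlEntity.DeEntitize(attr.Value)); // decode entities before checking
                if (!keep) attr.Remove();
            }
        }
    }

    // Only http, https and relative URLs survive; javascript:, data:, vbscript: etc. are rejected.
    static bool IsSafeUrl(string url)
    {
        string u = new string(url.Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray()).ToLowerInvariant();
        int colon = u.IndexOf(':'), stop = u.IndexOfAny(new[] { '/', '?', '#' });
        if (colon < 0 || (stop >= 0 && stop < colon)) return true;  // no scheme: relative URL
        return u.Substring(0, colon) == "http" || u.Substring(0, colon) == "https";
    }
}
```

Call HtmlWhitelistSanitizer.Sanitize(model.Content) in the controller before saving, so the Fiddler-composed request from the question is cleaned server-side regardless of what the editor did client-side.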
I am trying to create a simple app, but it gives me a headache to implement a simple plugin like a tab bar, so I have created it using simple HTML.
So my question is, if I create my app using simple HTML, not even using HTML5, then does it make any difference? Does Apple approve it?
No. It shouldn't matter.
HTML5 adds more features to HTML. So any browser which can render HTML5 can render HTML too. But why don't you use the new HTML5 features? Anyway, if you stick to HTML, you miss out on the ability to use any HTML5-based libraries.
Is there a templating language that has both server-side ruby (pref. rails) and JS renderer?
Here is why this would be useful: Consider you want to display a big list of songs. You render the first 50 and a "show more" button.
"Show more" would link to the next 50 songs or would load those with AJAX if JavaScript is enabled.
The simple solution is to return a rendered piece of HTML from the server, but consider how nice it would be if songs were returned as JSON and then were rendered using the same template on the client side.
Mustache.
It is Ruby based but there are several different implementations, including JS.
hamlc supports both sides...
slim has a client-side version too; it is called skim.
Node.js offers the appeal of using javascript on both the server and client side. If you are looking for something more ruby-on-rails like, then check out express.js which is a web-framework built on Node.js. Both of these are server-side frameworks but they offer libraries which can be used on the client side.
Something to keep in mind is that if you are rendering views from JSON data on the client side then you will need to have the client load the javascript libraries to perform these operations and then render the views - which may be a costlier operation. That said, if your view is simple enough, you can always write a simple javascript function of your own to render your JSON data rather than relying on an entirely new framework and view renderer.