I have a bunch of database log messages containing references like Invoice 45 or Case 123 which I want to parse to output links to the appropriate invoice or case when displaying to the user.
These are fairly simple to parse with RegEx and replace with an action link using an ASCX display template, but is there a right way to do this? I imagine this means writing a parser to tokenise the string and prevent any potential circular references.
An HTML helper is probably a better fit - the parsing / display doesn't do anything that you could put in the ascx that isn't better handled in code.
Related
I am knocking together a quick debugging view of a backend, as a small set of admin HTML pages (driven by angulardart, but not sure that is critical).
I get back from my XHR call a complex JSON object. I want to see that on the HTML page formatted nicely. It doesn't have to be a great implementation, as its just a debug ui, but the goal is to format the object instead of having it be one long string with no newlines.
I looked at trying to pretty print JSON in dart then putting that inside <pre></pre> tags, as well as just dumping the dart Map object to string (again, inside or not inside <pre></pre> tags. But not getting to where I want.
Even searched pub for something similar, such as a syntax highlighter that would output html, but didn't find something obvious.
Any recommendations?
I think what you're looking for is:
Format your JSON so it's readable
Have syntax highlight
For 1 - This can be done with JsonEncoder with indent
For 2 - You can use the JS lib called HighlightJs pretty easily by appending your formatted json into a marked-up div. (See highlightjs' doc to see what I mean)
When I allow a user to enter text using s:textfield, he can enter something like <b>Name</b> or something like \Me/. I want that these should be escaped before I am saving them to the database. When we retrieve them, the escaping is done automatically, but I want it to happen also when we are saving it.
I was trying to return a json output from my action class, but due to a name \a/ stored in my database, wrong json was being formed. This would have been avoided if the name had been escaped before being saved into the database.
You can use StringEscapeUtils. You can call escapeJavascript(textfield) in your action and then store it into the database.
#Daud, The problem you explained is called Cross site scripting or XSS.
And I think you should use Filters to clean the request parameters. This is the most sophisticated way. You can call these filters for the actions which are posting some parameters via request.
Visit my blog to see how to avoid XSS threat using Filter approach.
I also faced this issue when our project was tested by well known firm specializing in security testing and they suggested this filter approach.
You can give it a try.
I am writing a web app that has to deal with urls containing hash character ("#").
I am using MVC 1 with ASP.NET 3.5 (VS 2008).
My urls are like this one:
www.mysite.com/token/?name1=value1&#&name2=value2
My issue is that I cannot find a method to get the original URL, but only get the substring before the hash character:
www.mysite.com/token/?name1=value1&
I used the MVC methods provided from the class HttpRequestBase.
Anyone can suggest me an alternate method to get the entire url?
Thank you, this is my very first question!
PS: I think maybe I have to encode my hash character, isn'it?
You cannot access anything after the # from the server-side - this is all Client-side. You will need to find another way to pass the information you want through to the server.
If you are posting, you can do this with hidden fields. If you are using ajax posts, you can pass the data within the model.
Any suggestions for best practice on validating/cleaning user input in ASP.NET MVC. It seems ValidateInput will almost always need to be set to False since it cant be handled from within the MVC framework (the error is thrown even before the Action Method is fired).
So how should the input be validated for malicious input. Do we have to manually screen each input and check it for characters such as <, >, " etc
How about if we only wish to allow some types of input such as tags but forbid and other inputs? This must be a pretty common requirement of a web app now, but I can't see much in ASP.NET MVC to automate this.
So how should the input be validated for malicious input. \
It depends on what your application is doing with this input. If you are storing it in a relational database for example, well, as long as you use parametrized queries and properly encode the user request, relational database don't care about storing for example alert('foo'); in a given column. When you might get into trouble is when you try to fetch the result stored in this database and show it on some view. It is at that moment that you must ensure that the result is properly HTML encoded.
So for example let's suppose that you have stored some hyper dangerous string in your data store and you want to display it on your view. If you were using the Razor view engine you would simply:
#Html.DisplayFor(x => x.SomeProperty)
which will take care of properly HTML encoding the value of SomeProperty so that you don;t have to worry about.
And if you were using the WebForms view engine:
<%= Html.DisplayFor(x => x.SomeProperty) %>
So, as you can see there are two critical moments where you should be careful with the user input:
always use parametrized queries if you are storing this user input into a relational database
always HTML encode the value you have stored when time comes to render it on some view
I am unsure of the best way to handle this. In my index view I display a message that is contained in TempData["message"]. This allows me to display certain error or informational messages to the user when coming from another action (for example, if a user tries to enter the Edit action when they don't have access, it kicks them back to the Index with a message of "You are not authorized to edit this data").
Prior to displaying the message, I run Html.Encode(TempData["message"]). However, I have recently come into the issue where for longer messages I want to be able to separate the lines out via line breaks (<br>). Unfortunately (and obviously), the <br> gets encoded by Html.Encode so it doesn't cause an actual line break.
How do I process line breaks correctly in Html Encoded strings?
The easiest solution I've seen is:
#MvcHtmlString.Create(Html.Encode(TempData["message"]).Replace(Environment.NewLine, "<br />"))
If you are using a razor view, you should not have to call Html.Encode normally. By default, Razor html encodes all output. From Scott Gu's blog introducing Razor:
By default content emitted using a # block is automatically HTML encoded to better protect against XSS attack scenarios.
I agree with #Roger's comment - there is not really any need to encode anything that you have total control over.
If you still wish to be better safe than sorry (which isn't a bad thing), you could use the Microsoft AntiXss library and use the .GetSafeHtmlFragment(input) method - see HTML Sanitization in Anti-XSS Library
e.g.
<%= AntiXss.GetSafeHtmlFragment(TempData["message"]) %>
FYI, the Microsoft Web Protection Library (A.K.A. Microsoft AntiXSS Library) developers seem to have broken the assembly and pulled all previous versions that were working. It is no longer a viable solution in its current state. I was looking at it as a solution for this problem before reading the comments. All 18 of the current ratings for the latest release are negative and complain about it being broken with no updates from the developers so I didn't even try it.
I went with #ICodeForCoffee's solution since I'm using Razor. It is simple and seems to work quite well. I needed to take potentially lengthy descriptions with line breaks and format them so the line breaks would come through in the page.
Just for completeness, here's the code I used which is #ICodeForCoffee's code modified to use the description field of the view's model:
#MvcHtmlString.Create(Html.Encode(Model.Description).Replace(Environment.NewLine, "<br />"))
"Process" the message in the controller:
HTMLEncode the message
Insert the line break tags
Add message to the TempData collection.
Try this:
StringBuilder sb = new StringBuilder();
foreach(string message in messages)
{
sb.Append(string.Format("{0}<br />", Server.HtmlEncode(message));
}
TempData["message"] = sb.ToString();