I'm an asp.net mvc 3 newbie, I'm developing a site that allow user customize their layout and use razor template engine. Thay could direct edit the template file.
How to retrict user from only allow uses some explicit helper in a template. I dont want user access other dangerous server functions, and only use what I added.
Thanks
There are two cases:
You trust your users: in this case you shouldn't be worried as they won't break your site
You don't trust your users (most probable): in this case giving them the possibility to directly modify the templates seems a risky affair. You will need a pretty solid sanitizing tool that will filter all other helpers that you don't want. It's just too broad. Giving them the possibility to write markup would be OK with for example some WYSIWYG editor like WMD but giving them access to server code is asking for trouble.
Related
I work on a big Active Directory Project where I need to remake the whole intranet application using ASP.NET MVC. I was wandering if Razor was a necessity here ? Especially for forms, I'm having a hard time with Razor forms (what a noob).
I have read that Razor is essential for scalable applications, which I guess is the case here, but if I could dodge this ugly stuff, that would be great.
In the end, do I need to use it for everything?
I have seen examples on the net that use classic HTML forms, and Razor for conditions and such. I don't mind using it for conditions, I just can't figure out how to render my forms with it. Is it ok to use normal html forms, or will it create some scalability issues in the future when I have 1 billion documents? :)
Thanks for your help, hope this isn't too redundant, I've seen this subject all over the place.
You don't need to use the Razor Html Helpers to generate form/input tags (you can use standard HTML markup), but you'll miss out on some of the benefits (specifically integration with a viewmodel to pre-populate fields, validation, etc). You'll also need to make sure your input names match up properly when capturing the FORM POST on the submission side.
It's up to you want you want to go with.
This can help you decide.View Engine Comparison
i have to create a new asp.net mvc page that integrates content provided by a cms on the server side static. my mvc page provides a masterpage with the navigation and certain links should point to pages of the cms (which is installed on the same server). it should be something like a "server side iframe".
my idea is to create a controller which loads the page of the cms using a webrequest, extracts the body part of the page and passes the extracted data to the view. the view simply outputs the passed html. i also plan to add some logic to pass post requests to the cms (for news letter subscriptions, contact forms, ...)
now my question is: is it possible to implement this solution? or is there a better way to do this on the server side?
Could you use Application Request Routing to just hand off requests to your CMS, or do you need to include the externally provided content within an existing masterpage?
If you need to use the masterpage I would stick to the solution you suggest, although I might investigate the most robust and efficient option for querying the content from the CMS and perhaps if caching would be a good option.
It is undoubtedly possible, but keeping track of users, authentication, cookies etc. seems like a really tedious job. Also, embedding css classes, hard-coded styling etc. from the CMS in your MVC site could give you a severe headache.
If the CMS isn't home-brewed it probably has an API. In that case I would much prefer to use the API to get at the data I needed and then render that data using pure MVC. This will give you a much cleaner and more stable integration with the CMS.
We have a grails-groovy(right now version 1.3.7) based application with Oracle 11g database.
We have to make it OWASP complaint so we are thinking of all possible security enhancements/plugins.
The main issue is here:
We have a create email template feature in our application where a user can create a new email template and save it. The Use has to write code manually in this template page to create the template. (The implementation is done we need to secure it!)
The code consists of
1) groovy code
2) grails tags
3) SQL select queries (we can restrict the user to readonly so that no Insert and Delete etc are available)
4) HTML tags
The template is used by the application where it compiles, executes and applies the template to emails before sending them out.
I know about markup-sanitizer plugin and the HDIV api and thinking about them, but how Can I secure this feature more?
I guess this is a feature where you have to trust your users. From my point of view, you can't sanitize this kind of markup - there are too many ways how to inject malicious code. (See book "Writing Secure Code")
When it comes to OWASP, you always have to analyze the threat: how likely is an attack and how much harm can be done. If only admins (which you trust) have access to this template engine, then I guess the risk is low.
Otherwise you have to create a template generator instead of a free-form templates. But even this sounds from your description to be a big effort since you would need an SQL query builder and some kind of template builder.
So I guess you should try to redefine the requirement in such a way that a secure implementation is possible.
It should be free. Easily integrable with asp.net mvc. Extremely light-weight. It must sanitize the input.
for example, say if the user enters
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
It must not break the formatting of the page!
if the user enters some nasty html or maybe any html at all or any javascript code, it should reject that.
It would be awesome if it did some sort of cuss-word checking too, but that is not a requirement.
It can be jquery based.
Before you feel tempted to mark this question as duplicate, do check whether other questions are very old or something like that.
There are lots of RTEs that can be easily integrated into an asp.net page.There are many that are jquery based. See here I use server side code to sanitize. There are a number of classes that can be used to sanitize html. Run the user entered text thru the sanitizer to strip the markup.I am using http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/
Jeff Atwoods code is here
Also see this SO post
I am creating a service in which I want to allow end-users to edit HTML templates for web pages that allows for access to specific "variables" for inclusion in the template.
I know that liquid was designed for this very purpose, is secure (at least relatively), and is in heavy production use. However, I find the language to be fairly complex for end-users as compared to something like Mustache.
Mustache sounds great, but I am concerned about security... has it ever been used for end-user templates?
Basically I am looking for a templating engine I can use w/ Rails for end-users that is:
Secure - will not allow the execution of code by the user... at least not on the server. Users will be allowed to insert client-side javascript.
Powerful - allows end-users to create pretty much any web page they can imagine using the supplied "variables" and within the context of #1
Simple - the syntax is clear and easy for end-users to apply
Bonus points if there is support for rendering the template syntax in javascript and other languages.
Liquid meets 1 & 2, but not 3-4. Mustache meets 2-4, but I'm not sure about #1 and that is non-negotiable.
Greatly appreciate any insights, experiences, or comments.
Mustache is fantastic for interpolation and I can't imagine it ever exposing you to server-side vulnerabilities if you're using it for Javascript evaluation. It's the simplest, most powerful option. I don't know that non-programmers would understand it, but I'm sure it's simpler than Liquid.
Another option would be to use an existing simpler user markup set like BBcode or a rich-text editing library like TinyMCE. These are much reduced in functionality, but are easier to use for average people.