I've got wiki style content which is sanitized and stored in another field of the db for output as html. The original body field I'm not sure how to deal with as when I santize it characters are escaped and don't display well in the textarea.
What are the dangers of unsafe content in textareas? I'm sure I read previously that downloading such textarea content with ajax is preferable but I'd rather not go down that route if not necessary.
all HTML tag are no safe. by example if you close the textarea, you can add all nez HTML tag or what you want like JS. So it's exactly like inside a non textarea tag.
Related
I'm building an application that has a HTML GUI interface to create, move and edit boxes (div) inside a container div. These boxes get assigned inline styles when editing, these inline styles are saved to the database and are output in the views:
<%= sanitize raw(#slide.content) %>
I want to sanitize the HTML itself, to avoid someone hacking in, for instance, a script tag, through sending that by editing what's sent to the server when the boxes are saved.
Rails 4 has a helper method sanitize available through the class ActionView::Helpers::SanitizeHelper. When I use this with a test content value that contains a malicious <script> tag, the script gets removed just fine. But sanitizing the content also strips CSS properties inside the style tag that are necessary for the boxes, like top, left, position, etc.
In the linked documentation, it's stated that sanitize will automatically use the function sanitize_css when it comes across a style attribute:
sanitize_css(style)
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
I do not want this behaviour of sanitize. How can I disable sanitize using sanitize_css, to sanitize the HTML, but not the CSS?
You can allow any attributes and tags you need, so rails will skip them.
sanitize raw(#slide.content), tags: %w(table tr td ul li), attributes: %w(style href title)
Speaking about CSS rules themselves, it's a bit harder to allow additional rules, but still possible. You can monkey patch the HTML::WhiteListSanitizer class (https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb). There are several attributes that can help.
In your config/application.rb file:
config.action_view.sanitized_allowed_tags = nil
config.action_view.sanitized_allowed_attributes = nil
safe lists found here: loofah html5 safelist
With a grails app and from a local database, I'm returning some text in a xml format.
I can return it well formed in a <textarea></textarea> tag with the correct indenting (tabulation, line return,...etc.)
I want to go a bit further. In the text I'm returning, there are some <img/> tags and I'd like to replace those tag by the real images themselves.
I searched around and found no solution as of now. I understood that you can't add an image to a textarea (other then in a background), and if I choose a div tag, I won't have the indenting anymore (and therefore, harder to read)
I was wondering if using a <g:textField/> or an other tag from the grails library will do the trick. And if so, How can I append them to a page using jquery.
For example, how to append a <g:textField/> in jquery. It doesn't interpret it and I get this error
SyntaxError: missing ) after argument list [Break On This Error]...+doc).append("<input type="text" id="FTMAP_"+nb_sec+"" ...
And in my javascript file, I have
$("#FTM_"+doc).append("<g:textField id='FTMAP_"+nb_sec+"' ... />
Any possible solutions ?
EDIT
I did forget to mention that my final intentions are to be able to modify the text (tags included) and to have a nice and neat indentation so that it is the easiest possible for the end user.
You are asking a few different questions:
1. Can I use a single HTML tag to include images inside pre-formatted text.
No. You will have to parse the text and translate it into styled text yourself.
2. Is there a tag in the grails standard tags to accomplish this for me?
No.
3. How can I add grails tags from my javascript code.
Grails tags are processed on the server-side, and javascript is processed on the client. This means you cannot directly add grails tags via javascript.
There are a couple methods that can accomplish the same result, however:
You can set a javascript variable to the rendered content of a grails tag. This solution is good for data that is known at the time of the initial request.
var tagOutput = "${g.textField(/* etc */)}";
You can make an ajax request for the content to be added. Then your server-side grails code can render the tags you need. This is better for realtime data, or data that will be updated more than once on a single rendered page.
I am developing a site in mvc4 where the content of the site includes both latin and cyrillic characters. Both are included in markup and both display correctly on screen.
However, within the markup, I have seen issues with cyrillic where url's for example are like following:
/%d1%81%d0%bf%d0%b8%d1%81%d0%be%d0%ba%20%d0%bf%d0%be%d0%b6%d0%b5%d0%bb%d0%b0%d0%bd%d0%b8%d0%b9
The url navigate correctly when clicked on, but incorrect in html markup. I have the meta charset set to utf-8 in a meta tag.
Any ideas whats causing this?
What you see is correct %-encoded (aka. URL-encoded) form of the URL “/список пожеланий” (as you can see using a decoder). Browser may display a URL in their address bar as %-encoded, or as decoded to characters. HTML authoring software or, in manual editing of HTML code, the author should take care of %-encoding anything that needs to be %-encoded at the HTTP protocol level, such as href attribute values.
We have translated one of our pages to french and all the html within the page displays flawlessly. That said, there is a javascript table (ext js) and the accented characters are not displaying correctly. The page is encoded UTF-8 in the HTML meta tags, but when I look inside FireBug, I see the following:
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
I'm guessing the problem is related to the ISO-8859-1 having worked its way back in. Does anyone know why the page itself would display fine, but the text inside the javascript component wouldn't? Do you somehow specify the encoding separately for the javascript files?
The Accept-Charset tag gives a set of encodings that are accepted -- if all the data sent is encoded UTF-8, then don't worry about it.
Can you elaborate on exactly what is happening?
You say "javascript table" -- I presume you are constructing an HTML table in JS and placing it in the DOM? Please elaborate, especially w.r.t. any character conversions. Are you building HTML text or building with DOM elements with attributes?
Where does the JS get its data? If with AJAX, have you verified the Encoding for that page?
Does the JS use encode() or decode()? Those don't handle UTF-8 correctly.
EDIT:
Type the URL to the JS code in your browser, and look at "Page Info" to see its encoding. I'll bet it is ISO-8859-1, which would explain the header problems.
Next, check the encoding of the AJAX data. If it's dynamically created you can:
Enable "Show XMLHttpRequests" in FireBug's console,
Load on your base HTML page,
Open the FireBug console tab,
Expand the AJAX GET/POST request and open the Response sub-tab,
Check the Encoding for the data, and fix as needed.
BTW, I'm having similar problems and haven't entirely ironed out the issues (still not sure the source data isn't badly encoded).
It's possible that the ext. JS file strips out unrecognised characters as a security precaution.
The "Accept-Charset" header can be specified in a number of places, including as an attribute in certain HTML elements. Have you performed a search for Accept-Charset (case insensitive) in the offending file?
I am using FckEditor in Create.aspx page in asp.net mvc application.
Since I need to show rich text in web pages, I used ValidateInput(false) attribute top of action method in controller class.
And I used Html.Encode(Model.Message) in Details.aspx to protect user's attack.
But, I had result what I did not want as following :
<p> Hello </p>
I wanted following result not above :
Hello
How can I show the text what user input?
Thanks in advance
The short answer is that HTMLEncode is making your markup show like that. If you don't HTMLEncode, it will do what you want.
You need to think about whether or not you need full control of markup, who is entering the markup, and if an alternative like BBCode is an option.
If your users using the editor are all sure to be 'safe' users, then XSS isn't likely to be as much a concern. However, if you are using this on a comment field, then BBCode, or something like SO itself uses is more appropriate.
You wont be able to use a WYSIWYG editor and do HTMLEncode though... (without BBCode, or some other token system)
It seems the user entered "<p> Hello </p>" (due to pressing Enter?) into the edit control, and it is displaying correct in the HTML as you have done an Html.Encode. E.g. the paragrahs are not rendered, they are outputted as "<p>..</p>" as the string is HTML encoded into something like "<p> Hello <p>".
If you do not want tags, I would suggest searching the text string for tags (things with <...>) and removing them from the inputted text. Do this before HTML.Encode.
...or am I missing something?
You can use HttpServerUtility.HtmlEncode(String)