How to properly secure asp.net core 3.1 app from XSS attack and display HTML using @Html.Raw() - xss

I have an ASP.NET Core 3.1 Razor Pages app. I'm receiving HTML content from the user, and that will be displayed back in the browser. It's kind of a blog-like app where my end user will be given a WYSIWYG editor, and then the HTML from the user will be encoded and saved in the database.
Now when the blog page is requested, I need to decode the HTML content back and display it in the browser. This makes my site vulnerable to XSS attacks.
Here is my HTML from user,
<p>blog 5</p><script>alert()</script>
I encode this and save in database,
&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;
Now to render the same,
@Html.Raw(System.Net.WebUtility.HtmlDecode(Model.Blog.Content))
When the page gets rendered, it shows a JavaScript alert() box.
If I don't decode, then the HTML string is displayed,
@Html.Raw(Model.Blog.Content)
as shown below,
<p>blog 5</p><script>alert()</script>
I'm confused. Am I doing something wrong here? Please assist and correct me. I need the HTML to be safe, and it also has to be displayed as HTML in the browser rather than as an HTML string.

I would recommend using an HTML sanitizer library. One of the more popular ones for .NET is:
https://github.com/mganss/HtmlSanitizer
It is available on Nuget:
https://www.nuget.org/packages/HtmlSanitizer/
This will allow you to whitelist the tags that you want to allow. See the wiki for additional documentation and examples.
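The pattern the answer recommends, as an added example that is not part of the original post or of the HtmlSanitizer project's own code: decode the stored content back to HTML, run it through a sanitizer whose tag, attribute and URL-scheme allow-lists were configured once, and only then hand the result to @Html.Raw. The class name BlogHtml, the method ToSafeHtml and the chosen allow-lists are assumptions for illustration; the HtmlSanitizer type, its Sanitize method and its AllowedTags/AllowedAttributes/AllowedSchemes sets are the library's real API (namespace Ganss.XSS in the releases contemporary with .NET Core 3.1).

```csharp
// Added example (not from the question or the HtmlSanitizer project).
// Requires the HtmlSanitizer NuGet package; namespace is Ganss.XSS in the
// 5.x releases used with ASP.NET Core 3.1 (newer releases use Ganss.Xss).
using System.Net;
using Ganss.XSS;

public static class BlogHtml   // hypothetical helper class
{
    // A single configured instance is reused by every request.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var sanitizer = new HtmlSanitizer();

        // Replace the library defaults with an explicit allow-list of the
        // markup a blog post needs. Anything else, <script> included, is
        // removed rather than encoded, so it never reaches the browser.
        sanitizer.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "strong", "em", "h1", "h2", "h3",
                                    "ul", "ol", "li", "blockquote", "pre", "code",
                                    "a", "img" })
        {
            sanitizer.AllowedTags.Add(tag);
        }

        // Event-handler attributes (onclick, onerror, ...) are not in this list,
        // so they are stripped from the tags that survive.
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");
        sanitizer.AllowedAttributes.Add("src");
        sanitizer.AllowedAttributes.Add("alt");

        // Restricting URL schemes blocks javascript: and data: URLs in
        // href/src, which the tag allow-list alone would not catch.
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");

        return sanitizer;
    }

    // The question stores the editor output HTML-encoded, so decode first
    // (as the question already does) and sanitize the real HTML afterwards.
    // Sanitizing the still-encoded string would find nothing to remove.
    public static string ToSafeHtml(string storedContent)
    {
        if (string.IsNullOrEmpty(storedContent))
        {
            return string.Empty;
        }

        var decoded = WebUtility.HtmlDecode(storedContent);
        return Sanitizer.Sanitize(decoded);
    }
}

// In the Razor page, this replaces the raw decode from the question:
//
//     @Html.Raw(BlogHtml.ToSafeHtml(Model.Blog.Content))
//
// For the constructed input "&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;"
// the <p> element is kept and the <script> element is dropped before rendering.
```

Sanitizing at output time, as above, means content that was already saved before the sanitizer existed is covered too; sanitizing additionally on input is a reasonable extra layer but should not be the only one, since the stored value is what an attacker who bypasses the editor will control.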

Related

Does Django render JS on server side?

I know that Django has default config of SSR (server-side rendering) but all the articles I have gone through mention that the Django-forms are rendered on server side and then sent to the browser. No specific information on the use case when javascript is mixed in the template.
I want to know if I use jquery tables in my Django template. Does that still render on server side? If yes then how does it render Javascript/jquery on the server-side?
I'd be glad if someone corrects me if my question itself has invalid argument.
JavaScript is for browsers, so it doesn't matter if you write it in your template or add a link to it. The only way to render JS on the server side is to actually have an engine doing that for you, which Django doesn't.
What Django's template engine does is render the template based on the tags and HTML you provided and send valid HTML to the user containing the JS code or JS files alongside the CSS; the browser then runs that JS and CSS and renders the final webpage.

Allow images and links in Google Caja HTML emails

I am trying to display an html email in a webpage using caja. I am loading it like this:
// Load the message into the sandboxed frame; the second argument is the network policy.
caja.load(document.getElementById('messagebox'), undefined, function(frame) {
    frame.code(contentUrl, 'text/html').run();
});
When it renders, all anchor href and image src tags are stripped. So you cannot see images or click links. I am guessing this is the default behaviour to prevent attacks.
Is there a way to allow the html to be rendered as intended, displaying all images and having clickable links?
I just started using Caja today, and the links to the API docs go to 404, so I cannot find the info.
Thanks
Use the policy caja.policy.net.ALL instead of undefined when you call load.

Possible to use page on external site as content for MailChimp?

We've got a WordPress site and I've built a page that pulls from different sections of our site which I'd like to use as the content for a bi-weekly MailChimp newsletter. Is there anyway to automate pulling in a div on our site into the body of a MailChimp template?
All the tools I've found pull in the page as "an article" and just put an image and headline into the message body, rather than the full page verbatim.
Not averse to doing some coding, but not sure how to start.
Thanks for any suggestions.
I can think of two different routes you might be able to try. The first is to generate an RSS feed for the content you're talking about and then use an RSS Campaign to send the email. Depending on how you have this data stored on your site, WordPress might already be generating an RSS feed for you for that content.
The second option involves more coding. If you create a template with an editable section you can then pass in the content of that section via the API. This is probably harder, since the campaign content APIs are pretty convoluted in v2.0. v3.0 should make that easier, but it's still in beta.

Is it possible to display different categories from another site?

I'm working on a newspaper, and I was wondering if it's possible to take different categories from another website and display them on my website. My site was created with Joomla 2.5. I hope someone understands this :)
Since your site is the Joomla one, you could either write a custom extension or more simply use the Jumi extension so you can write PHP code directly in the article or page on which you need to grab the content from the other site.
Then depending on what you know about the other site, there are different approaches. If it offers an API or RSS feed, you can use that to pull the content you need (and use PHP string functions for instance to modify it as you need). If the other site doesn't have an obvious way of offering content through a web service, try PHP curl, and again you can modify the content before displaying it. Check out this page too: How to parse actual HTML from page using CURL?
As Arunu said an iFrame could also work if you don't need to modify the other site's content.
What you wish to do can be accomplished using an RSS feed or an iframe. But from your question it's not clear which site is using Joomla.

Can't get Google map to show up in Flatpage using Django Flatpages

I have a client with a "Directions" page on their website, and they wanted to add a Google map to the page. They went to Maps, put in their location, and then used the "embed" link to get the HTML for the iframe. They then opened the Flatpage for the "Directions" page in the admin, switched to HTML mode in TinyMCE and pasted in the code, but as soon as they save, the code is gone and there is no map; just the div tags that surrounded the iframe are left.
I have tried Googling and I have repeated the process myself, but no success. Does anyone know if you are just not allowed to insert iframe HTML into the body of a Flatpage in Django?
Unless you've added some kind of additional validation/cleaning, flatpages would not remove anything from the content. Have you tried without TinyMCE?
update: The point isn't that you'd leave TinyMCE disabled; the point is to narrow down where the problem is, so you can actually fix it. And I'm almost certain the problem here is TinyMCE, not Django.
I would suspect that TinyMCE is garbling something. I'd try disabling TinyMCE and see if you have the same problem. Also, make sure you're using the 'safe' filter on the text in the templates; otherwise Django will escape all the HTML.