I am trying to display an HTML email in a webpage using caja. I am loading it like this:
caja.load(document.getElementById('messagebox'), undefined, function(frame) {
    frame.code(contentUrl, 'text/html').run();
});
When it renders, all anchor href and image src tags are stripped. So you cannot see images or click links. I am guessing this is the default behaviour to prevent attacks.
Is there a way to allow the html to be rendered as intended, displaying all images and having clickable links?
I just started using caja today and the links to the API docs go to 404, so I cannot find the info.
Thanks
Use the policy caja.policy.net.ALL instead of undefined when you call load.
I have an ASP.NET Core 3.1 Razor Pages app. I'm receiving HTML content from the user and that will be displayed back in the browser. It's kind of a blog-like app where my end user will be given a WYSIWYG editor and then the HTML from the user will be encoded and saved in the database.
Now when the blog page is requested, I need to decode the HTML content back and display it in the browser. This makes my site vulnerable to XSS attacks.
Here is the HTML from the user:
<p>blog 5</p><script>alert()</script>
I encode this and save it in the database:
&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;
Now to render the same:
@Html.Raw(System.Net.WebUtility.HtmlDecode(Model.Blog.Content))
When the page gets rendered it shows a JavaScript alert() box.
If I don't decode, then the HTML string is displayed:
@Html.Raw(Model.Blog.Content)
as shown below,
<p>blog 5</p><script>alert()</script>
I'm confused. Am I doing something wrong here? Please assist and correct me. I need the HTML to be safe, and it also has to display as HTML in the browser rather than as an HTML string.
I would recommend using an HTML sanitizer library. One of the more popular ones for .NET is:
https://github.com/mganss/HtmlSanitizer
It is available on NuGet:
https://www.nuget.org/packages/HtmlSanitizer/
This will allow you to whitelist the tags that you want to allow. See the wiki for additional documentation and examples.
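To show where the sanitizer fits into the flow from the question (decode the stored string, then sanitize before handing it to Html.Raw), here is an added example that is not from the question or from the HtmlSanitizer project. It assumes the package is installed and uses the Ganss.XSS namespace, which is an assumption about the package version (newer releases use Ganss.Xss).

```csharp
// Added example (not from the question or the HtmlSanitizer project).
// Assumes the HtmlSanitizer NuGet package; namespace depends on version.
using System;
using System.Net;
using Ganss.XSS;

public static class BlogHtml
{
    // One configured instance, reused for every request.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var s = new HtmlSanitizer();
        // The defaults already drop <script>, on* event handlers and
        // javascript: URLs. A blog editor needs far less than the defaults,
        // so replace the allow-lists with a small, explicit set.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "i", "strong", "em",
                                    "ul", "ol", "li", "a" })
            s.AllowedTags.Add(tag);
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        // Only http/https links survive; javascript:, data: etc. are dropped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        return s;
    }

    // stored: the HTML-encoded string as read from the database.
    // Returns markup that is safe to pass to Html.Raw.
    public static string ToSafeHtml(string stored)
    {
        string decoded = WebUtility.HtmlDecode(stored ?? string.Empty);
        return Sanitizer.Sanitize(decoded);
    }

    public static void Main()
    {
        // Constructed input: the encoded form of the question's sample.
        string stored = "&lt;p&gt;blog 5&lt;/p&gt;&lt;script&gt;alert()&lt;/script&gt;";
        Console.WriteLine(ToSafeHtml(stored));
    }
}
```

In the Razor page the call then becomes @Html.Raw(BlogHtml.ToSafeHtml(Model.Blog.Content)); sanitizing at output time also covers rows that were saved before the sanitizer existed.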
I am trying to load a page on my site into a prettyPhoto lightbox via a click on an anchor tag. What happens is that it looks like the lightbox begins to load, and it fetches the correct content, but instead of loading the content in the lightbox, it overwrites the whole page.
I tried to load external content in an iframe as well by trying the following:
TEST
It brings me to google, moving me away from my site and not loading it into an iframe.
Has anyone had similar problems with this? I am using Sitecore 6.5.
I am doing a project in Django and I want to have some Google maps displayed in my site. So, I installed django-easy-maps and successfully used it in a sample template. So, I am ready with my maps.
The interface I want to implement is this:
http://i49.tinypic.com/sowm74.png
I want to display the maps where the Hello World! container is, and with different links on the sidebar I want to refresh the map being displayed on user click without reloading the page.
I did some research and it seems Ajax is the solution...
Can anybody tell me how I might achieve this (with or without Ajax)?
Sorry for sounding like a noob but I am fairly new to this.
The basic steps are:
Create a view for the Google Maps section to the right. This view does not return a full HTML page but only the HTML for that section (which contains your Google Maps map).
When the user clicks on a link on the left, use JavaScript to perform an Ajax call to request that page. In short this means: attach an event handler to the onclick event of those links, and in that handler perform an Ajax call. Many people use a JavaScript library for this purpose, such as jQuery (which has $.ajax()).
You can then use JavaScript to put the received HTML inside the container on the right (using $.html()).
I am using the Facebook "like" button as an iframe on my site. The data that the Facebook button scrapes from my site's URL is not correct. How can we customize this data being sent or scraped?
i.e. I am using Django, and hence have a base.html which has the Facebook meta tags. This base.html is extended throughout the site.
Now I can't understand how to customize these meta tags for each individual page that my site has.
Is there a way to give these attributes in the iframe itself ?
Is the question clear? If not, please comment and I will make the necessary changes.
Do you mean the Open Graph meta tags?
http://ogp.me/
I don't think it's valid to add meta tags anywhere in a page (i.e. outside the head tag) in order to customise their contents on each of your pages, but I think it's valid in HTML 5 to have meta tags outside the head tag, so I would suggest trying it first. Then, if you're able to, try to set it up so that in your base.html the meta tags hold a variable, and on each of your pages that use base.html you specify the value of that variable on the individual page.
I have a client with a "Directions" page in their website and they wanted to add a Google map to the page, so they went to Maps, put in their location and then used the "embed" link to get the HTML for the iframe. They then opened up the Flatpage for the "Directions" page in the admin, went to HTML mode in TinyMCE and pasted in the code, but as soon as they save, the code is gone and there is no map; just the div tags that surrounded the iframe are left.
I have tried Googling and I have repeated the process myself but with no success. Does anyone know if you are just not allowed to insert iframe HTML into the body of a Flatpage in Django?
Unless you've added some kind of additional validation/cleaning, flatpages would not remove anything from the content. Have you tried without TinyMCE?
Update: The point isn't that you'd leave TinyMCE disabled; the point is to narrow down where the problem is, so you can actually fix it. And I'm almost certain the problem here is TinyMCE, not Django.
I would suspect that TinyMCE is garbling something up. I'd try to disable TinyMCE and see if you have the same problem. Also, make sure you're using the 'safe' filter on the text in the templates. Otherwise Django will escape all the HTML.