I have a text editor in a web application similar to what we have here on StackOverflow. It returns text as HTML (Bold is <b>, etc.). What a user enters in that editor should then be sent to JIRA with the correct styling. However, I couldn't find anything in .NET that is going to help me achieve this, and I couldn't make a simple find-and-replace strategy work for
<ol> <li> or <ul> <li>.
Link for the formatting that I need to follow when sending to JIRA's API
https://jira.atlassian.com/secure/WikiRendererHelpAction.jspa?section=all
I want to create an ASP.NET website and I want to prevent cross-site scripting. I have a page with Summernote (a WYSIWYG HTML editor), which, when submitted, posts HTML code to an MVC ActionResult via a form or an Ajax POST.
This method saves the code in my database as the content/body of a message. On another site, you can display the content, which shows formatting things like lists etc.
For security reasons I want to filter the content I receive from the client. I am using the AntiXSS library from Microsoft.
A part of my MVC Code:
[ValidateInput(false), HttpPost, ValidateAntiForgeryToken]
public ActionResult CreateMessage(string subject, string body)
{
    // Sanitizer comes from the AntiXSS library (Microsoft.Security.Application)
    var cleanBody = Sanitizer.GetSafeHtmlFragment(body);
    //do the Database thing here
    return View(); // return a view or redirect once the message is stored
}
The major problem is that it kills my HTML elements with the <img> tag, because it removes the src=""
should be:
<p><img src="" data-filename="grafik.png"></p>
remaining:
<p><img src="" alt=""><img src=""></p>
What can I do to prevent this?
Is there a way to add an exception rule?
Is there another, better way?
How does it work?
Thanks for your help!
There is no such thing anymore as the "AntiXSS Library". It used to be a separate library, but Microsoft moved it into .Net, so it's now under System.Web.Security.AntiXss.
The reason this is important is that you need a sanitizer. The way you are using AntiXss currently will take a list of html tags and a list of attributes to those tags, and will remove everything else from your html code. That's not very good for you, because you only want to remove javascript, regardless of tags or attributes. Let's take for example <a>, with its href attribute. You most probably want to allow your users to insert links, but you don't want them to be able to insert javascript via <a href="javascript: ...">. So you cannot filter out href for <a>, but if you leave it, your page will be vulnerable to XSS.
So you want a sanitizer that only removes javascript. In the original AntiXSS library there was a sanitizer, but when Microsoft moved it to .Net, the sanitizer was left out.
So in short, AntiXss will not help you with your current use case.
You can find proper HTML sanitizers, such as Google Caja (client-side sanitizer here), or many others. The point is, even if this sanitizer is in JavaScript (on the client), if you are careful not to insert your data into the page DOM before sanitizing it, it will all be fine.
So in short, you could just save any data from the HTML editor to your database as is, without any transformation (mind SQL injection, of course, but current data access technologies should have that covered), and then, when such data is displayed, send it to the client without adding it to the page DOM (as JSON data, for example, but properly encoded for JSON then, of course!), then run your sanitizer, which will remove any JavaScript, and then add it to the page.
The reason this is very good is that your WYSIWYG HTML editor will likely have a preview screen. Don't forget to add sanitization to previews as well, otherwise the preview will be vulnerable to XSS. If sanitization was on the server, you would have to send the editor contents to the server, sanitize it and send it back to your user for preview, which is not very user-friendly.
Also note that many WYSIWYG editors support hooking into their rendering and adding such a sanitizer. If an editor does not support this and does not have its own sanitizer, it cannot be made secure with regard to XSS.
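Two of the steps in this answer, shown as an added JavaScript example that is not code from the answer or from any sanitizer library: the JSON encoding that keeps the stored HTML out of the DOM until the sanitizer has run, and the URL-scheme check a sanitizer has to apply to href/src values (the <a href="javascript:..."> case raised above). The function names and the list of allowed schemes are this example's own assumptions.

```javascript
// Added example: safe embedding of user HTML as JSON data, plus a URL-scheme
// check of the kind a client-side sanitizer must apply before the fragment is
// added to the DOM. Names below are this example's own, not a library API.

// Encode a value as a JSON literal that is safe inside a <script> block.
// JSON.stringify alone is not enough: "</script>" in the data would close the
// block, "<!--" can open an HTML comment in script-data state, and U+2028/U+2029
// are line terminators in older JavaScript engines. Escaping them as \uXXXX
// keeps the literal valid JSON and valid JavaScript.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the server sends: the body is data, not markup, until the client-side
// sanitizer has processed it.
function renderMessagePage(body) {
  return '<script>var messageBody = ' + jsonForScript(body) + ';</script>';
}

// Entities the sanitizer must decode before looking at the scheme, because the
// browser decodes them before it resolves the URL.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };
function fromCodePoint(n) {
  return n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n);
}
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCodePoint(parseInt(dec, 10)))
    .replace(/&(lt|gt|amp|quot|apos|colon|tab|newline);/gi, (_, name) => NAMED[name.toLowerCase()]);
}

// Assumed policy for this example: only these schemes may appear in a link.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decide whether a URL-valued attribute may be kept. Browsers strip tab,
// newline and leading/trailing control characters before matching the scheme,
// so "java\tscript:" and " JavaScript:" are both script URLs; the check
// normalises the same way (dropping all ASCII controls and spaces, which is
// stricter than the browser but only ever rejects, never accepts, more).
function isSafeUrl(raw) {
  if (raw == null) return false;
  const url = decodeEntities(String(raw)).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // relative URL: no scheme to abuse
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}
```

The same encoding rule applies when the server side is ASP.NET: whatever JSON serializer is used, `<`, `>` and `&` have to come out as `\uXXXX` escapes before the literal is placed in a script block. A real sanitizer runs a check like isSafeUrl over every URL-valued attribute; the part worth copying is that the comparison happens after entity decoding and whitespace stripping, otherwise `&#106;avascript:` and `java\tscript:` pass a naive `startsWith("javascript:")` test.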
I am currently using HtmlAgilityPack for some web scraping; however, I've encountered a website that has script tags and I am unable to load it for scraping. I have little experience with the web and am unsure how to properly load the webpage and convert it back to something HtmlAgilityPack can parse.
Pretty much, when I inspect the element in Chrome, there is a table, but HtmlAgilityPack reads a script tag.
Any help would be appreciated.
Thank you
I have had similar problems too. It is very annoying that there is not one unified method of doing this on all websites from a C# console.
However, depending on the site you are looking at, there may be some information in meta tags in the head section of the HTML. When I was making an application to get a YouTube subscription count I found it had the count in a meta tag (I assume this information is there for the scripts to use). This may be similar for the web page you are scraping.
To do this I first added a
document.Save(/* path where the html file needs to go */);
then I opened the HTML document in Google Chrome, opened up dev tools and did a search for "Subscriptions" (you can replace this with whatever you are looking for). Hopefully, depending on the website you are scraping, there may be a tag with some info in it for you.
Good Luck! :)
I currently have a .NET MVC web project that displays comments that are submitted by users and are stored in a database.
I was wondering if anyone had any information on how to embed a link in the comment so that it can be clicked on and followed to the desired link :)
I am aware that I can google this; however, with the language in this given question, finding an answer on Google has been quite basic and not too accurate.
Well, you can store the comments as HTML in the database and then display them using Html.Raw, but that opens up many security flaws. The best option is to set up some custom tag to represent a link, such as [url link="example.com"]click here[/url], and then use a Razor helper to parse that and transform it into an HTML link.
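The custom-tag approach from this answer, as an added example that is not the answer's own code (and written in JavaScript rather than as a Razor helper so the parsing logic stands on its own): the comment is treated as plain text and HTML-encoded in full, and only the [url link="..."]text[/url] tag becomes an <a> element, after the link value is checked so that it cannot carry a javascript: or data: URL. The function names and the "http(s) only" policy are this example's assumptions.

```javascript
// Added example: render a comment stored as plain text, in which
// [url link="..."]text[/url] marks a link, into HTML. Everything the user typed
// is HTML-encoded; only the markup this function emits is trusted, so the result
// can be written to the page with no further encoding. Names are this example's own.

function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Only http(s) links are honoured, so the link attribute cannot smuggle a
// javascript:, data: or vbscript: URL into the href. Tab/newline characters are
// removed anywhere and leading control characters are dropped before the check,
// because browsers ignore them when parsing a URL. A bare host such as
// "example.com" gets "http://" prepended. Returns null for a rejected link.
function normaliseLink(raw) {
  const url = String(raw).replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  if (/^https?:\/\//i.test(url)) return url;
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return null; // some other scheme: reject
  return 'http://' + url;
}

// [url link="..."]text[/url]; the link value may not contain '"' or ']'.
const URL_TAG = /\[url link="([^"\]]*)"\]([\s\S]*?)\[\/url\]/g;

function renderComment(text) {
  const src = String(text);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(URL_TAG)) {
    out += htmlEncode(src.slice(last, m.index)); // plain text before the tag
    const href = normaliseLink(m[1]);
    if (href === null) {
      out += htmlEncode(m[2]); // rejected link: keep the visible text only
    } else {
      out += '<a href="' + htmlEncode(href) + '" rel="nofollow noopener">' +
             htmlEncode(m[2]) + '</a>';
    }
    last = m.index + m[0].length;
  }
  out += htmlEncode(src.slice(last));
  return out;
}
```

Because the output is built only from encoded text and the single <a> template, it can be emitted with Html.Raw without reintroducing the flaw the answer warns about; the href itself is HTML-encoded too, so an ampersand in a query string becomes &amp; inside the attribute.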
I have made a messaging system in which users can send messages to each other; they can also send files as attachments in a message (it's like a simple email system). It allows users to send HTML characters and they'll be rendered by the browser; for example, if they enter
<b>Hello</b>
it'll be rendered as
Hello
It's working fine; however, I am facing one problem: if a user enters
<iframe src="anywebsite"></iframe>
then it'll also be rendered by the browser.
How can I allow only some particular characters to be rendered by the browser, with the rest displayed as normal text?
I am using ASP.NET MVC3.
In my model class I've added the
[AllowHtml] attribute to allow HTML characters.
You could use the AntiXss library:
For example:
@Html.Raw(Sanitizer.GetSafeHtmlFragment("<b>Hello</b>"))
@Html.Raw(Sanitizer.GetSafeHtmlFragment("<iframe src=\"anywebsite\"></iframe>"))
The first will render the Hello text in bold, whereas the second won't render anything as it is not considered safe.
You could also check out the AntiSamy project.
I want to provide an HTML email function in my application. But I don't know how to get the HTML code from text like
<br /> <b>,
etc. My application will provide a user-friendly interface to let users enter the subject and email body and select attachments. The development environment is ASP.NET/C#. I use the System.Net.Mail class to do the email sending. I know I can write an HTML email by using the IsBodyHtml property, but how do I get the HTML from the user interface? Does anyone have a solution?
Have you looked into the HTML Editor control provided by the ASP.NET AJAX Control Toolkit? It is probably the easiest route to give the editor a friendly interface to generate "rich text" with, and for you to grab the underlying HTML that generated it.
There are also numerous jQuery plugins available if you wish to go that route.
In fact, this is quite simple; I'd recommend you use some WYSIWYG HTML editor (or google "html editor for c#").
Basically, it writes HTML and JavaScript so the textbox works as an HTML editor, pretty much the same as when we write our questions and answers here on SO.
Have you looked for a rich text editor that your users can use to enter their message (body)?
They usually have a function to get the HTML output of the text entered.