I want to provide html email function in my application. But I don't know how to get html code from the text like
<br /> <b>,
etc. My application will provide user friendly user interface to let users to enter subject, email body and select attachment. The development environment is asp.net/c#. I use System.Net.Mail class to do email sending. I know I can write html email by using IsBodyHtml property, but how to get the html from the user interface?Does anyone have a solution?
Have you looked into the HTML Editor control provided by the ASP.Net AJAX Control Toolkit? It is probably the easiest route to give the editor a friendly interface to generate "rich text" with and for you to grab the underlying HTMl that generated it.
There are also numerous jQuery plugins available if you wish to go that route.
In fact, this is quite simple, I'd recommend you use some WYSIWYG Html Editor (or google "html editor for c#").
Basically, it writes html and javascript, for the textBox work as html editor, pretty the same when we are writing our questions and answer here in SO.
Have you looked for a Rich Text Editor that you can use for your users to enter their message (body)?
They usually have a function to get the HTML output of the text entered.
Related
I've have a text editor in a web application similar to what we have here in StackOverflow. It returns text as HTML (Bold is etc). What a user enters in that editor then should be sent to JIRA with the correct styling. However, I couldn't find anything in .NET that is going to help me achieve this and I couldn't make a simple find and replace strategy work for
<ol> <li> or <ul> <li>.
Link for the formatting that I need to follow when sending to JIRA's API
https://jira.atlassian.com/secure/WikiRendererHelpAction.jspa?section=all
I want to create an Asp.net Website and I want to prevent Cross Site Scripting. I have a page with Summernote (a WYSIWYG HTML Editor), which, when submittet, posts HTML Code to MVC ActionResult via form or Ajax Post.
This Method saves this Code in my Database as content/body of a message. On another Site, you can display the content, which shows formating things like Lists etc.
Because of security reasons i want to filter the content i recieve from client. I am using the AntiXSS Library from Microsoft.
A part of my MVC Code:
[ValidateInput(false), HttpPost, ValidateAntiForgeryToken]
public ActionResult CreateMessage(string subject, string body)
{
var cleanBody = Sanitizer.GetSafeHtmlFragment(body);
//do the Database thing here
}
The major problem is, that it kills my HTML Elements with tag, because it removes the src=""
should be:
<p><img src="data:image/png;base64,some/ultra/long/picture/code/here" data-filename="grafik.png"></p>
remaining:
<p><img src="" alt=""><img src=""></p>
What can i do to prevent this?
Is there a way to add an exception rule?
Is there an another better way?
How does it work?
Thanks for help!
There is no such thing anymore as the "AntiXSS Library". It used to be a separate library, but Microsoft moved it into .Net, so it's now under System.Web.Security.AntiXss.
The reason this is important is that you need a sanitizer. The way you are using AntiXss currently will take a list of html tags and a list of attributes to those tags, and will remove everything else from your html code. That's not very good for you, because you only want to remove javascript, regardless of tags or attributes. Let's take for example <a>, with its href attribute. You most probably want to allow your users to insert links, but you don't want them to be able to insert javascript via <a href="javascript: ...">. So you cannot filter out href for <a>, but if you leave it, your page will be vulnerable to XSS.
So you want a sanitizer that only removes javascript. In the original AntiXSS library there was a sanitizer, but when Microsoft moved it to .Net, the sanitizer was left out.
So in short, AntiXss will not help you with your current usecase.
You can find proper html sanitizers like for example Google Caja (client-side sanitizer here), or many others. The point is, even if this sanitizer is in javascript (on the client), if you carefully don't insert your data into the page DOM before sanitizing it, it will all be fine.
So in short, you could just save any data from the HTML editor to your database as is without any transformation (mind sql injection of course, but current data access technologies should have that covered), and then when such data is displayed, send it to the client without adding it to the page dom (like as json data for example, but properly encoded for json then of course!), then run your sanitizer that will remove any javascript, and then add it to the page.
The reason this is very good is because your wysiwyg html editor will likely have a preview screen. Don't forget to add sanitization to previews as well, otherwise the preview will be vulnerable to XSS. If sanitization was on the server, you would have to send the editor contents to the server, sanitize it and send it back to your user for preview - not very user-friendly.
Also note that many wysiwyg editors support hooking into their rendering and adding such a sanitizer. If an editor does not support this and does not have its own sanitizer, that cannot be made secure with regard to XSS.
I have HTML generated on a form. If you click a button, the HTML is generated and is currently placed in a ASP Textbox with just the text
<!doctype html><html>....</html>
and I want to automatically print this HTML (including the styling that is only for the generated body).
How can I do this?
To print your code you need to do several things
Tell the browser what to print, here's a few ideas, or create a new window with only the stuff to print.
Find a way to show the plain code, like using <pre> tags or the mentioned CodeMirror
Launch the print dialog, a simple javascript basically something like window.print()
There will be no automatic printing (unless you target IE with some black magic) as that would be insane to allow on the web.
I hope I understand your question correctly. CodeMirror is the one you might want to try. It displays and formats HTML text with colors.
http://codemirror.net/mode/htmlmixed/index.html
You will need to trigger the print request using Javascript, but you can set this off using C# (look at the ClientScriptManager for usage).
The window.print() function is what you need.
You will presumably want to restrict what you print, take a look at this SO post for ideas.
I need my .NET desktop app to be able to send various HTML mails, allowing users to create custom templates, including images and possibly CSS style (if they copy/paste the HTML from other sources).
From what I've been reading, it's not that simple:
Images need to be embedded and their links replaced with content IDs
CSS styles containing images also need to be fixed
Background color/image won't work, it's better to wrap the mail in a table and apply the CSS to it
SMTP servers can interpret lines starting with a dot as "end of transmission", so at least a space must be added to all such lines
Who knows what else
My questions are:
Is there anything else I should take care of?
Is there a library which already does this so that I don't reinvent?
One thing I can think of, make use of Alternate views for those recipients whose mail clients can't/won't accept HTML emails (or they've got it turned off). That way they'll get a plain text version, in which you could include a link to an html version live on the web if they decide want to view it.
I have also heard that not including a plain text version increases your likelyhood of being marked as spam - this is due to the fact that many mail filters compare the plain text and html versions of a message; if they differ too wildly it's not a good sign for you :-)
Other spam indicators include html messages which have more pictures than text, and generally sloppy html - broken css, bad links, missing tags etc - consider using some sort of markup validator before sending.
I have found the following CodeProject article, which describes how to embed various image resources into the mail:
Sending the contents of a webpage with images as an HTML mail.
It has some useful examples, although it doesn't seem to include an alternate plain text view, so I will have to add that.
It's still a pity that no-one has put together a library which does this stuff automatically.
I have make a messaging system in which user can send messages to each other, they can also send files as attachement in message(its like simple email system). It allows users to send HTML characters and they'll render by browser, for eg if they enter
<b>Hello</b>
it'll rendered as
Hello
Its working fine,however i am facing one problem if user enter
<iframe src="anywebsite"><iframe>
theny it'll also rendered by browser.
How can i allow only some particular characters to be rendered by browser rest will display as normal text
I am using Asp.net MVC3
In my model class i've add
[AllowHtml] attribute to allow HTML characters
You could use the AntiXss library:
For example:
#Html.Raw(Sanitizer.GetSafeHtmlFragment("<b>Hello</b>"))
#Html.Raw(Sanitizer.GetSafeHtmlFragment("<iframe src=\"anywebsite\"><iframe>"))
The first will render the Hello text in bold whereas the second won't render anything as it is not considered safe.
You could also checkout the AntiSamy project.