I am working on a SpringBoot based MVC application which uses mongoDB to store the data. I am using thymeleaf as the template engine. In one of the scenarios, the user needs to fill a form which is then displayed on some view.
The problem I am facing is that the user can use html tags to format the data while writing in the textArea of the form (code snippets, tabular format etc). But when I am displaying that text, the html is not being parsed and is displayed as is.
For example: <b>String</b> should be displayed as String but is being displayed as <b>String</b> only. When I check the source code of the page, the html tags are displayed as encoded, i.e. < is showing as &lt; etc., and hence the parsing is not happening.
Can someone please help
You can output unescaped text with th:utext. From the official tutorial:
If we want Thymeleaf to respect our XHTML tags and not escape them, we will have to use a different attribute: th:utext (for “unescaped text”):
<p th:utext="#{home.welcome}">Welcome to our grocery store!</p>
The tutorial assumes that home.welcome is a string with html-tags:
home.welcome=Welcome to our <b>fantastic</b> grocery store!.
It goes without saying that this needs very careful validation so that only safe (whatever safe is for the particular use case) HTML is stored into the database (and no possibly malicious code like <script/> tags).
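The "very careful validation" the answer calls for is usually an allowlist sanitizer: keep only known-good tags and attributes, drop everything else (script, event handlers, javascript: URLs) and re-escape all text. The following is an added example of such a sanitizer written in plain Python on top of the standard library's html.parser; it is not Thymeleaf, AntiSamy or any poster's code, and the tag and attribute allowlists are assumptions chosen to match the use case in the question (bold, code snippets, tables). It generalizes beyond the <script/> case in the answer by also handling unknown tags, event-handler attributes, unsafe href schemes and unbalanced markup.

```python
"""Allowlist HTML sanitizer (constructed example, not from the thread)."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tags a formatted form field may keep. Anything else is
# removed, but its text content survives (escaped).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "p", "br", "ul", "ol",
                "li", "table", "thead", "tbody", "tr", "th", "td", "a"}
# Attributes allowed per tag. on* handlers, style, etc. are never listed.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
# Elements whose *content* must be dropped as well, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def safe_url(url):
    """Allowlist of URL schemes for href; rejects javascript:, data:, etc."""
    if url is None:
        return False
    return url.strip().lower().startswith(("http://", "https://", "mailto:"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities arrive decoded in handle_data, so the
        # text is re-escaped exactly once on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, for rebalancing
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag dropped, content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops onclick, style, id, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open:
            # Close anything left open inside it, so output stays balanced.
            while True:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions are silently dropped by
    # HTMLParser's default handlers, which is what we want here.

    def result(self):
        self.close()                    # flush buffered text
        while self.open:                # close tags the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return an allowlisted, balanced, escaped version of an HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input mixing formatting the user wants with markup
    # that must not reach the database.
    print(sanitize('<b>String</b><script>alert(1)</script>'))
    print(sanitize('<a href="javascript:x" onclick="y()">link</a>'))
```

Run the sanitizer once, on the way into the database, and store only its output; the th:utext view then renders content that has already been reduced to the allowlist. Keep the allowlist as small as the feature needs.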
I have a problem with reading HTML code from the database and displaying it.
It looks like this in my page:
And what I wanted it to look like is:
I'm using TinyMCE to store it into the database with the code below:
teamContent.PageContent = WebUtility.HtmlEncode(edited_content); // edited_content is the html code I posted to controller to store.
_context.Update(teamContent);
_context.SaveChanges();
And then I decode the html code I stored using:
ViewBag.content = WebUtility.HtmlDecode(content);
ViewBag.content is passed from controller to view for displaying.
So what's the correct way to do this? Thanks
ViewBag.content is only capable of storing strings, so although you've decoded the content to be html it will be treated as a string when processed in the .cshtml.
The way to proceed is to tell .cshtml how to handle the ViewBag.content, and in this case we want it to be treated as raw html.
If you're using Razor you will use Html.Raw:
@Html.Raw(ViewBag.content)
Otherwise, if not using Razor:
<%= System.Web.HttpUtility.HtmlDecode(ViewBag.content) %>
Remember that if the content of what goes into ViewBag.content is editable by the user, you're in dangerous territory and this is a security risk, as the user can write malicious code to be executed on your site.
I'm currently working on a blog using Django and SQLite for the back end. In my setup, I stored my articles in the database in this sort of form:
<p> <strong>The Time/Money Tradeoff</strong> </p> <p> As we flesh out High Life, Low Price, you will notice that sometimes we will suggest deals and solutions that may cost slightly more than their alternatives. We won’t always suggest the cheapest laptop...
On the page itself, I have this code for where I use the session data:
<p>{{request.session.article.0.blog_article}}</p>
I had assumed that the web browser would be able to read the HTML tags. However, it prints on the page in that form, with the visible <p> tags and the like. I think this is because it's stored as a Unicode string in the database and is put onto the page between two quotation marks. If I paste the HTML code onto the page, the format looks like I wanted it to look, but I want it to be an automated process (tell Django which article ID I want, it plugs the elements of the page into the template and everything looks great).
How can I get the stored article in a form where the page can see the HTML tags?
By default Django autoescapes all strings in the template, so when you render HTML code in the template, it just shows up as the literal HTML code. But you could use the safe filter to turn this off:
<p>{{request.session.article.0.blog_article|safe}}</p>
Classic problem. Want to see html rendered but I'm seeing text in the browser. Whether I tell handlebars js to decode it or not in template ( three curly braces vs two - {{{myHtmlData}}} vs {{myHtmlData}} ) doesn't get me there. Something about the JSON being returned via the model.fetch() has this html data wrapped up in such a way that it is resistant to the notion of displaying as HTML. It's always considered a string whether encoded or decoded so it always displays as text.
Is this just something backbone isn't meant to do?
The technologies involved here are:
backbone.marionette
handlebars.js
.NET Web API
Your data is being escaped automatically. It's a good thing, but since you're sure the data is safe HTML, use {{{}}} as in this other question: Insert html in a handlebar template without escaping.
My application was developed in ASP.NET MVC 4. We have a list of jobs.
Now we have allowed all special characters in the job name, but the
</ characters cause an issue in creating the <a> anchor tag. I have also tried to create an anchor tag with these characters on the w3schools.com example. I noticed the same thing.
for example, job name => Test </ Test
But it will render ONLY "Test", NOT "Test </ Test".
We are creating this link in "fnRowCallback" using javascript as it is listing of jobs and for that we have used jquery datatable http://legacy.datatables.net/.
Please help me: how can I prevent these characters using a regular expression on the JobName model property?
Thanks in advance.
If you mean for the display part of the anchor tag, everything should be fine - you should be getting ASP.NET MVC to perform any escaping required to represent your text properly in HTML, e.g. using @Html.AnchorLink(...). It's far better to be able to escape everything than to have to restrict your input :)
In general, raw data should never be written directly to the HTML - it can represent a huge security risk, for example. It should always be handled with the appropriate escaping, which should almost always be performed by the web presentation framework you're using rather than by any hand-crafted code.
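The Razor Html.Raw, Django safe-filter, Handlebars triple-brace and anchor-text answers above all describe one mechanism: the view layer HTML-escapes every value by default, and an explicit marker switches that off for a single value. The following added example is a deliberately minimal model of that mechanism in Python (my own code, not any framework's or poster's); the {{ name }} / {{ name|safe }} placeholder syntax and the SafeHtml marker type are assumptions standing in for the real engines. It reproduces the literal-tags symptom, the TinyMCE encode-then-decode round trip from the second question, and why escaping fixes the "Test </ Test" anchor without restricting input.

```python
"""Minimal model of template autoescaping (constructed example)."""
import re
from html import escape, unescape


class SafeHtml(str):
    """Marker type: a string that trusted code has already made safe HTML.
    Plays the role of Django's mark_safe / Razor's IHtmlString."""


def render_value(value):
    """Autoescape unless the value is marked safe (quote=True also escapes quotes,
    so the same function is fine inside attribute values)."""
    if isinstance(value, SafeHtml):
        return str(value)
    return escape(str(value), quote=True)


# Assumed placeholder syntax: {{ name }} escapes, {{ name|safe }} does not.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*(\|safe)?\s*\}\}")


def render(template, context):
    """Substitute context values into the template with autoescaping on."""
    def repl(match):
        name, safe_flag = match.group(1), match.group(2)
        value = context[name]
        if safe_flag:
            return str(value)      # |safe == th:utext / Html.Raw / {{{ }}}
        return render_value(value)
    return _PLACEHOLDER.sub(repl, template)


def tinymce_roundtrip(edited_content):
    """The pipeline from the TinyMCE question: HtmlEncode on save, HtmlDecode
    on load, then the view autoescapes again, so tags come out literal."""
    stored = escape(edited_content, quote=True)   # WebUtility.HtmlEncode
    loaded = unescape(stored)                     # WebUtility.HtmlDecode
    return render("<div>{{ content }}</div>", {"content": loaded})


def job_link(job_id, job_name):
    """Anchor whose text is escaped: '</' survives as '&lt;/' and is displayed,
    instead of being parsed as the start of an end tag."""
    return render('<a href="/jobs/{{ id }}">{{ name }}</a>',
                  {"id": job_id, "name": job_name})


if __name__ == "__main__":
    body = "<b>String</b>"                     # constructed stored content
    print(render("<p>{{ body }}</p>", {"body": body}))         # literal tags
    print(render("<p>{{ body|safe }}</p>", {"body": body}))    # rendered bold
    print(tinymce_roundtrip(body))             # still literal: decode != raw
    print(job_link(7, "Test </ Test"))         # full job name displayed
```

The round trip shows why decoding in the controller does not help: HtmlDecode only restores the raw string, and the view escapes it again. Output markup verbatim only for values that went through a sanitizer on the way in, and never mark a raw user value as SafeHtml.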
I need to fix XSS issues in my application. Now I am new to JSON and XSS. I think of two ways attacks can happen - first is through HTML input controls (text box/area etc.) or through request parameters which are visible in the URL (GET). Please suggest if I am missing something here?
I am thinking to use AntiSamy (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project). I am thinking of creating a custom tag which would contain the value of html controls e.g.
<input type="text" NAME="name" value="<mytag:xssclean><c:out value= escapeXml="false"/></mytag:xssclean>
This tag class would actually use AntiSamy to scan the HTML content. Will this take care of encoding any malicious JavaScript content entered into the text box/area before sending those parameters to the controller classes and then eventually to the database? Or would it only encode the content which is coming from the controller classes to get rendered on the JSP?
Is this the right approach? When would I need to validate on the Java side (controller classes, by direct validation using AntiSamy) versus on the JSP (with the new tag)?
Additionally I have many JSPs which do not have direct form fields with HTML controls, but their structure is created dynamically and a JSON string is given to the JSP. The JSP would simply have : where 'value' would contain the final JSON to be rendered as HTML (including HTML fields). Do we need to apply the XSS solution using AntiSamy on JSON strings, or is JSON data already safe from XSS attacks and are things like already present as text in JSON? Where should I resolve this issue for JSON cases?
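The JSON part of this question has no answer on the page, so the following is an added example rather than anything a poster wrote. It illustrates two facts a reviewer would want stated: JSON encoding does not make a string safe as HTML (the string is still whatever HTML it contains once the page inserts it into the DOM, so sanitization has to happen on the field, before storage or at render time), and a JSON document embedded inside a <script> block needs the characters <, > and & escaped as \uXXXX, because the standard json module leaves them as-is and a literal </script sequence inside a string ends the script element. The function names and the sample data are constructed.

```python
"""Embedding JSON in a page safely (constructed example, not from the thread)."""
import json


def json_for_script(data) -> str:
    """Serialize data for use inside a <script> element.

    json.dumps() escapes quotes and control characters but not '<', '>' or '&'.
    Replacing them with JSON \\u escapes keeps the document valid JSON (it
    round-trips through json.loads unchanged) while guaranteeing the text can
    never contain '</script' or an HTML comment opener. The replacements only
    ever touch string contents, because JSON syntax itself uses none of them.
    """
    text = json.dumps(data)                # ensure_ascii=True: non-ASCII escaped
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def script_block(data, var_name="pageData") -> str:
    """Assumed helper: the inline script a JSP/template would emit."""
    return f"<script>var {var_name} = {json_for_script(data)};</script>"


def embeds_safely(data) -> bool:
    """True when the encoded form has no raw '<' and still decodes to data."""
    out = json_for_script(data)
    return "<" not in out and json.loads(out) == data


def naive_breaks_out(data) -> bool:
    """True when plain json.dumps would leave a script-terminating sequence."""
    return "</script" in json.dumps(data).lower()


if __name__ == "__main__":
    # Constructed record: a field that holds HTML and a closing script tag.
    record = {"title": "Deals & more", "body": "</script><b>x</b>"}
    print(json.dumps(record))        # contains </script> verbatim
    print(script_block(record))      # <script>var pageData = {... \u003c ...};</script>
    # The HTML in record["body"] is unchanged by either encoding: JSON is a
    # transport format, so the field still has to be sanitized or escaped
    # wherever the client turns it into DOM content.
    print(json.loads(json_for_script(record))["body"])
```

The practical answer to "where should I resolve this" follows from the last print: the \u escaping protects the script element that carries the JSON, while each HTML-bearing field still needs the same allowlist sanitization as a form field, applied to the field itself.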