When to encode as HTML in Grails - html

I often see Grails sample code where the programmer has called a method called encodeAsHTML(). I figure I should probably use this in my Grails applications (for security reasons, I assume?), but I was wondering when I should use this method. What objects/properties/etc. are candidates for the encodeAsHTML() method?
Thank you!

Use encodeAsHTML() (or encodeAsJavaScript, etc) for everything that you've got from user. For every string that could be modified by user (got from input form, from request parameter, from external API call, etc)
See also:
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

I am not sure when this was introduced to Grails, but if in Config.groovy you set grails.views.default.codec="html" then encodeAsHTML() is called whenever you use ${} in GSPs.
Source: http://alwaysthecritic.typepad.com/atc/2010/06/grails-gsp-html-escaping-confusion.html

Related

Library class doesn't know of ConfigureWebHostDefaults extension method

I'm building a suite of REST micro-services using .Net Core 3.0 Preview 6. All these services will have the same start up logic. So, I'm trying to place all the code in a .Net Standard library.
The goal is to have the IHostBuilder:CreateHostBuilder method, as well as the Startup:Configure and Startup:ConfigureServices class and methods in the library. The library will also contain error handling logic, customized http response messages, etc.
However, I can't seem to find the correct package that contains the ConfigureWebHostDefaults method. I tried adding the Microsoft.AspNetCore package 2.2.0, but that didn't resolve the issue.
I added the Microsoft.Extensions.Hosting (3.0.0-preview-6) package, that also doesn't resolve the issue.
Is what I'm attempting even possible?
Thanks
-marc
I resolved it, not the best way, but it works. I decided to make the library targeted specifically for .NET Core 3.0. So, I changed the targetframework in the project file. That change automatically resolved my other issue.
Import the Microsoft.AspNetCore package, and use WebHost.CreateDefaultBuilder() instead. According to the code it is built from, both CreateDefaultBuilder() and ConfigureWebHostDefaults() call the same internal method: ConfigureWebDefaults().
The only downside of this is that the returned host will be an IWebHost instead of an IHost.

Is there a way to force the UWP RichEditBox use only UTF encoding when the user types?

I am trying to convert the contents of a UWP RichEditBox to HTML.
For that purpose, I've tried using the RtfPipe library (https://github.com/erdomke/RtfPipe). From the looks of it, this library has a problem on UWP, due to the fact that not all encodings are defined on that target framework. (This is the error you get, if you are interested: Encoding.GetEncoding can't work in UWP app, but the accepted answer seems not to be the best option on all platforms - I haven't even managed to make the suggested fix compile, so it might not be valid anymore)
Now, as a way of avoiding this from happening, I am wondering whether there is a way to force the control to always use one of the UWP-defined UTF-variants for encoding the data when the user types his text.
Because, now, when I type into it, I get things like that:
{\rtf1\fbidis\ansi\ansicpg1253\deff0\nouicompat\deflang1032{
....
\pard\tx720\cf1\f0\fs23\lang1033
...that make the library throw exceptions.
I guess, if I manage to make it not use ASCII code pages, things will be great.
After taking a look at the control properties though, I do not see something I could use. Is there any way to achieve this?
This is the error you get, if you are interested: Encoding.GetEncoding can't work in UWP app
As you described, there is an inner error thrown when using this package with UWP app. System.ArgumentException: 'Windows-1252' is not a supported encoding name, by testing on my side, which is thrown by the code line public static readonly Encoding AnsiEncoding = Encoding.GetEncoding("Windows-1252"); of RtfSpec.cs when UpdateEncoding.
It seems like Windows-1252 may not be supported in UWP from the error details,also see this similar thread. You could use UTF instead as you want, for example, have a change on the library with following then it will work (testing demo here).
public static readonly Encoding AnsiEncoding = Encoding.UTF8;
I haven't even managed to make the suggested fix compile, so it might not be valid anymore
Encoding.RegisterProvider method should be work, but it only support UWP or .NET Framework 4.6, it does't support the Portable Class Library. The RtfPipe library you mentioned is Portable Class Library, so that you cannot use Encoding.RegisterProvider. Encoding.GetEncoding method supports Portable Class Library, details please check the version information of the two classed.
I guess, if I manage to make it not use ASCII code pages
RTF itself uses the ANSI, PC-8, Macintosh, or IBM PC character set to control the representation and formatting of a document, you may not able to change that. Consider to update the library to resolve the issue for UWP.

How do I make an Storyblok-API call with multiple parameters incl. "filter_by"?

So far I have seen, the API allows me to add certain parameters to my calls such as filter_by and sort_by.
This works well for me, but I would like to know how do I use multiple parameters at the same time and using the filter_by parameter.
Currently, I am working with the Silex-Boilerplate, which offers me this function:
options('{"sort_by":"name:asc","is_startpage":false}')
I have tried to pass this JSON as options-parameter:
'{"filter_by":"{"component":"reference"}", "sort_by":"name:asc"}'
But it doesn't seem to work. Are there any suggestions about how the JSON could look like?
Thanks in advance!
As I can see you're already using the options Twig helper which is the right way to go.
options('{"sort_by":"name:asc","is_startpage":false}')
you can use the filter_by parameter directly using this syntax:
options('{"sort_by":"name:asc","filter_by[component]":"reference"}')
Also this syntax would be possible:
getStories('starts_with', 1, 10, 'name:ASC', options('{"filter_by":{"component":"reference"}}'))
this will be mapped directly for the API call by our PHP Client Library. Those requests are also cached in your Silex Boilerplate without any extra effort.

Angular - building a "public" function (newbie)

I'm After several days learning angularJS through converting my standart JS app to a ng one.
I was wondering about this simple scenario:
I have a global function called fb_connect(),
it can be used from any page (or any controller if you like) to make a facebook-based login.
This function makes a simple http call and receives a JSON object contain data to move on (display a pop up, login, etc...)
I read that I can define a Factory or a Service for my app and use it in any controller, which works fine.
So, I created a fb_connect factory function.
The problem is that now, in every page (every controller), I have to define that fb_connect in the constructor of every controller - for example :
function welcome($scope,fb_connect){});
What is the proper way to do this kind of actions using Angular without having to define these functions each and every time in every controller?
Thanks
Setting up factories and services is all part of the dependency injection system of Angular. Using that system is great when you need to create things that depend on other injected things. It's a big tree of dependencies. It's also nice for creating singletons, such that everywhere in your code end up using the same instance of some object.
It sounds to me like neither of these benefits apply in your case. I'd suggest just not using Angular's DI for it. You have some function defined globally, just call it directly and skip the DI. There's nothing wrong with that.
Of course you say it makes an Ajax call, so doesn't depend on the Angular $http service?
Your two options are:
Declare the function on the $rootScope
Inject it as a service
My advice is to go with making it a service. The whole purpose of services is explained in the Angular.js docs, just like this quote:
Angular services are singletons that carry out specific tasks common to web apps... To use an Angular service, you identify it as a dependency for the dependent (a controller, or another service) that depends on the service.
As you mentioned in your question, you'd prefer to not define the service in every controller you wish to use it in. With $rootScope you'll be injecting that also in every controller. So really it's a question of which you prefer, although to answer your question, the proper way of using a factory or service is to inject it into the controller you wish to use it in.
You can always put it in the $rootScope
myApp.run(function($rootScope, fb_connect){
$rootScope.welcome = function(){
};
});

best way to fix inspection for soapclients in phpstorm

I'm using PHPStorm v3 and have some code which connects to a certain SOAP service. (via a simple PHP SoapClient) No problems whatsoever. But the PHPStorm inspector cant find the methods available of the WSDL and thus cant recognize the used methods:
$this->soap = new SoapClient('somewsdl url');
$issues = $this->soap->getIssuesFromJqlSearch($this->auth,
'ticketId = '.$ticket->getId().'
AND impId ~ "'.$currentImplementation->getIdentifier().'"', 1);
Everything works but the method 'getIssuesFromJqlSearch' which is provided by the external WSDL is highlighted with the mentioning of an undefined method... How can i 'tell' PHPStorm what should/could be used (or explain how to parse the WSDL?)
You can suppress the inspection for this statement from the Alt+Enter, right arrow menu:
This is not perfect, since it does not parse the WSDL and you have to do it manually, but works fine after the initial setup.
Create a class extending the native SoapClient and use annotations to add virtual methods:
/**
* #method mixed getIssuesFromJqlSearch
**/
class VendorSpecific extends \SoapClient {}
Or you could generate such client yourself, implementing all the methods as a proxy to self::__soapCall(). See my SoapClient generator for reference. The upside is that it can parse the WSDL, though not perfectly.