I have an .cshtml page with the following HTML in it:
<div class="content rowBody">
<span class="rowText" title="#description">
#description
</span>
</div>
If the value of #description is: <img src=x onerror=alert(/XSS/.source)>
I see it showing up just like this in the title attribute and therefore executing, while the one in between the span tag appears to be encoded and does not trigger the alert box.
My assumption was that the Razor engine view attempts to encode anything preceded by the #. Does this not apply to HTML attributes?
Generated source:
<div style="margin-left: 31px;" class="content rowBody unselectable" unselectable="on">
<span class="rowText unselectable" title="<img src=x onerror=alert(/XSS/.source)>" unselectable="on">
<img src=x onerror=alert(/XSS/.source)>
</span>
</div>
It looks like what you're seeing here is different encoding based on the context. The required output encoding for HTML tags is different to HTML attributes as it is different for JavaScript and different again for CSS.
Having said that, I couldn't reproduce this behaviour with a clean MVC4 project. What version are you using?
Related
I am trying to center a code in markdown (used in JupyterLab). Here is the code I use
<div style="text-align:center"><span style="font-size:1em;">
`code template`
</span> </div>
But this code keeps showing ` at the beginning and end of this simple snippet. Any suggestion on solving this problem is appreciated
Markdown generally is not processed in HTML block-level elements like <div>s:
Note that Markdown formatting syntax is not processed within block-level HTML tags. E.g., you can’t use Markdown-style *emphasis* inside an HTML block.
But you can still use HTML:
<div style="text-align:center"><span style="font-size:1em;">
<code>code template</code>
</span> </div>
I'm trying to publish a piece of html to umbraco.
I managed to setup tinymce to accept all the html tags, however, there is still some wrong transformations being done.
When I publish this piece of html:
<div class="col-md-4">
<a href="" class="card-link">
<div class="panel panel-default">
<div class="panel-body">
<h2 class="card-link-title">Currencies</h2>
<i class="card-link-icon icon icon-money-currencies"></i>
</div>
</div>
</a>
</div>
It is transformed to:
<div class="col-md-4">
<div class="panel panel-default">
<div class="panel-body">
<h2 class="card-link-title">Currencies</h2>
<i class="card-link-icon icon icon-money-currencies"></i>
</div>
</div>
</div>
The a tag is removed. According to new html5 standards, div under a tag is valid (http://w3c.github.io/html-reference/a.html#a-changes), so I'm wondering if there's a way to make tinymce in umbraco accept the piece of html as it is
You need to edit the javascript in umbraco/lib/tinymce/tinymce.min.js. (The file mentioned by Jannik Anker in the other answer is a legacy version of tinymce, no longer used)
Look for a line
n("a","href target rel media hreflang type",u)
and try amending it to
n("a","href target rel media hreflang type",u,"div")
Make sure to clear your browser cache after editing so the updated file is used.
A quick look inside /umbraco_client/tinymce3/tiny_mce_src.js reveals a function named getHTML5() where these rules seem to be defined. In my 7.4.0 test site I'd change line 2507 to
'a[A|href|target|ping|rel|media|type][B][div]' +
BUT that's not really doing anything, even if you make the same change in /umbraco_client/tinymce3/tiny_mce.js, because the RTE editor is using a different JS entirely, namely /umbraco/lib/tinymce/tinymce.min.js in which I cannot find that same function :-s
I don't have time for much further investigation, but maybe this can get you a little bit further?
We have a button setup in our application that looks something similar to the following:
<div class="button" onMouseOver="this.className='buttonHover'" onMouseOut="this.className='button'">
<h2>Button Title</h2>
</div>
I'm trying to do the same thing with an a4j:commandLink tag, but it is not working properly. here is the code I wrote:
<div class="button" onMouseOver="this.className='buttonHover'" onMouseOut="this.className='button'">
<a4j:commandLink action="#{action.method}" id="buttonId">
<h2>Button Title</h2>
</a4j:commandLink>
</div>
The HTML that this renders is incorrect, and the <h2> tag ends up outside the <a> tag. Here is what is rendered:
<div class="button" onMouseOver="this.className='buttonHover'" onMouseOut="this.className='button'">
<h2>Button Title</h2>
<a name="myForm:buttonId" id="myForm:buttonId" onClick="A4J.AJAX.Submit........" href="#"></a>
</div>
The onclick is getting rendered correctly, and the link should work, but the h2 tag needs to go inside the a tag in order for the button to render correctly on screen.
The HTML that this renders is incorrect
JSF doesn't render it that way. It's the webbrowser itself who interpreted the obtained HTML markup that way. You most likely looked in HTML DOM inspector in webbrowser's web developer toolset as available via F12, instead of straight in the raw HTML source as available via rightclick, View Source.
As to the why the webbrowser interpreted it like that; having a block level element like <h2> nested in an inline element like <a> is invalid HTML. The webbrowser basically chokes on that and pushes the block level element outside any inline element in the HTML DOM tree.
Just swap them, and the browser will be happy.
<h2>
<a4j:commandLink value="Button Title" action="#{action.method}" id="buttonId" />
</h2>
I am using the code view of JCE editor to add a link around some text. Adding a link through the link functionality gives the same results. When I add the link and save and come back to the code, it has completely reformatted it. Thanks for any help!
Here are the things I have already done:
Turned off global text filtering already.
Global parameters for the editor set validate HTML to off.
In user profile validate HTML is set to off.
Turned off all the parameters on the plugin parameters for the source code editor.
Here is the code I enter and how it becomes reformatted by JCE Edit:
<!-- BEFORE -->
<a class="inline" href="#inline_content">
<div class="smallTile">
<img src="/image.jpg" />
<h4 class="upper">Title</h4>
<p>
Paragraph
</p>
</div>
</a>
<!-- AFTER -->
<a class="inline" href="#inline_content"></a>
<div class="smallTile">
<a class="inline" href="#inline_content">
<img src="/image.jpg" />
<h4 class="upper">Title</h4>
</a>
<p>
<a class="inline" href="#inline_content"></a>
Paragraph
</p>
</div>
I'm using Visual Studio 2012 for an MVC web app using code first method with EF 5.0.
I have written the following code to make a modal window appear at some point:
<div id="mod" style="display:none;">
<div id="mod-container">
<div id="mod-close"><img src="~/Content/icons/close.png" title="close" onclick="$('#mod').fadeOut();"/></div>
<div id="mod-content"></div>
</div>
</div>
If works fine, exept that the image <img src="~/Content/icons/close.png" [...] /> cannot be found by the browser which thinks its URL is
http://localhost:49895/Class1/Home/~/Content/icons/close.png
To be precise, every code under my div's got broken URL. If I put my image above the div's it's displaying correctly with the following URL:
http://localhost:49895/Content/icons/edit.png
Do you have an idea where i messed things up?
Edit2: example (after problem being resolved)
This works:
<img src="~/Content/icons/close.png" title="close" onclick="$('#mod').fadeOut();"/>
<!-- comment containing a quote ' -->
<div id="mod" style="display:none;">
<div id="mod-container">
<div id="mod-close"></div>
<div id="mod-content"></div>
</div>
</div>
This doesn't work:
<!-- comment containing a quote ' -->
<div id="mod" style="display:none;">
<div id="mod-container">
<div id="mod-close"></div>
<div id="mod-content"></div>
</div>
</div>
<img src="~/Content/icons/close.png" title="close" onclick="$('#mod').fadeOut();"/>
Could be a bug in the new Razor 2.0 tilde parsing, or you've mucked up your html by missing a quotation mark or something. Try using the more explicit way of resolving urls
<img src="#Url.Content("~/Content/icons/close.png")" />
If that works then it suggests a razor bug, if it doesn't then your html is probably broken somehow but the extra # symbol may be enough for the parser to kick in and tell you what is wrong.
~ is an asp code element, not HTML. As such it doesn't get rendered by the HTML.
Try wrapping your src with #Url.Content
<img src="#Url.Content("~/Content/icons/close.png")" />