I have a web page with a read-only text box which shows some HTML code:
<input type="text" readonly="true" value="<table>...</table>"/>
There is also submit button, which causes page post back and XSS validation to trigger. I don't want to turn off XSS.
I also tried disabled="disabled", but then the user is not able to copy the text in the text box.
So I thought that using div and span which can give same look and feel would suffice and negate the need for turning off the validation. While trying this, I am struggling to restrict the string in one line. As in text box, it is a single row with column size and text is shown nicely, we can also copy text.
Is there a better solution for what I'm trying to do?
If I understand you correctly you're trying to show some example code in a web interface that is formatted for easy consumption by the end user.
As a general rule, you should wrap code snippets in <pre></pre> tags, I would then suggest having a go at using: http://alexgorbatchev.com/wiki/SyntaxHighlighter to format the code as if you were viewing in an IDE.
This will prevent you from having to turn of the XSS checker.
you could use <pre> tags
check this link
Related
I am using a Jupyter Notebook for an interactive coding demonstration. There is an exercises block where the user should enter their own code to try and solve a problem.
I now want to optionally give some further instructions, i.e. hints how to solve the problem, which should be hidden by default.
I found this answer, which links to this site here, using JavaScript in a raw nbconvert cell to hide output cells. However, this only seems to work for exported notebooks, while I want something in the notebook itself.
So I've tried adding similar JS into a Markdown cell, but that doesn't work because the JS gets sanitized away.
I'm not sure if CSS also gets sanitized, but raw HTML works. Is there a good way to create a hidden/folded text paragraph with something like "click here for further instructions" to show the text?
The best I could come up with so far was a title attribute to create a mouse-over text, unfortunately without further formatting:
<span title="Instruction text goes here">Mouse over for further instructions</span>
The <details> tag is pure HTML which does just that, and which does not get removed by the sanitizer. It can have a <summary> to describe the contents of the fold.
<details>
<summary>Click here for instructions</summary>
Instructions go here
</details>
See also: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/details
Given a simple text box in the form:
<input type="text" … >
Is there any way for the user to inject a line break?
I know that it is possible to fake a form using curl or other technology, so I’m not relying on this as a form of protection. It’s more a question on whether a user can do this simply.
Thanks
No, they can't enter a new line in a text input.
They can, however, replace the input with a textarea in their browser's DOM inspector or bypass the form entirely and send an HTTP request with whatever data they want in it.
I have a form with a text field that users input text into. They can use multiple lines, put in bold text, underlined text, etc., but the text, when saved to SQL Server doesn't have any formatting saved, just the text is saved. What is the best way to save the text with the HTML so that when it gets viewed by another user and pulled up from Sql Server the HTML is saved and the formatting is saved?
Ex.
hello
Paul
This would be saved as
helloPaul
you can't see it but there are bold and carriage return html tags rapped around the text
When receiving data from the user, on the server side code, use HTML encode to safely store the data:
var inputData = Server.HtmlEncode("<strong>some data input from user</strong>"); //insert your user input data variable here
Then when displaying the data in your cshtml page, decode the data to display it as the user entered it:
HttpUtility.HtmlDecode(saveUserDataFromDatabaseVariable);
All this is assuming you have a rich text editor being plugged into the input field. CKEditor and TinyMCE are good ones.
You can use a text editor. Take a look at CKEditor. It's free and easy to use :)
Can you post some code and more details?
I have had good success with CKEditor. It is customizable, and its content can easily be saved via postback to a standard asp:TextBox.
It is possible that the editor you are using is not actually updating the input/textarea that you are using, it may be cloning the text and drawing the formatting in an overlay. You can use developer tools, or javascript, to verify this by checking the value property of the input or textarea element. If it is being saved via AJAX or javascript the code may be using the textContent or innerText properties instead of innerHTML.
I used the richtexteditor dll that's free online. it gave me a wiziwig box that the user can edit texxt in.
I am looking for some guidance on how to save editing done using /wysihtml5.
I have googled using several different combinations of search terms but virtually all the hits I get are github. I have looked through the examples on that site but I can't find anything that explains how the changes can be saved once a user edits a page.
I do have some php and sql knowledge but would like some pointers to exactly what I need to do to get changes made using /wysihtml5 saved. The other instructions appear very comprehensive so I wonder why this aspect seems to be missing.
Can anyone help please?
Many thanks
Brenda
According to the editor's Getting Started page, it works by replacing a regular <textarea> with the rich editor:
wysihtml5 takes a textarea and transforms it into a rich text editor.
The textarea acts as a fallback for unsupported browsers (eg. IE < 8).
Make sure the textarea element has an id, so we can later access it
easily from javascript. The resulting rich text editor will much
behave and look like the textarea since behavior (placeholder,
autofocus, …) and css styles will be copied over.
Please note: The textarea will always hold the editor’s generated
markup. Therefore wysihtml5 integrates smoothly with forms.
So, the editor's content will always be available as the value of the textarea, and you can use it as you would with a regular form element (submit the form, or get the contents with JavaScript and send it to PHP using Ajax).
For example, consider you apply the editor to the following:
<form action="somescript.php" method="POST">
<textarea id="wysihtml5-textarea" name="wysihtml5-textarea"></textarea>
<input type="submit" value="Submit form">
</form>
If you submit the form by clicking the button, your php script will receive the contents on $_POST["wysihtml5-textarea"] (change the name of the textarea to set the desired key on $_POST).
If you want to get the value using JavaScript, select the <textarea> by ID, then access the element's value:
var textarea = document.getElementById("wysihtml5-textarea");
alert(textarea.value);
Then you can pass that value to PHP using Ajax if you want. The PHP/SQL implementation for actually saving the data is up to you, the editor's code just takes care of providing a rich text editor, and formatting features.
Note: I never used that editor, so my answer might be not be 100% accurate.
I have an HTML page which needs to display some HTML generated by the user on the Administration area (like a blog, for instance). The problem is that the user sometimes needs to copy-paste tables and other "garbage" content from Word/Excel to the WYSIWYG editor (that has the proper "paste from Word" function). This causes the resulting HTML code to be very dirty.
It wouldn't be a problem unless some of these pages are shown totally wrong: other divs AFTER user's HTML code are not in their supposed position, floats are not respected... etc...
I tried putting a div:
<div style="clear: both;"></div>
without success. I even tried with iFrames, but iFrames accept only external webpages (if applicable...).
The question is: is there any tag or method to put a part of an HTML code inside a webpage discarding all formatting AFTER this code?
Thank you.
To my knowledge, you simply want to end all divs. HTML is a very simple code, with very simple options. Your example doesn't work because HTML isn't that advances. You can either start a function <...> or end a function .
Ideally what you want is a piece of code that puts their work in a separate frame entirely, so as soon as the page passes their code, it goes back to the correct formatting.
Or, you could be really sloppy and put one hundred 's in, just in case.