I have a URL which is using an API key and is driven by and displayed as XML. I have attached a screenshot of how the information is displayed in a browser. However, I need it to look more user friendly. Is this possible at all? The information is the details of an address book from DotMailer.
I'm rubbish at coding, so an idiot's guide would be great! :)
Depending on your knowledge, you have a lot of options, e.g.:
using XSL in this or in this way; if you cannot modify the XML (you should be able to put the stylesheet directive pointing to the XSL file there to let the browser do the transformation), you can execute an XSLT in JavaScript
using JavaScript to parse the XML; you can generate the HTML version and add it to an output div
if your XML is generated on the server side, you can use XSL there too, or you can generate HTML on the server side using a pure server-side language (PHP, C#, Java, etc.). If you are a bit more advanced, you can choose a template engine (Smarty for PHP, T4 for C#, FreeMarker or Velocity for Java, etc.) and go with it (a template engine can be an option on the client side too), or you can stick with XSL; almost every server-side language supports it.
Of course, you should create some CSS too to produce a nice output.
If you can provide some additional hints, I can provide a more accurate answer.
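An added example of the server-side route from the answer above (my code, not the answerer's and not DotMailer's): parse the address-book XML and emit an HTML table. The sample XML is constructed and its element names are an assumption, not DotMailer's real schema; the point it shows is that every value is HTML-escaped on the way out, so a field that happens to contain markup is displayed as text rather than interpreted by the browser.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample input. The element names are an assumption about the shape of an
# address-book export; they are not DotMailer's real schema.
SAMPLE_XML = """<?xml version="1.0"?>
<contacts>
  <contact><email>alice@example.com</email><firstname>Alice</firstname><lastname>Adams</lastname></contact>
  <contact><email>bob@example.com</email><firstname>Bob &lt;script&gt;alert(1)&lt;/script&gt;</firstname><lastname>Brown</lastname></contact>
</contacts>"""

def rows_from_xml(xml_text, record_tag="contact"):
    """Return (columns, rows): column names come from the first record's child elements,
    and each row lists that record's text for each column ('' when the field is missing)."""
    root = ET.fromstring(xml_text)
    records = root.findall(record_tag)
    if not records:
        return [], []
    columns = [child.tag for child in records[0]]
    rows = [[rec.findtext(col) or "" for col in columns] for rec in records]
    return columns, rows

def render_table(xml_text, record_tag="contact"):
    """Build an HTML table from the XML. Every header and cell value goes through
    html.escape, so text that was plain data in the XML (the second contact's
    first name contains '<script>') is shown literally instead of being run."""
    columns, rows = rows_from_xml(xml_text, record_tag)
    lines = ["<table>"]
    lines.append("  <tr>" + "".join(f"<th>{html.escape(c)}</th>" for c in columns) + "</tr>")
    for row in rows:
        lines.append("  <tr>" + "".join(f"<td>{html.escape(v)}</td>" for v in row) + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_table(SAMPLE_XML))
```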
I'm building a page in ASP.NET that will use TinyMCE to provide a rich text editor on the page. TinyMCE outputs the rich text as HTML, which I would like to save to a database. Then at a later date, I want to pull the HTML from the database and display it in a page.
I'm concerned about allowing malicious HTML or JS tags into my database that would later be output.
Can someone walk me through at what point in my process I should HTML encode/decode etc. to prevent a persistent XSS attack and/or SQL injection attack?
We use the Microsoft Web Protection Library to scrape out any potentially dangerous HTML on the way in. What I mean by "on the way in": when the page is posted to the server, we scrub the HTML using MS WPL, take the results of that and throw that into the database. Don't even let any bad data get to your database, and you'll be safer for it. As far as encoding, you won't want to mess with HTML encoding/decoding; just take whatever is in your TinyMCE control, scrub it, and save it. Then on your display page, just write it out as it exists in your database into a literal control or something like that, and you should be good.
I believe Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(input) will do exactly what you want here.
Are these admins that are using the RTE? If so, I wouldn't worry about it.
If not, then I don't recommend using a WYSIWYG editor such as TinyMCE. You'll have to actually look for malicious input, and chances are, you will miss some. Since the RTE outputs plain HTML, which I assume you want, you can't just convert HTML entities. That would kind of eliminate the whole point of using TinyMCE.
Stopping SQL injection is done in the backend when inserting the data into the database. You will want to use a parametrized query or escape the input (not sure how in ASP.NET, I'm a PHP guy.)
Couldn't you use a rich text editor that uses BBCode and on the server, escape everything that needs to be escaped and convert BBCode to HTML markup afterwards?
You could also, instead of producing BBCode on the client, convert the HTML markup to BBCode on the server, escape the remaining HTML and convert the result from BBCode back to HTML.
There are two approaches; you will probably use the first one:
1) You will make a list of permitted tags and escape/strip the rest of them. TinyMCE probably has some feature to disallow users from using some tags (but this is only client side; you should validate it on the server).
2) You will encode permitted tags differently ([b]bold[/b]); then you could save everything to the DB and, while rendering, escape everything and then interpret your special tags.
Third approach: if the user is an admin (one who should know what he is doing), then you can leave everything without escaping... he is the responsible one for his own mistakes.
I want to give end users the ability to save HTML to my backend store. Since this feature could easily cause SQL Injection, and loads of other issues, does anyone know of a server side library that will clean the input so only the "safe" parts of HTML can be used?
Some things I'd like to avoid:
Object Tag use
JavaScript use
Windows "style" pop-up boxes (such as your PC is infected with a virus)
CSS with a Javascript action
inline data from external sites
Since there is a 100% guarantee that I didn't come up with all the ways a user could be malicious with this feature, I'd like to learn what options I have to clean the data but preserve basic formatting.
Consider sanitizing user input with the Microsoft AntiXSS library.
http://wpl.codeplex.com/
http://msdn.microsoft.com/en-us/security/aa973814.aspx
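An added example, written here to illustrate both this question and the TinyMCE question above (it is my code, not the Microsoft AntiXSS/WPL library and not a drop-in replacement for it): an allow-list sanitizer built on Python's standard-library HTML parser, implementing the "list of permitted tags, strip the rest" approach. It drops object, embed, iframe, script and style elements together with their contents, removes every attribute except a vetted href on links (so style= and on*= handlers go), rejects javascript:/data: URLs, and re-escapes all text so entity-encoded markup never turns back into tags; the tag and attribute lists are assumptions you would tune for your site.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers, no id/class from users
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe"}  # tag and body both go
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def safe_href(value):
    """Absolute http(s)/mailto only; control chars are removed first so 'java\\tscript:' fails too."""
    cleaned = "".join(c for c in value if c.isprintable()).strip().lower()
    return cleaned.startswith(SAFE_SCHEMES)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # '&lt;b&gt;' arrives as text, never as a tag
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:   # any other tag: strip it, keep its text
            kept = ""
            for name, value in attrs:               # drops style=, onclick=, and unsafe hrefs
                allowed = name in ALLOWED_ATTRS.get(tag, ()) and value is not None
                if allowed and (name != "href" or safe_href(value)):
                    kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:      # close it and anything left open inside it
            idx = len(self.open) - 1 - self.open[::-1].index(tag)
            self.out.extend(f"</{t}>" for t in reversed(self.open[idx:]))
            del self.open[idx:]

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    """Keep only allow-listed tags/attributes, re-escape all text, close tags left open."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open))
```

Run this on the posted editor content before the database insert (the insert itself still goes through a parameterized query), and write the stored result out unchanged on the display page.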
I have been developing web apps for a while now, and for the past year I have been really exploring as many technologies as possible. I know some people are creating pages using XML and XSLT, or maybe CSS style sheets; however, it seems to me that the trends are still not moving in that direction. Plus it seems less functional/easy than XHTML/CSS-based pages.
What are the benefits of using XML/XSLT, and is it ideal to start developing in that manner? Is there anything else new that is pulling ahead of the pack in regard to front-end web development?
The reason I am bringing this stuff up is that it seems many people are switching from XML as a data source to JSON, which makes more sense as a data source; however, XML is still functional as a markup language...
And on that note, why would I even want to use XSLT vs CSS for the XML pages if I were to start developing that way? It seems to me that they serve the same purpose, except that XSLT looks like tag soup.
I hope this question makes sense....
XSLT can be useful if you have an XML data source that needs transforming into HTML. Otherwise you should be using HTML, CSS and jQuery for front-end development.
Right now, there is no reason to use XSLT at all. It's virtually incomprehensible compared to XML/XHTML, and offers no real advantage for you or your users.
As for using XML in lieu of (X)HTML, with the growing acceptance of the emerging HTML5 standard, I can't see why you'd give up canvas and the (eventually, they'll be good!) audio capabilities for XML. Even now, XML is nice for marking up documents, but for marking up a webpage, HTML is king – it's essentially XML tailor-made for the web.
There is no antagonism between XML/XSLT and XHTML/CSS; these are complementary technologies. Thus, in my web apps, XHTML pages are produced by means of XML/XSLT (the transformation occurs on the client side).
You'd use XSLT to transform some XML document into XHTML. Then you'd use CSS to style the XHTML.
XSLT is for transformation of one XML format into another. The data stays the same, but the representation changes. There is even XSLT-FO, which transforms XML into other objects, like pdf.
Also note, XSLT can be used client- or server-side. You can do the XSLT transformation in the browser or with a simple handler on the server. Java-based NoSQL data stores like existdb use XQuery to transform database entries with XSLT to any other XML format, including XHTML.
Using XSLT to generate XHTML from simple XML documents basically gives you a templating engine.
Since browsers still lack XForms support, you can use JavaScript+XSLT to transform XForms into valid HTML.
JSON is used to serialize and deserialize objects and transport them, thus replacing XML as a transport format, more specifically as an AJAX query response, in rich internet applications.
I am currently updating a webpage that has some very simple data displayed in a 2 x numberOfEntries table. The original is hard-coded into HTML, which, as a programmer, I find annoying.
I decided that converting the data to a simple XML schema would be the best idea since I really have no need for the added features of a database.
I then learned XSLT and got a working stylesheet going that converts the XML into an html table and looks fine in the browser.
Q: How do I get this new table back into the original website in place of the original table? I have tried using an iframe, but that's outdated and unfriendly.
Sub-question: There's really nothing holding me back from using ASP.NET (I am very familiar with it) except the cost of telling my client to make the necessary server changes. Is there a better way of solving this problem?
This particular article explains how to do it using JavaScript (no server-side dependencies). The only caveat is, I'm not sure how this will behave on a non-Wintel platform. I have never tested it there. Some browsers/environments might or might not implement it.
I'd rather do this on the server side still and inject it into a content placeholder / literal control (in ASP.NET) so as not to depend on JavaScript on the client side.
Is there any easy web application or user control that allows math equations to be easily created and stored as a text string?
Update: An ASP.NET control would be ideal.
This may be a starting point: http://thornahawk.unitedti.org/equationeditor/equationeditor.php
There is no short answer to this but Wikipedia has very good coverage of your options including coverage on MathML (Math Markup Language)
They list a javascript library, ASCIIMathML, that works in both Mozilla (Firefox) and IE in conjunction with a display component MathPlayer.
Galwegian's suggestion doesn't actually do much in PHP, so turning it into an ASP.NET control shouldn't be too hard. The editor is all in JavaScript, which you can of course reference from .NET. The PHP code just receives AJAX requests when you click Render Equation and passes them to codecogs.com to create the actual image.
You could either port that bit to .NET, or alternatively use jsMath to do the rendering. This isn't quite as pretty as an image rendered by LaTeX, but since it's JavaScript you could probably have it constantly update the rendered equation as you edit rather than requiring a button to update it.