Is there some function for checking is any html page is valid?
10x
Related
In some part of my .cshtml file, I should render Html that users entered with Html-Editor.
My code is :
<div id="description">
#Html.Raw(Model.Html)
<div>
but #Html.Raw() is not safe from XSS Attacks for example if user's entered Html content was something like this :
"<script>alert('XSS attack!')</script>"
this script run after entering this page!
how can I prevent from running these scripts(in general XSS attack) while rendering Html ?
You can encode the HTML before rendering it:
#Html.Raw(Html.Encode(Model.Html))
But this is the same as rendering it using:
#Model.Html
If you render the HTML, use view source, or your browser's inspector, and copy the generated script tag, you'll see it's been encoded:
<script>alert('XSS attack!')</script>
But I personally prefer using the combination of Html.Raw and Html.Encode because it makes it clearer to the reader what the intent is.
I have a main page via a div. Many page are load into div via "load" function in jQuery.
When page loaded all script in head of page is load.
Is there a way to prevent scripts from being reloaded when the script is already loaded?
(Disclaimer: this architecture is wrong and should not be used. My response is only to address the OP's specific problem)
Try wrapping the head area of your pages in an if statement, which checks whether the request is ajax or not:
<%if(!Request.IsAjaxRequest){%>
<head>
...
</head>
<%}%>
Update
In response to OP's comment - Add a querystring parameter to every ajax request that happens after the first one. Use some JavaScript for that. Then change the if statement to check for that parameter:
<%if(String.IsNullOrEmpty(Request.QueryString["secondTime"]){%>
<head>
...
</head>
<%}%>
I have some pages in my mobile web app based on jQuery Mobile that need to be accessible without authentication and some only after user has been authenticated. My solution is based on this tutorial: Java Servlet Filter Example Tutorial.
I have done #WebFilter which checks to which page user tries to access and if he isn't authenticated (session not created or there isn't attribute user inside the session) he's being redirected to login.html page.
This is relevant code from my login.html page:
<form action="LoginServlet" method="post">
...
input elements for username and password
...
</form>
Form submitting its data to LoginServlet. LoginServlet checks that credentials are correct and if they're correct, redirect it back to the required page. Currently I store required page in the session (it's better to store this in a hidden element inside the form, but I didn't know it when I was writing the code)
I perform redirect from LoginServlet by using this line of code:
response.sendRedirect(redirectToPage);
All pages in my project are simple *.html pages with javascript, I make a mobile web app by using jQuery Mobile.
My problem that after redirect to required page:
It the address bar I see name of the my servlet, LoginServlet while in a console of Chrome I didn't see content of my page, only the name of my servlet, LoginServlet and its content is a blank. But inside the browser I see all static content, it's rendered correctly.
The most important problem that all my dynamic content in a loaded page doesn't work. Dynamic content I mean a few ajax function which should be invoked upon page loading and render dynamic content:
$(document).on('pagebeforeshow',function(){
initPage();
});
If I reload page everything begins to work as it should.
What am I doing wrong?
Thank you in advance.
There are actually a two solutions for this problem.
The first one is to perform redirect in javascript not in servlet, and I think that it's preferable solution, for more details look here: How to manage a redirect request after a jQuery Ajax call
And second solution if you required to do it from servlet after submitting a <form/>, is to add data-ajax="false" into the <form/> tag:
<form action="postthis" method="post" data-ajax="false">, this solution is taken from here: https://stackoverflow.com/a/8631895/947111
I have a basic form for submission in a detailview aspx page.
On of my textareas contains html code <br>. Whenever I try to do an insert, it fails, and I get a generic:
The status code returned from the server is 500
I know the issue is the html code offending <br> because when removed, it inserts fine.
Is there a setting for the templateview for this field to allow html tags be allowed on the insertion?
Any pointers appreciated!
Any HTML in a textbox in asp.net web forms (assuming web forms) will cause this error. You need to encode it in JavaScript, set the ValidateRequest property on the #Page attribute to false, or use some other utility (there are some out there, don't know of a specific one, maybe the HTML agility pack?).
In your Page Declaration ensure that ValidateRequest="false"...beware, this opens you up to XSS, Cross Site Scripting.
Ensure theat you encode the Data from the textarea before sending it to your Database, then when you return it to display, you'll Decode it.
From Microsoft.
**Encode Output
Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML-to-HTML variables that represent those characters. For example, < is replaced with < and " is replaced with ". Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.
Similarly, use HttpUtility.UrlEncode to encode output URLs if they are constructed from input.**
http://msdn.microsoft.com/en-us/library/ff649310.aspx
Some users who navigate to my page do so via an url like this : http://domain/ProductDetail.aspx?Productid=123#Pricing
In this section is a asp:button to make a purchase. This button cause a postback, and when the page rerendering in the broswer the FragmentIdentifier #Pricing is still in the address window.
This is causing problems because there is new content rendered on the page which isn't visible if the browser navigates to the #Pricing section.
How do I prevent the FragmentIdentifier on postback?
Clarification:
It appears that this problem happens in Chrome but does not happen in IE8 or FireFox. Chrome holds on to the #FragmentIdentifier after postback even those there is no reference to it in the action attribute.
You can't, browser doesn't send it:
When a URI reference is used to perform a retrieval action on the
identified resource, the optional fragment identifier, separated from
the URI by a crosshatch ("#") character, consists of additional
reference information to be interpreted by the user agent after the
retrieval action has been successfully completed. As such, it is not
part of a URI, but is often used in conjunction with a URI.
How to get Url Hash (#) from server side
Browsers don't send URL fragments on the server side. You can't modify them the only option you can try is URL rewrite, if that helps. good luck...
The ASP.NET engine will cause a simple submit without any given URL, so the browser is forced to take the URL of the current page.
You can get rid of the hash after the postback by hooking a self executing javascript into the HTML that will replace the hash to an empty string.
Here is an example:
if(this.Page.IsPostback)
{
this.Page.ClientScript.RegisterStartupScript(this.GetType(), "RemoveHash", "window.location.hash=''", true);
}
You can force the browser to get rid of the # tag by redirecting to the same page.