Display markdown safely as HTML in Vue3 - vue.js

So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
const toHtml = text
  // non-greedy (.*?) so that two <color> spans in one string are not merged into one
  .replace(/<color>(.*?)<\/color>/gim, "<span class='primaryColor'>$1</span>")
  // the stored strings contain a literal backslash-n sequence, not a newline character
  .replace(/\\n/g, "<br>")
  // the s flag lets a <caution> block span several lines
  .replace(/<caution>(.*?)<\/caution>/gims, "<div class='caution'>$1</div>");
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter these strings themselves, and they would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execute malicious code, even if the string on the server contains <script>malicious code</script>, right?

My problem is that at some point I expect users to be able to enter these strings themselves
So, do we have a form input for the users to enter the string which you mentioned in the post? If yes, my suggestion is that you can sanitize the user input in the first place, before passing it to the backend, so that no malicious code is stored in the backend itself.
Hence, by using the string.replace() method, you can first replace the malicious tags, for example <script>, <a, etc., in the input string and then store that in a database.
Steps you can follow:
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all occurrences of the characters in the string that match the blacklist regex with the empty string.
Store the sanitized string in the database.
That way, you will not need to worry about the string coming from the backend, and you can bind it via v-html without any harm.
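A different way to get the rendering the question asks for, added here as an example and not taken from the question or either answer: instead of rewriting the raw string with regexes and then trying to sanitize the HTML that comes out, tokenize the custom markup itself. Only the markers <color>, </color>, <caution>, </caution> and the line break are ever interpreted; every other character, including any <script> a user types, is entity-escaped, so the result contains nothing but the three tags this code emits. The function names, the MARKERS table and the sample strings are constructed for this example.

```javascript
// Added example: a tokenizer for the question's custom markup that emits
// only a fixed set of tags and entity-escapes everything else.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The custom markup vocabulary and the only HTML it may turn into.
// Class names are fixed here, so user input can never supply attributes.
const MARKERS = {
  color:   { open: '<span class="primaryColor">', close: "</span>" },
  caution: { open: '<div class="caution">',        close: "</div>" },
};

// Matches <color>, </color>, <caution>, </caution>, a literal "\n"
// (backslash + n, as the question's regex expects) or a real newline.
// "<color onclick=x>" does not match and therefore stays literal text.
const MARKER_RE = /<(\/?)(color|caution)>|\\n|\n/g;

function renderCustomMarkup(input) {
  let html = "";
  let last = 0;
  const open = []; // stack of currently open markers

  for (const m of input.matchAll(MARKER_RE)) {
    // Plain text between markers is always escaped.
    html += escapeHtml(input.slice(last, m.index));
    last = m.index + m[0].length;

    if (m[0] === "\\n" || m[0] === "\n") {
      html += "<br>";
      continue;
    }
    const [, closing, name] = m;
    if (!closing) {
      open.push(name);
      html += MARKERS[name].open;
    } else if (open[open.length - 1] === name) {
      open.pop();
      html += MARKERS[name].close;
    } else {
      // Close marker with no matching open marker: keep it as visible text
      // rather than emitting unbalanced HTML.
      html += escapeHtml(m[0]);
    }
  }
  html += escapeHtml(input.slice(last));

  // Close whatever the author left open so the fragment is well-formed.
  while (open.length) html += MARKERS[open.pop()].close;
  return html;
}

// Constructed sample: the string from the question.
const SAMPLE =
  "This is a string <color>that I need</color> to\\nrender " +
  "<caution>safely in the browser</caution>. This is some trailing text";

console.log(renderCustomMarkup(SAMPLE));
// A string carrying the <script> from the question comes out as inert text.
console.log(renderCustomMarkup("<script>malicious code</script><color>x"));
```

The returned string can be bound with v-html exactly as before; because every non-marker character goes through escapeHtml, the only tags that can reach the DOM are the span, div and br produced here, and they never carry user-controlled attributes. The function runs at render time, so the stored string can stay exactly as the user typed it, and nothing depends on a blacklist. If you would rather avoid v-html entirely, the same tokenizer can drive a Vue render function (h('span', { class: 'primaryColor' }, children) and so on), so no HTML string is parsed at all. Running the regex approach through an allowlist sanitizer such as the one the question links is the other workable route; in either case the property to keep is that only tags from a fixed allowlist reach the DOM.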

Related

Go template is adding extra quotes to output

I want to use the value of my variable in Go template as-is but Go is adding extra quotes around it. E.g., for a Go template like
{{.Site}}:{{.Port}}/{{.Path}}
I want to get the output as
Mysite:3000/from/here
but the template is giving me the following instead:
"Mysite":"3000"/"from/here"
So,
How can I fix it (get rid of all the extra quotes or better suspend them all)? See https://play.golang.org/p/uKpgXdLv5gM
Go template also changed "orgId=1&refresh=30s" to orgId=1\u0026refresh=30s, how to avoid that?
Moreover, if I add https:// to the front of my url, the output is truncated. How to fix that as well?
Finally, is it possible to escape "`" within "`"?
As per Go HTML template doc:
HTML templates treat data values as plain text which should be encoded so they can be safely embedded in an HTML document. The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.
The security model used by this package assumes that template authors are trusted, while Execute's data parameter is not. More details are provided below.
It means JavaScript escaping is enabled whenever the Go HTML template engine detects that it is within a <script> tag (i.e., it has nothing to do with whether regular " quotes are used or not, as the first commenter thinks). So
to get the output as
Mysite:3000/from/here
instead of:
"Mysite":"3000"/"from/here"
Do not wrap it with <script> & </script> tags.
Do the concatenation after template Execute().
Again, with <script> & </script> tags wrapped around it, I'm getting:
var url = `"Mysite":"3000"/"from/here"/${othervars}?"orgId=1\u0026refresh=30s"`
vs. without <script> & </script> tags wrapped around it, I'm getting:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
Just what I need.
However, my actual case is that I'm using go HTML template engine to process my .html template files, so I cannot really do the concatenation afterwards, as everything is defined in the .html template file. So, just as Martin Gallagher has shown in his code, for such case, using template function seems to be the only option.
But even that might not be a viable option, as this is what I'm getting out of Martin's code:
var url = "Mysite:3000\/from\/here?orgId=1\u0026refresh=30s"
It is still not exactly what I wanted:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
So maybe with such case, it indeed has no ideal solution.
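To make the contextual rule described above concrete, here is an added example written in JavaScript rather than Go: it is a model of what html/template does inside a <script> block, not Go's own code. Each template action becomes one JSON literal, and the characters that could end the script block or the HTML context (<, >, &, and the JS line terminators U+2028/U+2029) are hex-escaped. The function names and the sample values are constructed; the outputs match the ones quoted in the question and answer.

```javascript
// Added example: a JavaScript model of html/template's <script> context
// escaping, as a Node server emitting an inline script would apply it.
function toScriptLiteral(value) {
  const json = JSON.stringify(value);
  if (json === undefined) return "null"; // undefined and functions have no JSON form
  // <, > and & cannot then close the script block or start an HTML entity;
  // \u2028 and \u2029 are line terminators in JS but not in JSON.
  return json.replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Mimics {{.Site}}:{{.Port}}/{{.Path}} inside <script>: every action is a
// separate literal, which is why the output reads "Mysite":"3000"/"from/here".
function perActionScript(d) {
  return `var url = ${toScriptLiteral(d.Site)}:${toScriptLiteral(d.Port)}/${toScriptLiteral(d.Path)};`;
}

// Build the whole URL before templating and emit it as one value: the page
// source shows \u0026, but the running script sees a plain "&".
function singleValueScript(url) {
  return `var url = ${toScriptLiteral(url)};`;
}

// The value the browser's JS engine actually gets from the emitted literal.
function roundTrip(value) {
  return JSON.parse(toScriptLiteral(value));
}

const DATA = { Site: "Mysite", Port: "3000", Path: "from/here" }; // constructed
console.log(perActionScript(DATA));
console.log(singleValueScript("Mysite:3000/from/here?orgId=1&refresh=30s"));
console.log(roundTrip("orgId=1&refresh=30s")); // the & is back at runtime
```

The practical consequence for the question: the quotes and the \u0026 are not a corrupted value, they are the literal syntax of a correctly escaped JS string, and the browser decodes them. Passing a finished URL as a single value gives one valid literal; what does not work is interpolating several actions and hoping the text between them is parsed as part of the string. Disabling the escaping with a template function that returns template.JS trades this guarantee for trusting the data, so it is only appropriate for values the server itself constructs.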

HTML not rendering through EJS

So basically I have a bunch of HTML strings in a MySQL table and I am trying to display them through EJS.
For instance, I have a string that looks like this is a link with some <code>code</code> next to it. In my code I try to display it this way:
<%- listOfStrings["myString"] -%>
However, as you probably guessed when reading the title, the string seems to be escaped when displayed on the screen.
What's even weirder to me is that I have two tables with such strings, and it works for the first one, while it doesn't for the second one. One difference, though, is that the first one is hardcoded, while the second one can be edited through some tool on my website. Encoding is utf32_unicode_ci for both tables, if that matters.
For debugging purposes I tried to store the aforementioned strings in a JS variable and display them in the console: then it seems like the < and > characters are all escaped for some reason. Is there an explanation for this behavior, and if so how do I fix it so that the HTML renders correctly?
Thanks for your help!
You can try this:
<%=listOfStrings["myString"]%>

How to generate username of specific pattern in drupal during registration

I want to generate usernames as st + the first two initials of their first name + their last name.
There are a few modules to create usernames of a specific pattern, but none of them can accomplish my requirement. I am not a Drupal module expert.
What you can do is to install the automatic username module:
Navigate to the configuration page of this module: admin/config/people/accounts/patterns
Then, in the "Other settings" section you can check the option "Evaluate PHP in pattern."
This allows you to execute PHP in the "Pattern for username" field. Two things to consider:
PHP is executed after the token replacement, this allows you to actually manipulate the strings.
You need to echo the final result.
Make sure that the PHP is wrapped in <?php ?> tags. Also, if you make a syntax error, it will only be seen upon registration (or whenever the script is executed).
Now let's say you configured your users to have a first_name field and a last_name field (with those specific field names).
Your PHP could look something like this:
<?php
$initials = substr("[user:field-first-name]", 0, 2);
echo 'str' . $initials . "[user:field-last-name]";
?>
First, note that the tokens are between double quotes to make sure that what is output by the token is considered a string by PHP.
Second, the PHP function substr is used to get the first 2 letters of the first name.
Now, things I don't know:
I have no idea what happens if two users happen to have the same resulting username.
I don't know what happens if a user enters a double quote in his name; it might be dangerous, so you might want to escape it with str_replace or something like that.

Remove extra ASCII symbol rendering in PDF

I have a user that is storing a 'registered trademark' symbol in her name in our database, and when we retrieve it from the database it renders correctly, but when we actually place it onto the website itself in HTML it renders with an extra 'A' symbol in front of it:
You can see above the database value compared to what is rendered in the PDF file. I can access the database value in the backend and edit it through vb code but I am really not sure how or what the code would be to do that as I don't want to remove all ASCII characters just the extra symbol being generated and rendered in the PDF.
Any idea how to do this would be great.
I think the main problem is that you generate wrong HTML code by just inserting your database result strings into your website.
You can encode your database string to HTML by using the HtmlEncode function from HttpUtility in .NET.
Here is an example in VB.NET:
myEncodedString = HttpUtility.HtmlEncode(myString)
If you use "myEncodedString" inside your web page you'll get no additional characters and valid HTML code.

Lotus Domino database FTSearch method and brackets

I need to search with FTSearch for something like this: MS004790(419411/10). But it throws NotesException: Notes error: Query is not understandable (MS004790(419411/10))
So maybe there is some trick to search strings like that, or maybe I need to parse it somehow?
Thanks for the help!
TL;DR: Wrap your search in quotes.
Full text search has two modes: Web search and Notes search. In your Notes preferences you can set this.
Web search is just like a text search. Notes search attempts to parse the search term.
However the client can fall back to Notes search terms if it sees the first characters are capitals (or capital reserved keywords like "FIELD"). So to prevent it from parsing you need to wrap it in quotes.
For example
(LotusScript)
searchString = |"MS004790(419411/10)"|
(Java)
searchString = "\"MS004790(419411/10)\""
If it is still failing after that, manually try the search in the FT search bar. Once you have that working the code should work the same way.
If it is still failing at that point it may be related to the UNK table. If so see the following:
Lotus Domino: After changing TYPE of a field, Full Text Search won't work for this field