I generate some HTML dynamically and I need to make sure that any type of malicious javascript doesn't make it into the HTML. So I have this code to "clean" the input before I save it to the database:
Input = Input.Replace("'", "\'")
Input = Input.Replace(Chr(34), "\" & Chr(34))
Input = Input.Replace(vbCrLf, "")
Return System.Web.HttpUtility.HtmlEncode(Input)
This does clean the input, but it is also stripping any inline CSS that I have inside the input. Is there a way to strip out potentially malicious code yet keep the CSS tags?
Thanks!
you can use this line
Private input = Regex.Replace(input, "<script.*?<\/script>|<script.*?\/>", "")
Related
Here is my code:
Dim input = "<div><textarea>something</div></textarea>"
Dim doc As New HtmlAgilityPack.HtmlDocument
doc.OptionOutputAsXml = True
doc.LoadHtml(Input)
Using writer As New StringWriter
doc.Save(writer)
Dim res = writer.ToString
End Using
and the value of 'res' is:
"<?xml version="1.0" encoding="windows-1255"?>
<div>
<textarea>
//<![CDATA[
something
//]]>//
</textarea>
</div>"
the result as html is: My textarea
How can I prevent it ?
From my understanding of it, the reason is implied by this answer to Set textarea value with HtmlAgilityPack:
A <textarea> element doesn't have a value attribute. It's content is it's own text node:
<textarea>
Some content
</textarea>
To simulate the same thing safely, HAP has to enclose the content in a //<![CDATA[ section.
The source code for HAP has this comment for the relevant line(s):
// tags whose content may be anything
ElementsFlags.Add("textarea", HtmlElementFlag.CData);
So, you can't prevent it.
Need to write in element .
This is the HTML code
< div id="t" class="message-tools__textarea js-scroller" contenteditable="true" data-placeholder="Write a message (Enter to send)">XXXXXX< /div>
My question is how to write text like XXXXXX ?????
Add this:
<div id="t" runat="server" ...
And then in your codebehind:
t.InnerText = "XXXXXXX" ' or t.InnerHTML if you're adding HTML code).
So, if the text to be replaced is fixed and has only 1 instance within the HTML code, it should be rather simple:
Dim OrigCode, ModifiedCode as string
OrigCode = GetGoogleCodeFromURL ' get the code
ModifiedCode = OrigCode.Replace("XXXXXXX","ZZZZZZ")
Dim MyHTML as string = "<head>...</head><body><h1>Hello World!</h1><p> </p>" & _
ModifiedCode & "<p> </p><p>That's it.</p>"
But usually, things are a bit more complicated, so I'm not sure, if you expressed your wish precisely. Also, if the code is big and action is recursive, it might be better to break it into parts and handle only relevant part of it, due to performance issues.
So I have a program that takes a few inputs from textboxes and then adds them all up into two strings. Basically here is the problem, I am trying to get one of the strings to go into the forum post "title" and one into the forum "body". (This is not a spam program, it makes it easier for people to post ban reports for players on our server.) Here is the HTML codes for the website I am trying to type into;
<p class="ipsField_content">
<input id="topic_title" class="input_text" type="text" size="60" maxlength="150" name="TopicTitle" value="" tabindex="2">
</p>
The HTML code above is for the topic title area I want to type into. The problem with this is that it always says how it can not find this area.
'This is the HTML code for the forum body:
<body spellcheck="true" class="cke_show_borders">
<p>This is where I want to be able to type</p>
</body>`
With the HTML code above, I can't seem to get this VB code below to select that text area and enter in my string.
WebBrowser1.Document.GetElementsByTagName("p").InnerText = post
One reason is because VB doesn't allow me to use .innertext on a tag, and the other is that I do not know how to really specify which "p" tag. Like there is multiple "p" tags on this webpage, but it is the only "p" inside the "body" tag, if I could specify that somehow.
Here is the VB code I am using currently for the program.
Dim Report As String
Report = YourName & Suspect2 & Server & Time2 & Reason & RulesBroken & Proof
Dim topictitle As String
topictitle = ("" & Suspect & " - " & txtReason.Text & txtReasonCustom.Text & "")
txtTitle.Text = topictitle
txtPost.Text = Report`
making sure that the words "sign out" is on the page to insure the webbrowser is signed in.
`Dim theElementCollection As HtmlElementCollection
theElementCollection = WebBrowser1.Document.GetElementsByTagName("input")
For Each curElement As HtmlElement In theElementCollection
Dim controlName As String = curElement.GetAttribute("name").ToString
If WebBrowser1.DocumentText.Contains("Sign Out") Then
WebBrowser1.Navigate("www.ThisLinksToMakeNewPostOnTheWebsite.com")
WebBrowser1.Document.GetElementById("topic_title").InnerText = txtTitle.Text
WebBrowser1.Document.GetElementByTagName("body").firstchild.InnerText = txtPost.Text
End If`
this code below is used to click the submit button
`WebBrowser1.Document.Forms(0).InvokeMember("submit")`
also this is the html code for the "Post New Topic" button
<input type="submit" name="dosubmit" value="Post New Topic" tabindex="50" class="input_submit" accesskey="s">
Anyways that is it. I tried to include as much information and as much lines of code as I could to show that I really am trying.
Please help, I have tried the MSDN links, but I can't seem to apply it to this.
From your code I think you are using the WebBrowser control. There is a much less resource hogging alternative. Since you are really only interested in posting to a form, you don't need the overhead of a browser. You can use the HTTPWebRequest to POST the data/text from your textboxes directly to a URL. An example can be found here:
http://howtostartprogramming.com/vb-net/vb-net-tutorial-51-httpwebrequest-post-method/
It's not the best tutorial in the world but it will get you on your way. You would of course still need to know what data you need to send to the web site.
I have a form that needs to submit a .csv file to the server and then append the words in it to a textarea in my page. I am using Remotipart to upload the .csv using AJAX but I cannot get the javascript in the server response to execute. Here are the relevant parts of my code:
The Form:
=form_tag(upload_canvas_words_admin_page_widget_widget_instance_path(widget.page, widget),:method=>'post',:remote=>true,:multipart=>true,:class=>"upload_words_csv") do
= label_tag "Upload File"
= file_field_tag "file"
= submit_tag "Upload"
The Controller:
def upload_canvas_words
#csv_text = params[:file].read
end
The .js.haml file:
= remotipart_response do
- if remotipart_submitted?
alert('#{#csv_text}');
alert('!');
- else
alert('WHYYYYY?');
When I look at the response I see the javascript being wrapped in a bunch of html, which I assume has something to do with the iFrame transport. But the javascript never actually executes.
Refer this issue. And try to follow the solution given here.
https://github.com/JangoSteve/remotipart/issues/89
So what happens is that reponse arrives to the browser with html entity (like ") inside the textarea. When the js code for evaluation is extracted the html entities are replaced by theirs respective characters (like " to ').
That's a characteristic of a textarea. So it doesn't get executed
Adding data: {type: :script} to the form should be the fix
This may be a sad implementation to start with but...
I have an XML string that I want to pass to a FusionChart but it fails (without errors...).
Controller code: trying to pull XML from a page
data_url = "[removed URL]/run/custom.xml?start=#{#start_week}&end=#{#end_week}&x=daychart=line&application=#{#application}".html_safe
data_uri = URI::escape(data_url)
#response = RestClient.get(data_uri)
Rails.logger.debug("Data: " + #response.inspect)
View Code: instantiating the Chart and passing the XML
<script>
var chart = new FusionCharts("/charts/MSLine.swf", "quality_center_stats", "700", "400", "1", "0");
chart.setDataXML("<%= #response %>");
chart.render("quality_center_stats");
</script>
Let me know if there is more I can add
Can be any of the following:
The XML contains special characters which needs to be encoded in the DataXML method. e.g., % should be passed as %25, & as %26, " as %26quot; or "
Make sure you do not have any newline character in that XML string. That would break the string in JavaScript (and you will get "unterminated string" error in JavaScript console)
Make sure the XML data which is passed conforms to FusionCharts Mulit-series data format
Make sure you have placed the SWF and JS files in proper paths and are accessed correctly. (can check through network tab of Firebug or Developer Console of Chrome)