i have this url, http://www.poer.com/oneup.htm?zip={zip}.
I need the {zip}, because in my code, when this page opens, I replace the {zip} with a zipcode say 10001.
But in aspx, when i put validation for that txtbox, it wont let the {} pass through.
This is the validation - ValidationExpression="http://([\w-]+.)+[\w-]+(/[\w- ./?%&=]*)?"
regularexpressionvalidator.
How can i get the curly brackets in sql server? which is my db in backend
I don't know ValidationExpression but it looks like just a regex so can't you just add the ={zip} to the end of it?
ValidationExpression="http://([\w-]+.)+[\w-]+(/[\w- ./?%&=]*)?={zip}"
Related
So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say, I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
toHtml = text
.replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
.replace(/\\n/g, "<br>")
.replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>")
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter this strings themselves, and that would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execut malicious code, even if the string in the server contains <script>malicious code</script>, right?
My problem is that at some point I expect users to be able to enter this strings themselves
So, Do we have a form input for the users to enter the string which you mentioned in the post ? If Yes, My suggestion is that you can sanitize the user input at first place before passing to the backend. So that in backend itself no malicious code should be stored.
Hence, By using string.replace() method. You can first replace the malicious tags for ex. <script>, <a, etc. from the input string and then store that in a database.
Steps you can follow :
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all the occurrence of the characters available in the string as per the blacklist regex with the empty string.
Store the sanitized string in database.
So that, You will not get worried about the string coming from backend and you can bind that via v-html without any harm.
I want to use the value of my variable in Go template as-is but Go is adding extra quotes around it. E.g., for a Go template like
{{.Site}}:{{.Port}}/{{.Path}}
I want to get the output as
Mysite:3000/from/here
but the template is giving me the following instead:
"Mysite":"3000"/"from/here"
So,
How can I fix it (get rid of all the extra quotes or better suspend them all)? See https://play.golang.org/p/uKpgXdLv5gM
Go template also changed "orgId=1&refresh=30s" to orgId=1\u0026refresh=30s, how to avoid that?
Moreover, if I add https:// to the front of my url, the output is truncated. How to fix that as well?
Finally, is it possible to escape "`" within "`"?
As per Go HTML template doc:
HTML templates treat data values as plain text which should be encoded so they can be safely embedded in an HTML document. The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.
The security model used by this package assumes that template authors are trusted, while Execute's data parameter is not. More details are provided below.
It means JavaScript escaping is enabled whenever the go HTML template engine detects that it is within a <script> tag, (i.e., it has nothing to do with whether using regular " or not as the first commenter thinks). So
to get the output as
Mysite:3000/from/here
instead of:
"Mysite":"3000"/"from/here"
Do not wrap it with <script> & </script> tag.
Do the concatenation after template Execute().
Again, with <script> & </script> tag wrapped around, I'm getting:
var url = `"Mysite":"3000"/"from/here"/${othervars}?"orgId=1\u0026refresh=30s"`
vs. without <script> & </script> tag wrapped around it, I'm getting:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
Just what I need.
However, my actual case is that I'm using go HTML template engine to process my .html template files, so I cannot really do the concatenation afterwards, as everything is defined in the .html template file. So, just as Martin Gallagher has shown in his code, for such case, using template function seems to be the only option.
But even that might not be a viable option, as this is what I'm getting out of Martin's code:
var url = "Mysite:3000\/from\/here?orgId=1\u0026refresh=30s"
It is still not exactly what I wanted:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
So maybe with such case, it indeed has no ideal solution.
I've got this string that I want to send to a backend. In this string, there are several forward slashes, that is basically code that is commented out. It could look like:
val string = "// SOME STUFF
// OTHER TEXT ***************************************************
// THIS WOULD CONTINUE FORWARD"
So to escape this entire String, I'm using Gson().toJson(string). This would give a result like
"// SOME STUFF\r\n\r\n// OTHER TEXT ***************************************************\r\n// THIS WOULD CONTINUE FORWARD"
But if I put this into a website that can escape strings for me, I would get
"\/\/ SOME STUFF\r\n\r\n\/\/ OTHER TEXT ***************************************************\r\n\/\/ THIS WOULD CONTINUE FORWARD"
This bottom part, is what the backend would accept, and the top part it rejects. Is there any way I can do this in a different way, to make Gson look like the bottom part? This is sent as JSON btw, so as
{
"stuff": "THE ESCAPED STRING"
}
I kind of failed, and the Gson library didn't help at all. Ended up using Apache's StringEscapeUtils to fix the issue for me, with the StringEscapeUtils.escapeJson method.
I've been trying to pull the parameters passed into a page so I can post it back in Context.
So far,
ViewBag.Message = string.Format("{0}::{1}::{2}",
RouteData.Values["controller"],
RouteData.Values["actions"],
RouteData.Values["id"]);
works with anything simple like "66" or "tt" but anything more complex like "?name=blargh?viewId=66" and it fails.
I've tried a bunch of different ways to see if I could strike gold but nothing seems to work so does anybody have any idea what I'm missing/doing wrong/should be doing instead?
" but anything more complex like "?name=blargh?viewId=66" and it fails.
This doesn't seem to be routing information but query string which you should retrieve from the Request.QueryString bag.
If the {id} parameter is part of your route (as the default routes {controller}/{action}/{id}) I hope you realize that this id cannot be anything you like just because there are rules for an url. For example it cannot contain ? because this symbol has an entirely different meaning in an url - it represents the query string separator.
Currently (in Yii 1.1.13) all createUrl methods put extra params in the 'path style', which means I cannot then override them by submitting a form, because they take precedence over those that come in a query string. Is there a way to always pass extra parameters in query string but still have the url look normal and not butt-ugly like with the get urlFormat?
You can set appendParams to false in your urlManager component configuration.