I am using ASP.NET MVC 3 with Razor for a project.
At some point I need to serialize an array from the controller, put it in the ViewData and assign it to a JS object. However, when I output it using
@ViewData["some array"]
the result is HTML escaped, so I get something like:
[{"title":"Something","id":"Something-1" etc'
With the <%= %> syntax this was not escaped, so it was behaving as expected.
Is it possible to tell Razor not to escape this string? Perhaps someone might suggest another approach altogether.
Thanks in advance for any ideas.
You need to output an instance of the new IHtmlString interface, which contains pre-escaped HTML.
To do that, write @Html.Raw(...).
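The caveat that goes with @Html.Raw on serialized data, as an added example in JavaScript (not code from the answer above): jsonForScript, canCloseScript, roundTrips and the items array are my own.

```javascript
// Raw output of serialized data lands inside a <script> block unescaped, so a string value
// containing "</script>" would end that block. Rewriting "<", ">" and "&" as JS unicode
// escapes keeps the text valid JSON and valid JS while removing that possibility.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    // U+2028 / U+2029 are legal inside JSON strings but are line terminators in older JS
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed sample data: the second title tries to close the script block early.
const items = [
  { title: "Something", id: "Something-1" },
  { title: "</script><script>alert(1)</script>", id: "Something\u20282" },
];

// True when the serialized text could terminate a surrounding <script> element.
function canCloseScript(text) {
  return /<\/script/i.test(text);
}

// True when parsing the escaped text yields exactly the data that went in.
function roundTrips(value) {
  const parsed = JSON.parse(jsonForScript(value));
  return JSON.stringify(parsed) === JSON.stringify(value);
}
```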
If you have done everything and the issue still persists while it was working earlier, better check the certificate expiration date.
I'm using Apache FreeMarker as one of the code languages in an HTML editor where users can code a template. Let's say a user writes this code for a list:
<#list items as item>...</#list>
This is the correct way to create a list in FreeMarker. But when I load the template at a later moment with functions such as $("div").html(TEMPLATECODE), it is rendered as:
<#list items as item>...<!--#list-->
How is this possible, and how can I prevent HTML from transforming it into comments?
Thanks!
A FreeMarker template is not HTML, but jQuery's .html(string) expects a string that's valid HTML. So if you pass a template to it, such weird things are bound to happen. Only passing in the output of the template makes sense. If you want to show the markup to the user instead, you should use .text(string).
In a Freemarker template on a page with Angular, I have the following:
...
ng-init="somevariable = ${(model.usercontrolledstring)}"
...
I want to make sure this is hardened against XSS, so I've set up some escaping rules. However, the following value for model.usercontrolledstring causes JavaScript to execute:
abc'+constructor.constructor('alert(1)')()+'abc
The surprising thing is that when the client receives it, it arrives thusly:
ng-init="somevariable = 'abc'+constructor.constructor('alert(1)')()+'abc'"
So it looks like it's being escaped correctly, but Angular is still deciding to run it!
So I guess my questions would be:
What am I not understanding about Angular? (In particular, its decision to run after decoding html entities)
Is there a proper way of configuring a Freemarker Template to prevent this sort of XSS?
I believe you should use somevariable = '${model.usercontrolledstring?jsString}' there.
Also, if that thing goes into a <script> block, certainly you shouldn't apply HTML escaping there. It's not decoded by the browser inside <script>, so you end up with string values that literally contain '. Unless the string is meant to contain HTML as opposed to plain text, that's wrong.
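The decode-then-evaluate sequence the question observed, as an added example that is not part of the answer above: htmlEscape, htmlAttrDecode and jsStringEscape are my own approximations of the browser's attribute decoding and of FreeMarker's ?html and ?js_string built-ins, and the payload is the one quoted in the question.

```javascript
// Why HTML escaping alone fails: the HTML parser decodes the attribute value before Angular
// evaluates it, so the value reaches the expression unchanged. js_string escaping survives
// that decoding because a backslash, not an entity, is what neutralises the quote.
const payload = "abc'+constructor.constructor('alert(1)')()+'abc";   // from the question

function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// What the HTML parser does to an attribute value before any JavaScript sees it.
function htmlAttrDecode(s) {
  return s.replace(/&#39;/g, "'").replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Approximation of ?js_string: the value becomes safe inside a JS string literal.
function jsStringEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\n/g, "\\n").replace(/\r/g, "\\r")
          .replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// Build the attribute value the way the template does: somevariable = '<escaped value>'
function ngInitAttr(escapedValue) {
  return "somevariable = '" + escapedValue + "'";
}

// True if the decoded expression holds a quote not preceded by a backslash, i.e. the user
// value can end the string literal and continue as Angular expression code.
// (Simplified check: a "\\'" sequence would need a real tokenizer; the payload has none.)
function literalCanBeTerminated(attrValue) {
  const expr = htmlAttrDecode(attrValue);
  const inner = expr.slice("somevariable = '".length, -1);
  return /(^|[^\\])'/.test(inner);
}

// Correct layering for an attribute: JS-string escape first, then HTML-escape the result.
function safeAttr(value) {
  return ngInitAttr(htmlEscape(jsStringEscape(value)));
}

// What the question did: HTML escaping only.
function htmlOnlyAttr(value) {
  return ngInitAttr(htmlEscape(value));
}
```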
I'm working on an FAQ type project using AngularJS. I have a number of questions and answers I need to import into the page and thought it would be a good idea to use a service/directive to load the content in dynamically from JSON.
The text strings are quite unwieldy (639+ characters), and the overall hesitation I have is about adding HTML into the JSON object to format the text (line breaks etc.).
Is pulling HTML from JSON considered bad practice, and is there a better way to solve this? I'd prefer to avoid using multiple templates, but it's starting to seem like a better approach.
Thanks
If you're using AngularJS and already have a build step, html2js could help you with turning HTML templates into JS, which can then be concat'd and minified.
You could try parsing the incoming JSON before sending it to the page and just adding in a <br /> everywhere you run into a \n. That way the JSON is more universally usable if you ever decide you want to port the data to another medium.
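Escaping the text before inserting the <br /> tags, as an added example that is not code from the answers above: faqJson is constructed sample data, and htmlEscape, textToHtml and renderFaq are my own.

```javascript
// Keep the JSON as plain text; when it is loaded, HTML-escape each answer and only then turn
// every "\n" into <br />. The JSON never needs to carry HTML, and any tag that does appear
// in an answer is displayed as text instead of being rendered.
const faqJson = JSON.stringify([   // constructed sample data
  { q: "How do I reset my password?", a: "Open Settings.\nChoose Security.\nClick Reset." },
  { q: "Can answers contain tags?", a: "No: <script>alert(1)</script> is shown literally." },
]);

function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Plain text -> HTML fragment: escape first, then line breaks become <br />.
function textToHtml(text) {
  return htmlEscape(text).replace(/\r?\n/g, "<br />");
}

// Parse the incoming JSON and produce the HTML fragments a directive would bind.
function renderFaq(json) {
  return JSON.parse(json).map((item) => ({ q: htmlEscape(item.q), a: textToHtml(item.a) }));
}
```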
Is there a way to implement if statements inside :javascript filter with HAML in Rails?
I've tried various ways such as
:javascript
$(function(){
- if #booth.greeting_video?
= $('#greeting_video').modal();
But they do not seem to be working at all.
Is there a clean way of implementing this?
The filters in HAML are processed separately from the other code, and the only thing allowed here is the #{} method, which just inserts a Ruby value.
Theoretically you can insert your condition there and return different values depending on it. And I can't guess what you're trying to do with = $('#greeting_video').modal(); it looks like JavaScript, but why is there an = sign before it, making it look like a Ruby insertion?
And, it also needs to be said, it's not really a good idea to mix up back-end and front-end so much. The JS variable can be set here, and somewhere in another file the modal would be rendered or not, depending on that variable (just another suggestion).
Using C#, I am saving formatted HTML data in MSSQL such as:
<div>\n\t<p>x</p>\n</div>
I am then populating it into a textarea to display. I understand that I can use the .value property of the element to pull all of the ASCII characters out of the textarea; however, I can't seem to figure out how to get the "\n" and "\t" characters to show up as new lines and tabs.
When I use FireBug to check the html contents of the textarea in question, this is what is displayed:
<div>/\n/\t<p>This is a test Div</p>/\n</div>
I don't really care about using JavaScript to display the new lines and tabs; I can also use .NET to change the characters. I would just like to know either or both options.
Thanks much!
You should be saving your data better than that... but for now, you can use a simple regex trick:
yourString.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
In .NET you can use String.Replace:
s = s.Replace(@"\n", "\n");
s = s.Replace(@"\t", "\t");
You might want to consider whether you should make this replacement before you insert the data into the database rather than as you fetch it, because you'll probably only be inserting it once but fetching it a lot of times.
On the other hand, if you do it on the client then the work is offloaded from the server. But if they don't have Javascript enabled, it will look wrong.
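A single-pass version of the replacement, as an added example that is not code from the answer above: decodeStoredEscapes, encodeForStorage, naiveDecode and the stored sample are mine, and treating a stored "\\" as an escaped backslash is my assumption, not something the question describes.

```javascript
// One-pass decoder for the literal "\n" and "\t" sequences in the column, plus the inverse
// to apply before the insert, as the answer recommends. Assumption (mine): a real backslash
// is stored as "\\". The chained replace() calls would turn the stored text "\\n"
// (backslash, backslash, n) into a backslash followed by a newline; one pass does not.
function decodeStoredEscapes(s) {
  return s.replace(/\\(n|t|\\)/g, (_, c) => (c === "n" ? "\n" : c === "t" ? "\t" : "\\"));
}

// Inverse, for use before the data is inserted so fetching needs no conversion at all.
function encodeForStorage(s) {
  return s.replace(/[\\\n\t]/g, (ch) => (ch === "\\" ? "\\\\" : ch === "\n" ? "\\n" : "\\t"));
}

// The chained version from the answer, kept for comparison.
function naiveDecode(s) {
  return s.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
}

// Constructed: the text the question shows in the textarea, with two-character escapes.
const stored = "<div>\\n\\t<p>x</p>\\n</div>";
```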