I am using the Kendo editor. If I write any HTML data like `<img src=x onerror=alert(0) >` as an input, the script gets executed. This means the Kendo editor is not secure. How can I encode the value on the client side?
Thanks in advance.
I don't think the problem here is so much that the Kendo editor is insecure, more that the JavaScript fragment has made it onto the page in the first place.
On initialization the Kendo editor merely copies the input value verbatim and uses it within the iFrame that is contained within the editor, hence the script executes.
Typically you would encode/sanitize user content server-side before it's displayed. It's your website that generates the HTML page so you have full control over the output and need to ensure that a potentially dangerous value doesn't get added to the input's value in the first place.
It might be worth looking into Microsoft's AntiXSS offering.
I am reluctant to post this, but I am having trouble understanding how markdown actually "saves" to a database.
When I'm creating a migration, I will add columns and specify the type of value (i.e. integer, text, string, etc.) and in the course of operation on the website, users will input different information that is then saved in the DB. No problem there.
I just can't seem to wrap my head around the process for markdown. I've read about saving the HTML or saving the markdown file, rendering at runtime, pros and cons all that.
So, say I use an editor like Tiny MCE which attaches itself to a textarea. When I click "Submit" on the form, how does that operate? How does validation work? Feel free to answer my question directly or offer some resource to help further my understanding. I have an app built on Laravel so I'm guessing I'll need to use a package like https://github.com/GrahamCampbell/Laravel-Markdown along with an editor (i.e. Tiny MCE).
Thanks!
Let's start with a more basic example: StackOverflow. When you are writing/editing a question or answer, you are typing Markdown text into a textarea field. And below that textarea is a preview, which displays the Markdown text converted to HTML.
The way this works (simplified a little) is that StackOverflow uses a JavaScript library to parse the Markdown into HTML. This parsing happens entirely client side (in the browser) and nothing is sent to the server. With each key press in the textarea the preview is updated quickly because there is no back-and-forth with the server.
However, when you submit your question/answer, the HTML in the preview is discarded and the Markdown text from the textarea is forwarded to the StackOverflow server where it is saved to the database. At some point the server also converts the Markdown to HTML so that when another user comes along and requests to view that question/answer, the document is sent to the user as HTML by the server. I say "at some point" because this is where you have to decide when the conversion happens. You have two options:
1. If the server converts to HTML when it saves to the database, then it will save to two columns, one for the Markdown and one for the HTML. Later, when a user requests to view the document, the HTML document will be retrieved from the database and returned to the user. However, if a user requests to edit the document, then the Markdown document will be retrieved from the database and returned to the user so that she can edit it.
2. If the server only stores the Markdown text to the database, then when a user requests to view the document, the Markdown document will be retrieved from the database, converted to HTML and then returned to the user. However, if a user requests to edit the document, then the Markdown document will be retrieved from the database and returned to the user (skipping the conversion step) so that she can edit it.
Note that in either option, the server is doing the conversion to HTML. The only time the conversion happens client-side (in the browser) is for preview. But the "preview" conversion is not used to display the document outside of edit mode or to store the document in the database.
The only difference between something like StackOverflow and TinyMCE is that in TinyMCE the preview is also the editor. Behind the scenes the same process is still happening and when you submit, it is the Markdown which is sent to the server. The HTML used for preview is still discarded.
The primary concern when implementing such a system is that if the Markdown implementation used for preview is dissimilar from the implementation used by the server, the preview may not be very accurate. Therefore, it is generally best to choose two implementations that are very similar or, if available, use the same implementations for both.
It is actually very simple.
Historically, in forums, there used to be BBCodes, which are basically pseudo-tags that allow you to format your text in some way. For example [b][/b] used to mean "make this text bold". In Markdown, the exact same thing happens, but with other characters like *text* or **text**.
This happens so that you only allow your users to use a specific formatting, otherwise if you'd allow to write pure HTML, XSS (cross-site scripting) issues would arise and it's not really a good idea.
You should then save the HTML on the database. You can use, for example, markdown-js which is a Markdown parser that parses Markdown to HTML.
I have seen that TinyMCE does not make use of Markdown by default, since it's simply a WYSIWYG editor; however it seems like it also supports a markdown-like formatting.
Laravel-Markdown is a server-side markdown render helper, you can use this on Laravel Blade views. markdown-js is instead client-side, it can be used, for example, to show a preview of what you're writing in real-time.
I am understanding this better but still not there yet.
I have a notes document with a rich text field. I want to edit it in Xpages, so that the user can enter text for an email that an agent will generate. The idea is that the user should be able to enter styled text, hopefully including pasted graphics, and this is saved to the rich text field in such a way that a later agent can copy that field to the body of an email.
On the form I have checked the field "Store contents as HTML and MIME".
In the Xpage I have bound the CKEditor directly to the field (can bind it to a scope variable if necessary).
The code in my agent is as follows:
Set rtItmFrm = emlDoc.getFirstItem("Body")
Set rtItmTo = New NotesRichTextItem(mail,"Body")
Set rtItmTo = rtItmFrm.Copyitemtodocument(mail,"Body")
Any further suggestions on reading up on MIME/CKEditor etc would also be much appreciated.
Bryan
=========================================================================
I just discovered how to modify the CKEditor in Xpages (the Rich Text Control). I have the full menu and one or two more things turned out. However, I am really puzzled by how it treats HTML. I would like to put a template for a nice HTML email (like a newsletter). Anything even a little complicated it munges and the output is messed up.
I read enough online to understand that it is not supposed to be a HTML editor, but I am really having trouble getting the results I want. I would love to put some basic skeleton HTML in there, but everything but the simplest code doesn't work.
Is there anyway to import HTML and it not get messed up using this editor?
As Per and Stephan said, have a look at ACF filtering, which is 'server side' (this is not related to CKEditor itself, but it is related to XPages).
If you have a look at the inputRichText control you will see 2 properties.
htmlFilter
htmlFilterIn
These properties determine how to filter HTML on the way in to your data, and also on the way out.
This can be used to strip styling out, and also to prevent dangerous tags like some bad code here etc.
By default the htmlFilter is set to ACF (Active Content Filtering); if you look at the default rules, you will see it strips things like 'margin' out.
see /properties/acf-config.xml-sample
There is a filter called 'identity' which means don't filter anything; however, beware that if you use this you are not protected from any maliciously entered HTML.
You should look into defining your own set of rules for your ACF filter, this way you can choose which elements to remove. There is a section in Mastering XPages book about this.
If you still have any trouble, then there are some settings in the CKEditor config which also control ACF (totally separate from the XPages server side).
I don't think CKE changes the HTML, it is the writing back to a RT field.
Try and bind your RichText Editor to a scoped variable instead of a RichText field. This way you have access to the raw HTML and can use that to generate a MIME email. You might want to have a look at Mustache for mail merge.
Use this article series as starter how to prepare CK editor to make this possible.
And as Per mentioned: check the filtering.
I have two input fields first name and last name.
Application was running really well.
Suddenly someone came in from Mars and input something like this in those input fields
*(~'##~>?<+!""*%$)!
for both first name and last name. Now don't ask me why he did this cause in Mars this is very common. You can try it on this fiddle
http://jsfiddle.net/farrukhsubhani/3RjRF/
This text then went into my database and now when I retrieve it, it comes back like this
*(~'##~>?<+!""*%$)
which is OK for me as it's HTML and I can place it back into Knockout and it gets populated as HTML as you can see in the fiddle above. However, this Mars guy then thought that on Earth this is not a nice name to be with, so he tried to edit the field.
The above fiddle is kind of that edit page which shows him old value at bottom and two fields at top. He does not know html so he thought we have changed his name in input fields however I need to know
When passing text to Knockout to give an initial value to an input field, is it possible to tell it to consider this text as HTML so it renders properly in the input field?
The other way around is to send him to http://www.w3schools.com/tags/ref_entities.asp and tell him about reserved HTML characters. This info has been stored in the database (using Entity Framework, simple person.fname and person.lname both with attribute AllowHTML), so in my fiddle I have just placed it in two variables and you can see how the actual text boxes are different from the HTML below. If I don't bind using Knockout then the actual text is shown in these boxes and the user can edit the <>' signs without any problem.
Anyone with a solution before he leaves our planet. This can change alien life on our planet.
Update
If I go into this field and paste (~'##~>?<+!""*%$)" the binding works fine, and you can copy this and paste it into the fiddle to see that. However, it's not taking that value from the JavaScript variable, as Knockout expects it to be a string and HTML special characters are not shown properly in the input field.
We have done another test without Knockout and this text does get rendered within the field; when you try to edit it, it's fine.
We have updated the JSFiddle to work without jQuery and it's the same result if you store it in a JS variable and don't give a value to the input field
http://jsfiddle.net/farrukhsubhani/3RjRF/3/
If we assign a value to the input field and just use jQuery to populate fullname then it works
http://jsfiddle.net/farrukhsubhani/3RjRF/4/
This last fiddle is a working example and we want Knockout to do what jQuery is doing.
I think the question then comes down to how this text can be stored in a JavaScript variable and placed into the input field as HTML text so the special characters appear unescaped. You can try unescape on the jsfiddle; that did not work for us.
Somewhere along the trip into (or maybe out of) your database, the value is being HTML-escaped. It's not Knockout itself that's doing it. You're going to need to track that location down, but you can't just disable it; you're going to have to replace it with something that sanitizes the result or otherwise you're opening yourself up to cross-site scripting attacks (any <script>s from external sources inserted into the input would have complete access to your data).
Any time you see the html: binding used, warning bells should go off in your head and you should check VERY carefully to ensure that there's NO possibility of raw, unexamined user input making it into the string that gets displayed.
OK, here is what I did in the end
http://jsfiddle.net/farrukhsubhani/3RjRF/7/
I have done following:
I have added a value attribute to the input field and placed the input text as it came from the server into it. Because I am using TextBoxFor in MVC it did that for me.
Before I apply the Knockout binding I pick this value up using $('#kfname') and pass it to the actual binding so it uses the value that came from the server. Previously it was passed like (#Model.fname,#Model.lname)
I think what this did was allow jQuery to pick up the value and assign it to the binding instead of the variable
ko.applyBindings(new ViewModel($("#kfname").val(), $("#klname").val()));
Hopefully this would help someone using knockout.
Sorry if this question has already been asked. I have a web page with a bunch of JavaScript files. One of them has a function that sets the value of some input in the HTML file. Is it possible to see via the debugger which JavaScript function changes the value of the input HTML element?
Right-click on the input tag that you want to observe, select Break On and then Attribute Modifications. Your scripts will stop if they try to modify the input value.
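A programmatic version of the same idea, as an added example that is not part of the answer: wrap the property's setter so every write records the caller's stack trace. In a browser you would call `traceWrites(document.getElementById('myInput'), 'value')`; the `makeFakeInput` object and `mysteryUpdater` function below are constructed stand-ins so the code runs without a DOM.

```javascript
// Added example: record the stack trace of whoever writes a property.
// Not from the original answer. Works on accessor properties inherited from a
// prototype (HTMLInputElement.prototype's 'value') and on plain data properties.
function traceWrites(target, prop) {
  const log = [];
  // Locate the original descriptor on the object or up its prototype chain.
  let desc = null;
  for (let o = target; o && !desc; o = Object.getPrototypeOf(o)) {
    desc = Object.getOwnPropertyDescriptor(o, prop) || null;
  }
  const isData = desc !== null && 'value' in desc;
  let shadow = isData ? desc.value : undefined;
  Object.defineProperty(target, prop, {
    configurable: true,
    enumerable: desc ? desc.enumerable : true,
    get() {
      return desc && desc.get ? desc.get.call(target) : shadow;
    },
    set(v) {
      // new Error().stack names the calling function and script location,
      // which is the information the DOM breakpoint shows in the debugger.
      log.push({ value: v, stack: new Error().stack });
      if (desc && desc.set) desc.set.call(target, v); else shadow = v;
    },
  });
  return log;
}

// Constructed stand-in for an <input> element (a plain data property).
function makeFakeInput() {
  return { value: '' };
}

// Constructed "mystery" script whose name we expect to find in the trace.
function mysteryUpdater(el) {
  el.value = 'set by mysteryUpdater';
}

function demo() {
  const input = makeFakeInput();
  const log = traceWrites(input, 'value');
  mysteryUpdater(input);
  return {
    value: input.value,
    writes: log.length,
    callerFound: log[0].stack.includes('mysteryUpdater'),
  };
}
```

Reading `log[0].stack` in the browser console gives the script file and line of the write, which is the same thing the Attribute Modifications breakpoint pauses on, but collected for every write instead of interrupting once.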
I have something like the StackOverflow's "Ask Question" page, where a text-box is used to put source markup code and, below, another text-box (non-editable) is used to render a preview of the post/question being typed.
Consider that my application not only lets me use a simple tiny markup language for my posts' content; it also provides me with the possibility to type math in it using MathJax. The syntax is simple LaTeX syntax (however this is not the problem, so do not let this bother you too much).
The problem
The problem is the following. The page is a little different from the StackOverflow's one because it uses ASP.NET with AJAX in order to call a server-side procedure that performs the markup language translation in HTML (this is my choice, I have the code server-side, there is no implementation in javascript of the markup translation code).
When the asynchronous script runs (every 10 secs), the non-editable text-box is re-filled with the translated markup. The LaTeX code is put there as well (no translation performed on it) and the MathJax script is called every time the AJAX procedure returns (so the LaTeX code is rendered after the markup language; this LaTeX rendering happens client-side).
The problem is that, sometimes, rendered math is strange especially considering equation numberings. Numbers do increase every new AJAX call. I guess there must be a way to reset, completely, the status of the MathJax object instantiated in the page or whatever... Is there a way to reset MathJax?
I assume that AJAX here is the problem... Thank you for your help, hope I was clear.
If you have loaded a configuration file that includes the AMSmath extension, you can use
MathJax.InputJax.TeX.resetEquationNumbers()
to reset the equation numbering and the labels used for \ref and \eqref. If you want to start the numbering at a particular equation number, use
MathJax.InputJax.TeX.resetEquationNumbers(n)
where n is the starting number minus 1 (the default is 0).
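The refresh step described in the question, with the reset from this answer in place, as an added example that is not the answer's code and not MathJax's own. The MathJax object is passed in as a parameter (in the browser that would be `window.MathJax` with the 2.x API, whose `MathJax.Hub.Queue(["Typeset", MathJax.Hub, element])` call and `resetEquationNumbers` are real); `refreshPreview`, `makeFakeMathJax` and the sample HTML are assumed names and constructed data so the code runs outside a browser and shows the numbering drift the question describes.

```javascript
// Added example: reset equation numbering before each AJAX-driven re-typeset.
// Not from the original answer. mathJax is injected so it can be faked offline.
function refreshPreview(mathJax, previewElement, translatedHtml, reset = true) {
  // The server already converted the markup to HTML; TeX inside it is untouched.
  previewElement.innerHTML = translatedHtml;
  // Without this, the AMSmath counter keeps growing across refreshes.
  if (reset) mathJax.InputJax.TeX.resetEquationNumbers();
  // MathJax 2.x queue call: typeset only the preview element.
  mathJax.Hub.Queue(['Typeset', mathJax.Hub, previewElement]);
}

// Constructed stand-in for MathJax that emulates the AMSmath equation counter:
// each \begin{equation} in the element receives the next number.
function makeFakeMathJax() {
  const state = { counter: 0, numbers: [] };
  return {
    state,
    InputJax: { TeX: { resetEquationNumbers(n = 0) { state.counter = n; } } },
    Hub: {
      Queue(cmd) {
        const [method, , el] = cmd;
        if (method !== 'Typeset') return;
        const eqs = (el.innerHTML.match(/\\begin\{equation\}/g) || []).length;
        state.numbers = [];
        for (let i = 0; i < eqs; i++) state.numbers.push(++state.counter);
      },
    },
  };
}

// Simulate three AJAX ticks: two with the reset, one without it.
function demo() {
  const mj = makeFakeMathJax();
  const preview = { innerHTML: '' };
  // Constructed preview HTML containing two numbered equations.
  const html = '<p>Energy:</p>\\begin{equation}E=mc^2\\end{equation}' +
               '\\begin{equation}F=ma\\end{equation}';
  refreshPreview(mj, preview, html);
  const first = mj.state.numbers.slice();
  refreshPreview(mj, preview, html);
  const second = mj.state.numbers.slice();
  refreshPreview(mj, preview, html, false);
  const withoutReset = mj.state.numbers.slice();
  return { first, second, withoutReset };
}
```

The point the fake makes visible: with the reset the two equations are numbered (1), (2) on every tick; skip it once and the same two equations come back as (3), (4), which is the drift the question reports.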