Am I using Html.Raw() safely? - asp.net-mvc-3

I have an ecommerce gift store where users can fill out a gift-card for their recipient.
In order to fill out the card, I have the users enter text into a multiline textbox.
When I display the gift-card on the final review page, I have to spit out the information with Html.Raw so that newlines are displayed properly. I'm doing this:
@(Model.GiftCard.Text != null ? Html.Raw(Model.GiftCard.Text.Replace(char.ConvertFromUtf32(13), "<br />")) : Html.Raw(""))
I'm frightened that I'm entering dangerous territory using Html.Raw on values that were user-entered. However, when I go back to the gift-card entry page, the page breaks when I try to do something like "This is my gift card! (scripttag)alert('test');(/scripttag)"... so I feel like .NET will catch any malicious entries at that point.
Am I safe to proceed like this? It seems that since the gift-card entry page is running validations against malicious code, I should be okay to use Html.Raw later to display the newline HTML that I'm putting in myself...
(I replaced the actual script tag with this (scripttag) thing above so it will show in stackoverflow)

Use a regular expression in your view model to make sure people only enter A-Za-z0-9 and whatever else you think they should be able to use, such as :) =] type of stuff. Screening this stuff on the front end is better than second-guessing it on the way out.

How about using a <pre></pre> tag instead? This would allow returns to display in HTML without the need for Html.Raw.

Related

How can I stop Joomla from stripping HTML code from the Contact info?

I've only spent maybe 30 mins searching online for this, and couldn't come up with a decent answer.
But anyway, in Joomla there are normal input fields for the Contacts component, but there's a textarea for the Address.
This would make me assume you can enter multiple lines of address in there, and it would be displayed as separate lines... but it doesn't. Even if I enter line breaks, the output is rendered on one line.
So I try to enter <br> to separate, and upon saving, Joomla strips these tags out.
In the template, the output is being written simply by echoing $this->contact->address
Is there any way to explode this input and replace line breaks with <br> marks?
UPDATE:
For now as a temporary measure I'm able to add HTML code into the database values, which saves and outputs on the front end.
On a separate note, I'm now looking to remove the Subject line from the contact form without hacking the code, and by using overrides as much as possible. Can anyone help?
Have you tried the Sourcerer extension?
Your question is pretty old, but did you get a solution to this Lee?
To create line breaks in Joomla titles, text areas etc., the easiest way is to use the ReReplacer extension from NoNumber: http://extensions.joomla.org/extensions/edition/replace/4336
I personally use this to add line breaks in e.g. menu-item titles, where <br /> isn't allowed and gets stripped.
With ReReplacer, you can create a custom tag, e.g. {br}, and then have ReReplacer replace {br} with <br />.
So every time you need to add a line break anywhere in Joomla where HTML codes usually get stripped, you can just add {br} to have it add a new line.
Very old question but I've fallen into the same issue and tried to find a more user friendly solution.
You can enter multiple lines in the address textarea, and they are correctly outputted to the HTML page source. But as you know, newlines in HTML are not rendered, they have to be transformed to <br>.
For this PHP has a nice function, nl2br, that inserts a <br> each time it encounters a newline in a string.
So in html\com_contact\contact\default_address.php of your template, replace:
echo $this->contact->address;
with
echo nl2br($this->contact->address);
This would nicely do the job, and allow the user to naturally insert any newline in the contact address textarea, which will be correctly rendered with the appropriate <br>; I believe this is a much more user-friendly solution than your previous one of the user having to insert -br- tags in the address field.
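Both threads above hand raw user text to an output step (Html.Raw after a Replace in the first, echo after nl2br in the second). This added example, not code from either thread, shows the ordering that keeps that safe in PHP: HTML-escape first, then add the <br /> yourself, so any markup the user typed arrives at the browser encoded. The same order applies to the Razor snippet (HtmlEncode, then Replace, then Html.Raw).

```php
<?php
// Added example: escape user text before converting newlines to <br />.

/**
 * Safe variant: htmlspecialchars() runs first, so "<" and ">" typed by
 * the user become &lt; and &gt;. nl2br() then inserts the <br /> that
 * we control ourselves (it handles \r\n, \n and a bare \r).
 */
function safe_multiline(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

/**
 * Unsafe variant, the shape of the Razor Replace() and the Joomla echo:
 * the user's text is emitted as markup, so a <script> tag is executed.
 */
function unsafe_multiline(string $text): string
{
    return str_replace("\r", '<br />', $text);
}

// Constructed sample: a gift-card message with a line break and a script tag.
$sample = "Happy birthday!\r\n<script>alert(1)</script>";

echo unsafe_multiline($sample), "\n";
// Happy birthday!<br />
// <script>alert(1)</script>          <- reaches the page as live markup

echo safe_multiline($sample), "\n";
// Happy birthday!<br />
// &lt;script&gt;alert(1)&lt;/script&gt;   <- shown as text, not executed
```

Input-side validation on the entry page (the ".NET will catch it" assumption) is not a substitute: the same value can reach the database through another path, and the output encoding is what the browser actually sees.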

Is it possible to change text directly in the code

I would like to know if there is a way to change text in the code instead of using the admin panel? I have Filezilla installed and can access my site/files from there.
If I use the inspect element in any browser, I can see an HTML structure, but as I have understood there is no HTML document in Magento, right? So where do I go if I want to make a change to a text element on my site and I don't want to use the admin panel?
Most of the text elements are handled by Magento's language translation system.
Quite often, you don't have to mess around hacking templates, just simply add a line to the translation CSV with the text string exactly as it appears, add a comma and then the new text string you want Magento to display.
For example, if you're working with US English, you can use the following file in your own custom template package as follows:
app/design/frontend/default/your_package/locale/en_US/translate.csv
Let's, for example, change one of the window shade bar titles in the One Page Shopping Cart. Add a line to translate.csv as follows:
"Billing Information","Billing Address Information"
How this works: in the template, the following line normally displays the title:
<?php echo $this->__('Billing Address') ?>
The code snippet $this->__('Billing Address') is a call to Magento's language translation system. It reads the translate.csv file, finds Billing Address and changes it to Billing Address Information when it assembles the page HTML.
Lotta people out there have made changing text like this far harder than it has to be.
Hunting down the proper template, changing the text, finding the template got messed up, or trying to remember after the fact what was changed.
VS.
Changing a simple central file that contains all the text string translations... Often only by adding a new line to the file
Magento actually makes this very simple.
Thank you! So Magento stores all text in .csv? Or just the stuff that needs to be translated? I'm searching for .csv via Filezilla but I only get two languages (the site is translated to multiple languages). Should I be looking somewhere else?

CodeIgniter santizing POST values

I have a text area in which I am trying to add YouTube embed code and other HTML tags. $this->input->post is converting the <iframe> tags to &lt;iframe&gt; but not the <h1> and <h2> tags.
Any idea how I can store these values?
If you only have a small number of forms that you need to allow iframes in, I would just write a function to restore the iframe (while validating that it's a valid YouTube embed code).
You can also turn off global_xss_filtering in your config (or not implement it if you're using it), but that's not the ideal solution (turning off all of your security to get one thing to work is generally a horrible idea).
$config['global_xss_filtering'] = FALSE;
To see all of the tags that get filtered out, look in the CI_Input class and search for the '$naughty' variable. You'll see a pipe-delimited list (don't change anything in this class).
Why don't you avoid CI's auto-sanitizing and use something like htmlspecialchars($_POST['var']); ? Or make a helper function for sanitizing YouTube URLs...
Or you could either just ask for the video ID code or parse the code from what you are getting.
This would let you use both the URL or the embed code.
Also, storing just the ID takes less space in your database, and you could write a helper function to output the embed code/URL.
In this case, use $_POST instead of $this->input->post to get the original text area value, and then use HTML Purifier to clean the contents without losing the <iframe> tag you want.
You will need to check HTML Purifier documentation for details. Please, check this specific documentation page about "Embedding YouTube Videos".
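The HTML Purifier route the last answer points at, written out as an added example (not code from the thread or from CodeIgniter): keep global XSS filtering on, read the raw field from $_POST for this one form, and let HTML Purifier allow an <iframe> only when its src matches a YouTube (or Vimeo) embed URL. It assumes HTML Purifier is installed via Composer; the HTML.SafeIframe and URI.SafeIframeRegexp directives are the ones the "Embedding YouTube Videos" documentation page describes.

```php
<?php
// Added example: whitelist YouTube embeds with HTML Purifier instead of
// disabling global_xss_filtering. Assumes Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

function purify_embed(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow <iframe>, but only when src matches the regexp below.
    $config->set('HTML.SafeIframe', true);
    $config->set(
        'URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
    );
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample input: a heading, a legitimate YouTube embed, an
// iframe pointing at a non-whitelisted host, and a script tag.
// VIDEO_ID_PLACEHOLDER stands in for a real video id.
$dirty = '<h1>My video</h1>'
    . '<iframe width="560" height="315" '
    . 'src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>'
    . '<iframe src="https://example.com/other"></iframe>'
    . '<script>alert(1)</script>';

// In the controller you would pass $_POST['embed'] (the unfiltered value)
// rather than $this->input->post('embed').
echo purify_embed($dirty);
// The <h1> and the YouTube iframe remain; the example.com iframe and
// the <script> element are removed.
```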

Looking for an anti-spam solution easier to implement than Captcha

I'm looking for a simple anti spam form submission solution, other than Captcha. I've tried implementing Captcha into my website for anti-spam purposes, but it's been too difficult to integrate into the site. I don't get many spam attacks but I'd like to have something in place for the random spam that I get. Does anyone know of something they think would work?
You can add an additional text field to your form and hide it with CSS. Human users don't see the field, so it should always be empty. Spambots usually fill out all form fields and don't know that this one is hidden. If you receive any content in this field, reject the form submission.
Put up something like "What is 3 plus 6?" and give the user a form to type the answer. Any human will get that, including blind ones who can't see a captcha, but no bot will. You don't even need to vary the numbers, really.
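The two suggestions above (a CSS-hidden honeypot field and a "What is 3 plus 6?" question) checked server-side, as an added example that is not code from either answer. The field names website and math_answer and the session key are assumptions made for this example.

```php
<?php
// Added example: honeypot field plus arithmetic challenge, verified server-side.
session_start();

// When rendering the form: pick the numbers and keep the answer in the
// session, so the expected value never travels to the client.
// The form also carries the honeypot:
//   <input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">
function prepare_challenge(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['math_answer'] = $a + $b;
    return "What is $a plus $b?";
}

// On submission: returns null when the post looks human, otherwise a reason.
// $expected is the answer stored in the session (null if none was issued).
function spam_reason(array $post, ?int $expected): ?string
{
    // Honeypot: humans never see this field, so anything in it is a bot.
    if (isset($post['website']) && trim((string) $post['website']) !== '') {
        return 'honeypot field was filled in';
    }
    if ($expected === null) {
        return 'no challenge was issued for this session';
    }
    $answer = isset($post['math_answer']) ? trim((string) $post['math_answer']) : '';
    if (!ctype_digit($answer) || (int) $answer !== $expected) {
        return 'wrong answer to the arithmetic question';
    }
    return null;
}

// Typical controller flow: read the stored answer, make it single-use, check.
$expected = $_SESSION['math_answer'] ?? null;
unset($_SESSION['math_answer']);

// Constructed submissions, as if the question had been "What is 3 plus 6?".
var_dump(spam_reason(['math_answer' => '9', 'website' => ''], 9));         // NULL
var_dump(spam_reason(['math_answer' => '9', 'website' => 'http://x'], 9)); // honeypot
var_dump(spam_reason(['math_answer' => 'nine'], 9));                       // wrong answer
```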

UI - How I can make users effectively read what my program says?

I have a simple form that searches through the 2000+ issues of a 3rd party webcomic. (Easy, it's like xkcd: http://url/number)
That form is as easy as possible; it's like this:
What number do you want?
User writes a number, clicks ok, and goes on the 3rd party website on a new tab
Then, my form asks a question: "Did you find that issue memorable? Enter the name here, and we will add it to the "best issues" in home page"
When the user will write the name of the issue, it is added to the database (pending moderation by me)
So, I supposed this design is the easiest and most convenient that users can find.
Unfortunately, NONE of the users (maybe 2% behaved correctly) will actually read what I asked. Some of the issues are offline and give a 404. On those issues users will write a completely wrong title in the textbox, and correctly capitalized!
It's as if I named http://xkcd.com/627/ "The Great Adventures of Jack Smith".
Users are from around all over the country, with different browsers, and have a different cookie.
I cannot believe that my users will not read what I ask, it is a WHITE PAGE with a button that disappears when clicked and a textbox.... easier than that???
Maybe I should put a checkbox with "I acknowledge that this form is for submitting memorable issues, not for fun"? Oh, who will read that?
Or maybe I could enable the textbox only if the user has actually clicked the link?
Do your users understand your site/service?
I, for one, don't remember (web-)comics by their issue number, but by their content. When asked what xkcd comic number I would like to see, I'd probably input random numbers like 42, 123 or 666 or something.
After you make me guess for a number you ask me if the associated comic is particularly epic, then you ask me to do some data entry for it to put it on some kind of hall of fame. Honestly I do not understand what the logic is behind inserting titles for non existing comics -- are you sure they don't actually land them on the comic page for "The Great Adventures of Jack Smith"? The 2% of your userbase probably noticed the issue in the URL you generated for them, addressed it and typed in the right title. Or, maybe, they are typing the name of the comic they actually wanted to see instead.
There's a simple way to know. Have your mom use it and do not correct her if she makes mistakes. All mistakes she makes are your fault, not hers.
Without having the text of the labels you have put it's harder for us to second guess what's going wrong than it is for you.
Try it!!
You could try parsing the title of the page and obtaining the title yourself
OR you might want to request the username/handle.
Once the user enters the details and clicks SUBMIT, show a confirmation page (a preview of how the submission will be listed). Make sure to include the username/handle as the person who submitted it (this brings a sense of responsibility to the guy who submits). Remember to keep a back button to allow the user to go back, make the necessary changes and submit again.
Allow users to create profiles on your site (they may be as simple as Stack Overflow's profile system; here's mine for example). Unless he is logged in, submissions are posted as anonymous. Rest same as above.
NOTE: There might be a slim possibility that you are being targeted by spam / captcha bots. Hence the random text entries. Still, do implement the above. A better UI never hurt anyone. Right??...
