ValidateRegExp client-side vs server-side issue - activerecord

I'm using monorail, activerecord, and jquery. I have a form with a zip code textbox. I have in my active record class associated to the form:
[Property]
[ValidateNonEmpty]
[ValidateRegExp(@"/^\d{5}(-\d{4})?$/", "Invalid")]
public string ZipCode { get; set; }
As you can see, I'm using the ValidateRegExp attribute, which then auto-generates jQuery validate rules. The issue is that regular expressions are different in JavaScript than they are in C#. JavaScript requires a / before and after the regex, whereas C# does not. If I put the slashes then the jQuery validation will work, but if they bypass the JavaScript validation and submit the form with JS disabled (or if someone saves the object through another means like a test case) then it'll say the zip code is invalid because C# doesn't like the slashes.
So my question is, how do you please both JavaScript and C# with one regex? I would expect it to be smart enough to add slashes before and after just for the jQuery validation, so that you could specify the regex in C# without the slashes, but this is not the case it seems.

You should be specifying the regular expression itself, without the surrounding / characters.
If you are having problems with the client side, it would help if you'd include the JS error you see (if any), and actual generated JS code on the page that is being written out by Monorail to your page, and also the version of Monorail you are using.
As a side note, let's look at the code generating the JS validation rule from the validation attribute in JQueryValidator.cs;
the relevant piece is at line 378 (as of current version of the codebase):
"function(value, element, param) { return new RegExp(param).test(value); }"
which points to the fact that the new RegExp(expression) is used, rather than the /expression/ format.
With that, it is clear that Monorail's jQuery validator integration is ok.

I'm using jQuery 1.4.2. Not sure what version of MonoRail I'm using, the Castle.MonoRail.Framework dll says v2.0.0.0. I updated it within the last 3 months though so it's fairly new. The js that you're showing indicates that you have an even newer version than me, as it generates the following for me (if no slashes included in the ValidateRegExp expression):
"user.username":{ required: true , regExp: ^[\w ]{4,50}$ }
This obviously gives a syntax error in js, as it's not wrapped in quotes or slashes. I ended up creating a new RegExp validator with AbstractValidator as the base class to get around the faulty one that is in my version of MonoRail.
Do you know if this was an issue that was fixed in the last couple of months? Otherwise I can't explain how yours generates new RegExp in js and mine does not...
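The rule quoted in the answer above, reconstructed here as an added example (not code from MonoRail or from anyone in this thread) so it can be run outside jQuery. It shows why the bare C# pattern is the one to supply: `new RegExp(param)` treats the `/` delimiters of a JavaScript literal as ordinary characters, so a slashed pattern silently rejects every valid zip code. The `toBarePattern` and `hasLiteralDelimiters` helpers are assumptions added for the example, not part of any MonoRail API.

```javascript
// Added example: the jQuery Validate "regExp" rule the answer quotes, as a
// plain function. "param" is the pattern string the server-side
// ValidateRegExp attribute supplies, passed through unchanged.
function regExpRule(value, param) {
  return new RegExp(param).test(value);
}

// The question's zip pattern written the way both C# Regex and new RegExp
// expect it: no surrounding "/" delimiters, just the expression.
const ZIP_PATTERN = "^\\d{5}(-\\d{4})?$";

// True when a pattern string carries JS-literal delimiters ("/.../" plus
// optional flags). Both C# and new RegExp read those slashes literally,
// which is the mismatch the question describes.
function hasLiteralDelimiters(pattern) {
  return /^\/.*\/[dgimsuvy]*$/.test(pattern);
}

// Assumed helper (not MonoRail's): strip "/.../flags" delimiters so one
// pattern string is usable on both sides. Bare patterns pass through as-is.
function toBarePattern(pattern) {
  const m = /^\/(.*)\/([dgimsuvy]*)$/.exec(pattern);
  return m ? m[1] : pattern;
}

// Side-by-side results for a valid ZIP+4 value.
function demo() {
  const slashed = "/" + ZIP_PATTERN + "/";
  return {
    bareAccepts: regExpRule("12345-6789", ZIP_PATTERN),          // true
    bareRejects: regExpRule("1234", ZIP_PATTERN),                // false
    slashedBreaks: regExpRule("12345-6789", slashed),            // false: "/" matched literally
    normalised: regExpRule("12345-6789", toBarePattern(slashed)) // true
  };
}
```

The `slashedBreaks` case is the server-side failure from the question seen from the JavaScript side: `new RegExp("/^\\d{5}...$/")` can never match because a literal `/` now precedes the `^` anchor.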

org.thymeleaf.exceptions.TemplateProcessingException: Only variable expressions returning numbers or booleans are allowed in this context

I have been using the Thymeleaf th:onclick attribute to call a JavaScript function with parameters as below
th:onclick="|myFunction('${parameter1}')|"
But with Thymeleaf 3.1.10 this has been removed, and they are suggesting to use the th:data attribute.
I however found workarounds as below, and both of them are working perfectly.
th:attr="onclick=|myFunction('${parameter1}')|"
th:onclick="#{myFunction('${parameter1}')}">
Now I am not sure if these workarounds are the correct way to do things and, if yes, which one is the better way.
The first will work like you want -- however, you are bypassing the security restriction and now your pages are vulnerable to JavaScript injection (which is the original reason this change was made).
The second one just plain doesn't work. It doesn't expand out the variable ${parameter1}, instead just encoding it as a url like this:
onclick="myFunction?$%7Bparameter1%7D"
You really should be doing it as shown on the page.
th:data-parameter1="${parameter1}" onclick="myFunction(this.getAttribute('data-parameter1'));"

Support for object literal routing parameters in Angular UI Router

I've been using Angular UI Router with a current project and have introduced some compound form inputs that I'd like to use as parameters in URL building for my routes. Essentially, the models I would like to parameterize are object literals, and I'm curious to know if ui-router has any ability to represent these as URL parameters.
In other parts of our application we have represented compound parameters with dot notation, e.g. ?field1.a=&field1.b=&field1.c, and I know some PHP frameworks make use of an array notation, e.g. ?field1[a]=field1[b]=field1[c] for representing multiple form fields associated with a single model.
From what I can tell, angular ui-router doesn't support anything similar. We are using v0.2.8, and at ~L131 there is a normalization function that will coerce object literals to their [object Object] string representation. It is this value that appears in URLs built with this kind of parameter, e.g. ?field1=[object Object].
I have considered lumping all the relevant fields together as a single parameter with a JSON string value as a workaround, e.g. ?filter={"field1":{}, "field2":{}, ...}, but wanted to check in to see if anyone has a better solution.
Thanks!
You have good timing. Typed parameter support was just merged into ui-router master. It isn't part of the 0.2.10 release, but should be part of 0.3.0 release, which is a few weeks away. If you build your own copy of bleeding-edge master and use this functionality now, please submit feedback to the ui-router project!
Here's the pull request that got merged with typed parameter support: https://github.com/angular-ui/ui-router/pull/1032
Read the docs regarding Type in https://github.com/angular-ui/ui-router/blob/master/src/urlMatcherFactory.js#L583
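As an added example (not code from the ui-router project or from this thread), here is the JSON-in-one-parameter idea from the question expressed as a parameter type. The object shape used (`encode`, `decode`, `is`, `equals`, `pattern`) is an assumption about the custom-type interface the linked docs describe; the code is plain JavaScript with a small stand-in for the router's query-string handling so it runs without Angular. `decode` returns `undefined` for anything that is not a JSON object, so an `[object Object]` string of the kind the question mentions is treated as an absent parameter rather than a value.

```javascript
// Added example: an object-literal parameter type carried as JSON text.
// Shape assumed to follow the ui-router typed-parameter interface.
const objectParamType = {
  // Accept plain objects only (not arrays, null or primitives).
  is(value) {
    return value !== null && typeof value === "object" && !Array.isArray(value);
  },
  // Object -> URL-safe string. encodeURIComponent keeps "{", "\"" and ":"
  // out of the URL; non-objects yield undefined so nothing is emitted.
  encode(value) {
    return this.is(value) ? encodeURIComponent(JSON.stringify(value)) : undefined;
  },
  // URL string -> object. Malformed or non-object input yields undefined
  // instead of an exception or a coerced "[object Object]".
  decode(text) {
    if (typeof text !== "string") return undefined;
    try {
      const parsed = JSON.parse(decodeURIComponent(text));
      return this.is(parsed) ? parsed : undefined;
    } catch (e) {
      return undefined;
    }
  },
  // Key-order-sensitive structural equality, so the router can tell whether
  // the parameter actually changed between two states.
  equals(a, b) {
    return JSON.stringify(a) === JSON.stringify(b);
  },
  // Characters a URL-encoded JSON value may contain.
  pattern: /[^/?#&]*/,
};

// Stand-in for the router's query-string plumbing, to show the round trip.
function buildQuery(name, value) {
  const encoded = objectParamType.encode(value);
  return encoded === undefined ? "" : `?${name}=${encoded}`;
}

function parseQuery(query, name) {
  const pairs = query.replace(/^\?/, "").split("&");
  for (const pair of pairs) {
    const [k, v = ""] = pair.split("=");   // "=" inside values is percent-encoded
    if (k === name) return objectParamType.decode(v);
  }
  return undefined;
}
```

With this in place the compound filter from the question round-trips as `?filter=%7B%22field1%22...` and comes back as an object; the `is` check on decode is what keeps arrays and primitives from masquerading as the expected model.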

How can I validate HTML input to prevent XSS?

For example, StackExchange whitelists a subset of HTML:
https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites
How could you do that in your controller to make sure user input is safe?
This approach is not identical to StackExchange, but I found the AntiXSS 4.x library to be a simple way to sanitize the input to allow "safe" HTML.
http://www.microsoft.com/en-us/download/details.aspx?id=28589 You can download a version here, but I linked it for the useful DOCX file. My preferred method is to use the NuGet package manager to get the latest AntiXSS package.
You can use the HtmlSanitizationLibrary assembly found in the 4.x AntiXss library. Note that GetSafeHtml() is in the HtmlSanitizationLibrary, under Microsoft.Security.Application.Sanitizer.
content = Sanitizer.GetSafeHtml(userInput);
This can be done before saving to the database. The advantage is removing malicious content immediately, and not having to worry about it when you output it. The disadvantage is that it won't handle any existing database content, and you do have to apply this any time you're making database updates.
The alternate approach is to use this method every time you output content.
I'd love to hear what the preferred approach is.
You can try JSoup parser which along with sanitizing your HTML input will also provide many functionalities out of the box.
You can visit http://jsoup.org/ for more details on the JSoup and download the binary from there.
It provides DOM method to traverse through your HTML tree and get desired elements.
Although sanitizing your HTML-generated code to prevent XSS attacks is a good practice, I would strongly advise to avoid using any parser to avoid XSS attacks by sanitizing your HTML input.
If your HTML tree is very big then the response time would increase manifold. Instead of sanitizing your HTML tree you should ensure that whatever the user is entering in the FORM is proper and as per the expected value.
You can visit www.owasp.org to know more about how to avoid XSS attacks. The site provides you possible cheat sheets to ensure your HTML tree is free from any XSS attack.
ASP.NET HttpUtility.HtmlEncode() does it for you.
But if you want to block dangerous scripts, first DO NOT insert it into your database. First, clean the HTML text before inserting into the database.
I found a class that does it for you: http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
It works fine and you can add new tags and attributes to the custom whitelist of the Sanitizer.
Note: Microsoft Sanitizer and Anti-XSS Library were not useful for me. Maybe you can also try them.
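The question asks how a controller can keep a whitelisted subset of HTML; the answers above point at AntiXSS and Jsoup for that. The following is an added example, not code from those libraries or from anyone in this thread, that shows the allow-list approach itself in plain JavaScript. Rather than trying to strip bad things out, it rebuilds the output from scratch: only tags in `ALLOWED_TAGS` (a list constructed for the example) are re-emitted, only their listed attributes survive, `href` is limited to http(s), and every other character is HTML-encoded, so the only raw `<` in the result are ones this code wrote itself.

```javascript
// Added example: allow-list HTML sanitizer by reconstruction.
// The tag and attribute lists are constructed for this example.
const ALLOWED_TAGS = {
  b: [], i: [], strong: [], em: [], p: [], code: [], pre: [], br: [],
  a: ["href", "title"],
};

// Encode the characters that a browser would read as markup.
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Only absolute http(s) links survive; "javascript:", "data:" etc. are dropped.
function isSafeHref(value) {
  return /^https?:\/\//i.test(value.trim());
}

// Re-emit one allowed tag with only its allowed attributes, each value
// re-quoted and encoded.
function rebuildTag(name, closing, rawAttrs) {
  if (closing) return `</${name}>`;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_TAGS[name].includes(attr)) continue;   // drops onclick, style, ...
    if (attr === "href" && !isSafeHref(value)) continue;
    out += ` ${attr}="${encodeHtml(value)}"`;
  }
  return `<${name}${out}>`;
}

// Walk the input: allowed tags are rebuilt, everything else (unknown tags,
// comments, stray "<") is treated as text and encoded.
function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let result = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    result += encodeHtml(input.slice(last, m.index));
    const name = m[2].toLowerCase();
    // hasOwnProperty keeps names like "constructor" from matching the object's prototype.
    if (Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, name)) {
      result += rebuildTag(name, m[1] === "/", m[3]);
    } else {
      result += encodeHtml(m[0]);   // unknown tag is shown as literal text
    }
    last = tagRe.lastIndex;
  }
  return result + encodeHtml(input.slice(last));
}
```

Two properties of this design are worth noting. It fails closed: a tag whose attribute value contains an unmatched quote or a `>` is cut short by the tag regex, the dangling part is encoded as text, and the attribute is dropped. And because all text is encoded, pre-existing entities such as `&amp;` come out double-encoded and unbalanced allowed tags are passed through unbalanced; the maintained libraries named in the answers handle both of those with a real parser, which is the reason to prefer them in production code.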

Using the Codeigniter form validation library, how can I ensure at least one letter is entered?

I am using Codeigniter form validation. In my registration form the Username field allows only numbers like 123456. I don't want this to happen.
My validation rule is as follows
'rules'=>'trim|required|alpha_numeric|min_length[6]|xss_clean'
I want to prevent users entering just numeric strings. Alpha numeric strings are fine, alpha strings are fine, but purely numeric ones are not.
To allow only letters
Add alpha to your rules and remove alpha_numeric from your rules
You can use this page as a point of reference for built in validation rules.
Edit:
Since you've clarified now.
To achieve this, there's no built in validation rule. You will need to extend the Form_validation library by creating a libraries/MY_Form_validation.php file. See this manual page on how to extend libraries.
In this file, create the following function
function at_least_one_letter($string) {
return preg_match('#[a-zA-Z]#', $string);
}
Then you can add the validation rule at_least_one_letter to your rules.
According to the CodeIgniter user manual:
You can also use any native PHP functions that permit one parameter.
I think in this case is_int could be used as your validation rule.
So, for instance:
'rules'=>'trim|required|is_int|min_length[6]|xss_clean',

asp.net mvc client side validation for camel case property name

I am using the MS shipped client side validation in asp.net mvc 2. The model in question has one property called "FirstName". Our client side developer really likes to have camel-case in the element ids, so instead of using the normal html helper Html.TextBoxFor(m => m.FirstName), we wrote out the html input view instead like: <input type="text" id="firstName" name="firstName" />. The model binder can bind correctly and get the right value (I guess it was not case sensitive, which is a good thing). However, when we turn on client side validation and issue a Html.ValidateFor(m => m.FirstName) at the end, it still generates the Pascal-case format of the property (which is expected).
A look into the mvc 2 source code reveals that ValidateFor() calls ModelMetadata.FromLambdaExpression(expression, htmlHelper.ViewData) which in turn uses MemberExpression to get the property name (which is pascal case). I am wondering if there is a way around this? The ultimate goal is to have camel-case IDs in the elements of the html and still have both client and server side validation work.
Any help is appreciated.
My $0.02: Pick a casing and make the view model match the page. Both C# and JS are case-sensitive, and attempting to mix cases won't end well. One of you is going to have to change case. You could probably work around this specific issue, but it won't be the end of your problems.