I take user input into a text area, store it and eventually display it back to the user.
In my View (Razor) I want to do something like this...
This doesn't work because Razor HTML-encodes by default. This is great, but I want my line breaks.
If I do this I get opened up to XSS problems.
What's the right way to handle this situation?
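The ordering problem in this question is the same in every templating layer: decoding (or skipping encoding) to keep the line breaks makes every other tag in the user's text live as well. The safe order is encode first, then add the `<br>` tags yourself. Below is an added example, not code from the question; it is written in PHP because the rest of this page's code is PHP, and the structure is identical in Razor (Html.Encode the text, then replace the newlines with `<br />`). The input string is constructed.

```php
<?php
// Added example, not from the original question. Encode first, then insert
// our own <br> tags, so the user's markup stays inert while the line breaks
// survive. The wrong-order function shows the failure mode: escaping after
// nl2br() turns the <br> tags we added back into visible text.

function renderMultilineText(string $userInput): string
{
    // 1. Neutralise every markup character the user typed (quotes included).
    $escaped = htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // 2. Only now add <br> tags; they are ours, not the user's, so they may stay raw.
    return nl2br($escaped, false);
}

function renderMultilineTextWrongOrder(string $userInput): string
{
    // Bug for comparison: the <br> from nl2br() is escaped along with the
    // user's text, so the browser shows "<br>" literally.
    return htmlspecialchars(nl2br($userInput, false), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: two real line breaks around a script tag a user might type.
$input = "line one\n<script>alert(1)</script>\nline three";

echo renderMultilineText($input), "\n";
echo renderMultilineTextWrongOrder($input), "\n";
```

The first call keeps the `<br>` tags and renders the script tag as text; the second shows `&lt;br&gt;` as text, which is the symptom people usually try to "fix" by decoding, and that is exactly the step that reopens XSS.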
<input id='hiddenId' type='hidden' value='chalk & cheese' />
gets pulled into
<input type='text' value='chalk & cheese' />
via some jQuery to get the value from the hidden field (it’s at this point that I lose the encoding):
The problem is that when I read ', I want the encoding to remain.
I know that this has been discussed many times, but I have a different type of question. I am seeing an error in my event viewer "A potentially dangerous Request.Form value was detected from the client (content=..."
What I do NOT want to do is to turn off validation, such as in this post: A potentially dangerous Request.Form value was detected from the client
So I do NOT want to do these:
The issue itself is that these errors are coming from clients, usually in groups of about 10. What happens is that a certain IP address will send these types of messages for a few minutes and then stop, and then a different IP address will start the attack again a few hours later. To me it seems that a virus has taken over these computers and the virus is using them to attack my site.
The strange part is that the form in question is an error page to catch when a user goes to a page that is not found (404 error). The "virus" is trying to go to a guestadd.asp page, which I don't have. There is no input field with the name "content", so I am confused as to how to validate a non-existing field. (Unless I am just missing it.)
My question is how can I prevent this so that it does not allow it to submit? What am I doing wrong? I am able to block any info coming out, but this is quite annoying, and I don't want to be vulnerable to attack. I can post code if requested.
I'm working on an e-shop. At some point in my code I have to show attributes and descriptions for many products in a single page. Attributes are a table, and a description can contain simple text and table, li, br tags etc. These are stored in the database as HTML-encoded strings. So in my PHP file I load them from the DB and decode them like this.
$description = html_entity_decode($description_from_db, ENT_QUOTES, 'UTF-8');
$attributes = html_entity_decode($attributes_from_db, ENT_QUOTES, 'UTF-8');
Later on I just do
echo $description; and they are shown properly. All this HAS TO BE PRINTABLE, and here comes the challenge.
When the attributes table and the description are long enough, they exceed the printable page height and get cut in half, looking really ugly. What I want to do is split the $description and $attributes strings and echo them with page breaks between the pieces where necessary. The problem is that this must be done with respect to the tags inside these strings. I can't, for example, break the string in the middle of a tr tag.
Is there a way to break these strings while keeping the HTML elements they contain intact? I'm thinking it must be possible, since HTML editors show a warning when a tag has been left unclosed.
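One way to get tag-safe page breaks is to parse the decoded fragment with DOMDocument and only ever split between top-level nodes, so a whole `<table>` (and every `<tr>` in it) moves to the next page as a unit. The code below is an added example, not code from the question or its answers; the per-page character budget ($maxChars) is a hypothetical stand-in for page height, which the server cannot measure, and the sample description and attributes are constructed. Note that this only splits; it does not sanitise. Content that is html_entity_decode()d and echoed is live markup, so it must have been cleaned before it was stored or be cleaned here, independent of the pagination.

```php
<?php
// Added example, not from the original post. Splits a decoded HTML fragment
// into print pages at top-level node boundaries only, so a <table> and the
// <tr> rows inside it are never cut. $maxChars is a hypothetical budget that
// stands in for real page height.

function splitHtmlIntoPages(string $fragment, int $maxChars = 1200): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy markup from the editor
    // The meta tag makes libxml read the fragment as UTF-8; the wrapper div
    // gives us one node whose children are the top-level pieces.
    $doc->loadHTML(
        '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
        . '<div id="root">' . $fragment . '</div>'
    );
    libxml_clear_errors();

    $root    = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    $pages   = [];
    $current = '';
    $used    = 0;

    foreach ($root->childNodes as $node) {
        $html = $doc->saveHTML($node);           // the piece, tags intact
        $cost = mb_strlen($node->textContent);   // rough "height" of the piece
        // Start a new page when this piece would overflow, but never split
        // the piece itself; an oversized piece simply gets its own page.
        if ($used > 0 && $used + $cost > $maxChars) {
            $pages[] = $current;
            $current = '';
            $used    = 0;
        }
        $current .= $html;
        $used    += $cost;
    }
    if ($current !== '') {
        $pages[] = $current;
    }
    return $pages;
}

function joinWithPageBreaks(array $pages): string
{
    // A CSS page break between pieces; printers honour it, screens ignore it.
    return implode('<div style="page-break-after: always"></div>', $pages);
}

// Constructed sample: a long description paragraph, a list, then the attributes table.
$description = '<p>' . str_repeat('Lorem ipsum ', 40) . '</p>'
             . '<ul><li>one</li><li>two</li></ul>';
$attributes  = '<table><tr><td>Weight</td><td>1 kg</td></tr>'
             . '<tr><td>Colour</td><td>red</td></tr></table>';

$pages = splitHtmlIntoPages($description . $attributes, 300);
echo count($pages), " pages\n";
echo joinWithPageBreaks($pages);
```

With the 300-character budget the paragraph fills page one on its own and the list and table share page two; the table is emitted whole because the budget check runs before a node is appended, never inside it. For rows that should not straddle a printer page even when the table as a whole is longer than a page, the complementary tool is the CSS rule `tr { page-break-inside: avoid; }`.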
I want this string:
"HartnÃ¤ckigkeit zahlt sich aus"
Getting converted to this:
Hartnäckigkeit zahlt sich aus
I tried this:
html_entity_decode( "HartnÃ¤ckigkeit zahlt sich aus", ENT_COMPAT, 'UTF-8')
But did not succeed.
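html_entity_decode() cannot help here because the string contains no HTML entities: "HartnÃ¤ckigkeit" is UTF-8 text that was read once as ISO-8859-1 (the two bytes of "ä", C3 A4, became the two characters "Ã" and "¤") and then stored again as UTF-8. The repair is to undo that extra decoding step, with a check that nothing is lost. The following is an added example, not code from the question; the function names are mine, and the two input strings are constructed.

```php
<?php
// Added example, not from the original question. Repairs "double-encoded"
// UTF-8 (UTF-8 bytes that were decoded as ISO-8859-1 and re-encoded as
// UTF-8) by reversing the mistaken decoding, and leaves correct text alone.

function looksLikeMojibake(string $s): bool
{
    // Signature of double-encoded UTF-8: "Ã" or "Â" followed by a Latin-1
    // character in the U+0080..U+00BF range (the lead and continuation bytes
    // of a two-byte UTF-8 sequence, seen as characters).
    return (bool) preg_match('/[\x{00C2}\x{00C3}][\x{0080}-\x{00BF}]/u', $s);
}

function repairDoubleEncodedUtf8(string $s): string
{
    if (!looksLikeMojibake($s)) {
        return $s;
    }
    // Turn each Latin-1 character back into its single byte; the result is
    // the byte sequence that was originally valid UTF-8.
    $bytes = mb_convert_encoding($s, 'ISO-8859-1', 'UTF-8');
    // Accept the repair only if it round-trips (nothing was replaced by '?')
    // and the recovered bytes are valid UTF-8; otherwise keep the input.
    $roundTrip = mb_convert_encoding($bytes, 'UTF-8', 'ISO-8859-1');
    if ($roundTrip !== $s || !mb_check_encoding($bytes, 'UTF-8')) {
        return $s;
    }
    return $bytes;
}

// Constructed inputs: the broken string from the question and an already correct one.
echo repairDoubleEncodedUtf8("HartnÃ¤ckigkeit zahlt sich aus"), "\n";
echo repairDoubleEncodedUtf8("Hartnäckigkeit zahlt sich aus"), "\n";
```

The first call prints "Hartnäckigkeit zahlt sich aus"; the second is returned unchanged because a correctly encoded "ä" never matches the mojibake signature. This kind of repair is a stopgap for data that is already damaged; the usual cause is a UTF-8 table read over a connection that defaulted to Latin-1, which is fixed at the source with `mysqli_set_charset($link, 'utf8mb4')` or `charset=utf8mb4` in the PDO DSN so new rows are never double-encoded in the first place.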