HTMLpurifier remove cc email between tags - htmlpurifier

I'm using HTMLpurifier to sanitize inputs in my PHP application:
I have CC and BCC inputs something like:
Test Admin <test#domain.com>
when I do purify this string, it only keeps: Test Admin (without email between tags)
Please advise!

This probably means you've got an escaping issue somewhere in your pipeline before HTML Purifier - something that's putting E-Mail text into an HTML context without HTML escaping it. HTML you need to purify that looks like this:
<p><label for="id">Email</label><span id="email">Test Admin <test#domain.com></span></p>
...should really look like this:
<p><label for="id">Email</label><span id="email">Test Admin &lt;test#domain.com&gt;</span></p>
If you have no control over the step that's inserting data into the HTML you ultimately want to purify before displaying, you can use this to preprocess your HTML before feeding it to HTML Purifier:
$htmlWithEmail = preg_replace('/<([^<>#]*#[^<>#]*)>/', '&lt;${1}&gt;', $htmlWithEmail);
On the other hand - and I mention this because I know only a little bit about your use-case right now - if you're not actually trying to preserve HTML, if the string you're purifying is literally just Test Admin <test#domain.com> with nothing else (unlike the example I crafted above), htmlspecialchars() should be your weapon of choice when outputting into HTML, not HTML Purifier.
HTML Purifier's purpose is not all-purpose data sanitation, it really does exist only for the use-case where you have HTML, you want to preserve it if it's well-behaved, and then output it as HTML. You can find some more info about escaping for context here: https://stackoverflow.com/a/37641037/245790
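The point in the answer above, shown as an added example (JavaScript rather than the PHP of the original; not code from the answer or from HTML Purifier): the address disappears because an unescaped `<user@host>` is indistinguishable from a tag, so a tag-stripping sanitizer removes it. The right fix is to escape at the point the text enters the HTML; the fallback is the preprocessing regex from the answer, which here accepts either `@` or `#` as the address separator. All names and the sample strings are constructed for this example.

```javascript
// Added example: HTML-escape untrusted text before it lands in an HTML context,
// plus a preprocessing fallback for HTML that already contains a raw "<user@host>".

// Minimal HTML escaper for text content and attribute values.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// The right fix: build the HTML from escaped data, so the angle brackets of the
// address reach the sanitizer (and the browser) as &lt; and &gt;.
function renderEmailField(displayName, address) {
  const text = `${displayName} <${address}>`;
  return `<p><label for="email">Email</label><span id="email">${escapeHtml(text)}</span></p>`;
}

// Fallback when the unescaped HTML is all you get: any "<...>" whose content
// contains an address separator is not a tag, so escape just those spans.
// (The answer's PHP regex keys on "#"; this one accepts "@" or "#".)
function escapeAngleAddresses(html) {
  return html.replace(/<([^<>@#]*[@#][^<>@#]*)>/g, (m, inner) => `&lt;${inner}&gt;`);
}

// Stand-in for a tag-stripping sanitizer, to show why the raw address is lost.
function stripTags(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Constructed demonstration input.
const raw = '<span id="email">Test Admin <test@domain.com></span>';
console.log(stripTags(raw));                        // address gone: "Test Admin "
console.log(stripTags(escapeAngleAddresses(raw)));  // address kept as escaped text
console.log(renderEmailField('Test Admin', 'test@domain.com'));
```

Run the preprocessor only on HTML you could not escape at insertion time; once every text node is escaped where it is inserted, the regex has nothing left to do.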

Related

How can I use the only directive inline by using role in python-sphinx?

In python-sphinx there is the only directive, which can be used to conditionally influence the document according to its output. For instance text appears in html or latex only.
It is used like this:
.. only:: not latex

   Here there is some Text, that does not appear in latex output.

.. only:: html

   Here there is some Text, that only appears in html output.
How can I use the role directive in the right way to use the only-class inline, let's say like this:
Here there is some Text, that :only-notlatex:`does not appear in latex`:only-html:`only appears in html`.
I saw something similar for the raw directive. Is this also possible for the only directive? I tried:
.. role:: only-html(only)
   :format: html

.. role:: only-notlatex(only)
   :format: not latex
But this does not work.
Directives work on blocks of text (whole paragraphs); roles are for inline text (within paragraphs).
You mentioned raw, and there is indeed both a directive and a role with that name, for "raw data pass-through".
But there is no built-in role that is the inline equivalent of the only directive. You will have to create your own custom role for this purpose. I can't provide any detailed instructions, but here is an article that can help you get started: http://doughellmann.com/2010/05/09/defining-custom-roles-in-sphinx.html.

Using ngSanitize to allow some html tags

I have an insecure string from the user that I want to display.
I want a few html-tags like < strong > (without spaces) to work.
All other html should be displayed like it was typed in (that is < should be replace with & lt; and so on)
I'm pretty sure I can use ngSanitize to do this but I can't figure out how.
$compileProvider allows you to set up sanitization "whitelists" for HREF and SRC URLs:
app.config(function($compileProvider) {
  var imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file):|data:image\//;
  $compileProvider.imgSrcSanitizationWhitelist(imgSrcSanitizationWhitelist);
});
However, the whitelists for "safe" tags are hard-coded and can't be changed the same way. You can see the list here in the source:
https://github.com/angular/angular.js/blob/master/src/ngSanitize/sanitize.js#L186
There is an open request to enhance this functionality:
https://github.com/angular/angular.js/issues/5900
But it has not been completed (yet).
In the meantime, you have a few options:
"Fork" the project and adjust ngSanitize to suit your purposes. Most people don't like to "hack core" in this way, but it's the whole point of Open Source to be able to do things like this. This module doesn't change so much that it would be that hard to keep it relatively up to date as you develop your project.
Live with the list defined there. Most of the time you find that this list is actually pretty good, and it's just that IMG or A HREF tags are broken. That's not because the tag is filtered - that's because THOSE are white-listed separately, and you can use the technique above to accept specific URLs into each of those tags as "safe".
By the way, there is now a possibility.
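For the behaviour the question asks for (a few tags such as `<strong>` kept, everything else shown exactly as typed), here is an added allowlist sanitizer in plain JavaScript. It is not ngSanitize's code and does not change ngSanitize's hard-coded list; it is a separate function you could run before handing the result to the view. The allowed-tag set, the function names and the sample input are assumptions made for this example.

```javascript
// Added example: keep a small allowlist of bare tags, escape everything else.
// Only "<tag>" / "</tag>" with no attributes is treated as markup; tags with
// attributes, unknown tags and stray closing tags are escaped as literal text.

const ALLOWED_TAGS = new Set(['strong', 'em', 'b', 'i']); // assumed allowlist

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

function sanitizeAllowlist(input, allowed = ALLOWED_TAGS) {
  const open = []; // stack of currently open allowed tags, to keep output balanced
  let out = String(input).replace(
    // one token at a time: a bare tag, a run of text, or a lone "<"
    /<(\/?)([A-Za-z][A-Za-z0-9]*)\s*>|[^<]+|</g,
    (token, slash, tagName) => {
      if (tagName === undefined) return escapeHtml(token);      // text or lone "<"
      const name = tagName.toLowerCase();
      if (!allowed.has(name)) return escapeHtml(token);         // e.g. <script>
      if (slash === '') { open.push(name); return `<${name}>`; }
      if (open[open.length - 1] === name) { open.pop(); return `</${name}>`; }
      return escapeHtml(token);                                 // stray </tag>
    });
  while (open.length) out += `</${open.pop()}>`;                // auto-close
  return out;
}

// Constructed sample input.
console.log(sanitizeAllowlist('Hi <strong>bold</strong> & <script>x</script> 1 < 2 <b>open'));
```

Because attributes are never passed through, `<strong onclick="...">` is not markup here and is rendered as text, which is the behaviour the question describes for "all other html".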

DotNetNuke parse HTML before display

Could anyone tell me if there's some way of "hooking in" to DotNetNuke so that I can, for example, search and replace text for ALL HTML modules on the site?
e.g. if I use an HTML editor and enter the text {{replace_me}}, then I could have some code that detects "{{replace_me}}" every time a page is rendered and replace it with something else.
Please note that this is a simple example - there may be other ways of "replacing" text - however the actual use case we have is very specific and there will be some significant processing to decide what to replace :) - so whatever solution we implement should basically be:
Get HTML from DB -> Process it however we wish in full C# -> Deliver the modified string.
Thanks!
I believe you can do this with the use of an HTTPModule. Ifinity.com.au used to sell a module that did this, looks like you might be able to download it now for free (maybe?) at http://www.ifinity.com.au/Products/Inline_Link_Master/Product_Details

W3C validation - unable to pass arrays in href

I am using w3c validator with html5. I have an array afilter[]=abc I am passing in the href and I have tried escaping the brackets as follows:
<a href='slideshowform.php?x=y&afilter[]=abc'>phases of matter</a>
But I am still getting the error:
Bad value slideshowform.php?x=y&afilter[]=abc for attribute href on element a: Illegal character in query component.
How can I pass an array without getting errors - or did I escape the brackets incorrectly?
You have to URL encode it, not HTML encode it. Your URL would have to look like the following:
slideshowform.php?x=y&afilter%5B%5D=abc
Most programming languages have stuff like this built in (e.g. rawurlencode() in PHP or encodeURI in JavaScript) or you can simply use an online service like (no affiliation, just one of the first search results) http://www.url-encode-decode.com/
Of course it’s a good idea to encode the HTML reserved characters for outputting the link in an HTML document as well. So you’d end up with the following URL within your HTML document.
slideshowform.php?x=y&amp;afilter%5B%5D=abc
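The two encoding layers described in the answer, as an added JavaScript example (not code from the answer): URL-encode each query component first, then HTML-escape the finished URL when it goes into an `href` attribute. The function names and parameter values are constructed for this example.

```javascript
// Added example: URL-encode query parts, then HTML-escape for the href attribute.

// Encode key and value separately so "[", "]" and any "&" or "=" inside a value
// are escaped; encodeURI on the whole string would leave "&" and "=" alone.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Escape the characters that matter inside a double-quoted HTML attribute.
const escapeAttr = (s) =>
  String(s).replace(/[&<>"]/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));

function renderLink(path, params, text) {
  const url = `${path}?${buildQuery(params)}`;       // URL context
  return `<a href="${escapeAttr(url)}">${escapeAttr(text)}</a>`; // HTML context
}

console.log(renderLink('slideshowform.php', { x: 'y', 'afilter[]': 'abc' }, 'phases of matter'));
```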

Sublime Text 2: Different language highlighting based on context? (a la Webstorm)

I was watching some videos on Egghead.io about AngularJS. The creator of the videos uses Webstorm (and, I believe, works for them). One feature I noticed is that he can set different syntax highlighting within different scopes or quotation marks. So, in code like the following (from an AngularJS directive)
return {
template: '<div>something</div>',
// ^^^ these guys ^^^
}
...he can get the inside of the quotation marks to highlight as HTML.
I use Sublime Text 2, and am fairly wedded to it. Is there an existing feature/plugin for Sublime that could handle a case like this? If not, is something like this technically possible using the Sublime Text 2 API?
I don't think it's built in, but it's certainly possible. I've been doing some work with graphviz and wanted to do something similar. Labels can be generated with html like syntax. Anyways, I played around with the .tmLanguage file and added a new pattern to match the context where html like entries were valid (I look for label = <). The patterns I used for the captures aren't that good, but it works fine for me. This gives me the following, which I think is similar to what you are looking for.
I don't know anything about AngularJS, so I can't help you with anything specific to that, but it is certainly possible. Note that in the image below, the last <table></table> are just to show that highlighting doesn't occur there.
Edit:
Forgot to include this in the original post, but here is my updated tmLanguage file. That first pattern is what I added (link). I used PlistJsonConverter to go from JSON to plist, then saved the file as .tmLanguage. Hope this helps.
#skuroda is right, I implemented #skuroda's code with an additional plugin to easily edit HTML within an AngularJS directive JS file. The result is HTML syntax highlighting within a directive JS file and additional functionality to remove string related delimiters while editing templates.... Sublime AngularJS HTML Template Plugin