I am using w3c validator with html5. I have an array afilter[]=abc I am passing in the href and I have tried escaping the brackets as follows:
<a href='slideshowform.php?x=y&afilter[]=abc'>phases of matter</a>
But I am still getting the error:
Bad value slideshowform.php?x=y&afilter[]=abc for attribute href on element a: Illegal character in query component.
How can I pass an array without getting errors - or did I escape the brackets incorrectly?
You have to URL encode it, not HTML encode it. Your URL would have to look like the following:
slideshowform.php?x=y&afilter%5B%5D=abc
Most programming languages have stuff like this built in (e.g. rawurlencode() in PHP or encodeURI in JavaScript) or you can simply use an online service like (no affiliation, just one of the first search results) http://www.url-encode-decode.com/
Of course it’s a good idea to encode the HTML reserved characters for outputting the link in an HTML document as well. So you’d end up with the following URL within your HTML document.
slideshowform.php?x=y&afilter%5B%5D=abc
Related
I'm using HTMLpurifier to sanitize inputs in my PHP application:
I have CC and BCC inputs something like:
Test Admin <test#domain.com>
when I do purify this string, it only keeps: Test Admin (without email between tags)
Please advise!
This probably means you've got an escaping issue somewhere in your pipeline before HTML Purifier - something that's putting E-Mail text into an HTML context without HTML escaping it. HTML you need to purify that looks like this:
<p><label for "id">Email</label><span id="email">Test Admin <test#domain.com></span></p>
...should really look like this:
<p><label for "id">Email</label><span id="email">Test Admin <test#domain.com></span></p>
If you have no control over the step that's inserting data into the HTML you ultimately want to purify before displaying, you can use this to preprocess your HTML before feeding it to HTML Purifier:
$htmlWithEmail = preg_replace('/<([^<>#]*#[^<>#]*)>/', '<${1}>', $htmlWithEmail);
On the other hand - and I mention this because I know only a little bit about your use-case right now - if you're not actually trying to preserve HTML, if the string you're purifying is literally just Test Admin <test#domain.com> with nothing else (unlike the example I crafted above), htmlspecialchars() should be your weapon of choice when outputting into HTML, not HTML Purifier.
HTML Purifier's purpose is not all-purpose data sanitation, it really does exist only for the use-case where you have HTML, you want to preserve it if it's well-behaved, and then output it as HTML. You can find some more info about escaping for context here: https://stackoverflow.com/a/37641037/245790
I'm creating a route using the Java DSL in Camel.
I'd like to perform a text substitution without creating a new processor or bean.
I have this:
.setHeader(MY_THING,
constant(my_template.replace("{id1}", simple("${header.subs_val}").getText())))
If I don't add 'constant' I get type mismatch errors. If I don't put getText() on the simple() part, I get text mismatch answers. When I run my route, it replaces {id} with the literal ${header.subs_val} instead of fetching my value from the header. Yet if I take the quotes off, I get compile errors; Java doesn't know the ${...} syntax of course.
Deployment takes a few minutes, so experiments are expensive.
So, how can I just do a simple substitution. Nothing I am finding on the web actually seems to work.
EDIT - what is the template? Specifically, a string (it's a URL)
http://this/that/{id1}/another/thing
I've inherited some code, so I am unable to simply to(...) the URL and apply the special .tof() (??) formatting.
Interesting case!
If you place my_template in a header you could use a nested simple expression(Camel 2.9 onwards) like in the example below. I am also setting a value to subs_val for the example, but I suppose your header has already a value in the route.
.setHeader("my_template", constant("http://this/that/{id1}/another/thing"))
.setHeader("subs_val",constant("22"))
.setHeader("MY_THING",simple("${in.header.my_template.replaceAll(\"\\{id1.?\",${in.header.subs_val.toString()})}"))
After this step header MY_THING has the value http://this/that/22/another/thing.
1)In this example I could skip to_String() but I do not know what's the type of your header "subs_val" .
2) I tried first with replaceAll(\"\{id1\"}\") but it didn't work with } Probably this is a bug...Will look at it again. That's why in my regex I used .?
3) When you debug your application inside a processor, where the exchange is available you can use SimpleBuilder to evaluate a simple expression easily in your IDE, without having to restart your app
SimpleBuilder.simple("${in.header.url.replaceAll(\"\\{id1.?\",${in.header.subs_val.toString()})}").evaluate(exchange, String.class);
Hope it helped :)
Let's say we are passing data from apache velocity to angularjs and the data is some string that contain quotes,
the error on screen:
Error: [$parse:lexerr] http://errors.angularjs.org/1.2.22/$parse/lexerr?
p0=Unterminated%20quote&p1=s%20327-
my code :
<span ng-init='draftDemands=$draftDemands;'>
how to solve this problem
When i use $esc.xml($draftDemands), it work my last example,
Are you escaping characters in Velocit's generated code? https://velocity.apache.org/tools/2.0/apidocs/org/apache/velocity/tools/generic/EscapeTool.html
Check also how angular does escaping via: Strict Contextual Escaping. So there is no need to render characters as HTML explicitly.
This discussion could put some more light on the case.
This should also work: how to pass special characters into ng-init in angularjs from python
Two questions:
I have been reading docs and SO posts.. and know how to do it the long way (defining each and every element and attribute myself), but all I want to do is add 2 or 3 attributes to the default whitelist.. so that I do not have to constantly find and add more elements/attributes to, e.g., HTML.AllowedElements and/or HTML.AllowedAttributes.
Specifically, now, (for internal trusted users) I need to allow javascript attributes (input from tinymce). Question #1.) Is there a way to just add an attribute (to what HTMLpurifier allows) without causing the whole default sets of allowed elements/attributes to be effectively wiped out (overwritten by ONLY what is explicitly written in HTML.AllowedElements or HTML.AllowedAttributes)?
For what I need right now (the javascript attributes), I got excited when I saw in this thread:
Whitelist Forms in HTML Purifier Configuration
...where Edward Z. Yang says, "... [$config->set('HTML.Trusted', true);] allows JavaScript."
...but even after setting this: $config->set('HTML.Trusted', true);, HTMLpurifier 4.4.0 is still stripping e.g. any input onclick="dostuff();" attribute. Why? Question #2.) Is there a quick way to add just the javascript attributes to the allowed list?
You're losing onclick because HTML Purifier doesn't know about that attribute, and if HTML Purifier passed everything through when you turned on %HTML.Trusted you might as well just not use HTML Purifier at all.
HTML Purifier has attribute collections for just this case; 'Common' is probably the right one to insert them into.
But... why? The real name of %HTML.Trusted really should be %HTML.UnsafeMakeMyApplicationVulnerable
HTMLPurifier does not support onClick and similar java script related attributes to any HTML element as a default behaviour.So if you wish to allow such attribute any way, you may add such attribute to specific element in following way.
$config = HTMLPurifier_Config::createDefault();
$def = $config->maybeGetRawHTMLDefinition()
$def->addAttribute('a', 'onclick', 'Text');
But be careful, this may lead to xss attack as you are allowing any java script code to be there in that attribute.
I'm trying to have a mailto: body with multiple paragraphs and a URL. I should probably note this is for a mobile web application.
Is there a reason why I can't use \n (even inside JavaScript strings) for new lines? Instead, I'm using %0D%0A.
I'd like to enclose my URL in <>'s so email clients can properly identify it as a URL, but when I try to do that the entire URL doesn't show up at all in the body. Is it being escaped, or something? How do I fix this/use <>'s to wrap it?
Thanks!
have you tryed encoding the values with javascript?
eg
<a href="demo#email.com?subject='+encodeURI('emailSubject')+'&body='+encodeURI('emailBody')+'">