Allowing local URL in Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment - antixsslibrary

Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment seems to strip all links into <a>link</a>.
Is there any way to preserve local URLs, e.g. <a href="/Product/1">, when passing them into Sanitizer.GetSafeHtmlFragment?
Note: I'm using AntiXSS 4.2.1

The AntiXSS library has been broken for a few months now. There's no way around this problem, unfortunately. Either you roll back to a previous version, or search for something else to use.

Related

Href opening link in http://localhost:3000/LINK rather than opening the link separately [duplicate]

I just have created primitive html page. Here it is: example
And here is its markup:
www.google.com
<br/>
http://www.google.com
As you can see it contains two links. The first one's href doesn't have 'http'-prefix and when I click this link browser redirects me to non-existing page https://fiddle.jshell.net/_display/www.google.com. The second one's href has this prefix and browser produces correct url http://www.google.com/. Is it possible to use hrefs such as www.something.com, without http(s) prefixes?
It's possible, and indeed you're doing it right now. It just doesn't do what you think it does.
Consider what the browser does when you link to this:
href="index.html"
What then would it do when you link to this?:
href="index.com"
Or this?:
href="www.html"
Or?:
href="www.index.com.html"
The browser doesn't know what you meant, it only knows what you told it. Without the prefix, it's going to follow the standard for the current HTTP address. The prefix is what tells it that it needs to start at a new root address entirely.
Note that you don't need the http: part, you can do this:
href="//www.google.com"
The browser will use whatever the current protocol is (http, https, etc.) but the // tells it that this is a new root address.
You can omit the protocol by using // in front of the path. Here is an example:
Google
By using //, you can tell the browser that this is actually a new (full) link, and not a relative one (relative to your current link).
I've created a little function in React project that could help you:
const getClickableLink = link => {
  return link.startsWith("http://") || link.startsWith("https://")
    ? link
    : `http://${link}`;
};
And you can implement it like this:
const link = "google.com";
<a href={getClickableLink(link)}>{link}</a>
Omitting the protocol by just using // in front of the path is a very bad idea in terms of SEO.
OK, most modern browsers will work fine. On the other hand, most robots will have trouble scanning your site. Majestic will not count the flow from those links. Audit tools, like SEMrush, will not be able to perform their jobs.
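Added example, not part of the original posts: how the WHATWG URL parser (the one browsers and Node.js use) resolves the href forms discussed in the two threads above, plus an allow-list check that keeps only links staying on the current origin, which is the "local URL" case from the AntiXSS question. The base URL and the function names `resolveHref` and `keepLocalHref` are assumptions chosen for illustration; this is not how AntiXSS itself works.

```javascript
// Constructed base: the page the two links in the question were served from.
const BASE = "https://fiddle.jshell.net/_display/";

// Resolve an href the way a browser would and classify the result.
function resolveHref(href, base = BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return { kind: "invalid", resolved: null };
  }
  // Anything that is not http(s) (javascript:, data:, mailto:, ...) is set apart.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { kind: "other-scheme", resolved: url.href };
  }
  const sameOrigin = url.origin === new URL(base).origin;
  return { kind: sameOrigin ? "local" : "external", resolved: url.href };
}

// Allow-list filter for a sanitizer: return a normalized local path,
// or null when the link would leave the current origin.
function keepLocalHref(href, base = BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return null;
  }
  if (url.origin !== new URL(base).origin) return null;
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs covering the cases from both threads.
const samples = [
  "www.google.com",        // no scheme: relative to the current path
  "http://www.google.com", // absolute
  "//www.google.com",      // protocol-relative: new host, current scheme
  "/Product/1",            // local path from the AntiXSS question
  "/\\www.google.com",     // backslash is parsed like "/", so this is a new host
  "javascript:alert(1)",   // non-http scheme
];
for (const href of samples) {
  const { kind, resolved } = resolveHref(href);
  console.log(href.padEnd(24), kind.padEnd(13), resolved);
}
```

Comparing the resolved origin, rather than testing whether the string starts with "/", is what catches the `//` and `/\` forms.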

Set default date for zul datebox

I inherited a legacy website written in old zul and have to add new datebox component for birthday datepicker.
Have added a constraint to accept dates before a given date but that triggers an error alertbox from start as the date presented/selected by default on the datepicker is today.
I wouldn't want to use a workaround, but with all due respect it seems like this is some over-the-top feature I'm looking for in ZK's reality:
The main showcase for zul does include a birthday datebox, but it is pretty lame as it doesn't contain any constraint on age.
There is a ZK fiddle to show how the before constraint works, but that just proves my point that it doesn't select the first proper date for default date at least, if there is no clean way of setting it.
There is forum post that proposes a workaround to set the default year, so Zk is most probably incapable of doing this without a workaround.
There is an open ZK Jira issue from 2017 that addresses somewhat this issue, with a proposed solution pretty much the same as the workaround mentioned in the above point - so the hope is kinda lost, have to go on the workaround route.
I did try that workaround (after the forum post, as that has default year), but the workaround doesn't work for me. It does execute the
this.setValue(initialDate);
And I see that the value is set into the datebox's _pop/_value and _pop/_end nodes, but no difference is visible on the datepicker box; today is still preselected although it is greyed out - so no effect.
Still, when I try it in a fiddle with version 6.5.8.1, the oldest engine that exists, it does work, but not locally with v5.0.11.
In the buglist for this version there is no mention of datebox. Tried to look into some bugs that might be interfering but turns out it was just another episode of me wasting time with this.
Tried in the 5.0.11 sandbox and it doesn't work with that version. The structure of how I use it is imitated in the linked fiddle. Hints on a workaround that works on this version?
ZK 5.0.11 is a bit on the older side currently, so it might not accept exactly the same overrides as later versions. If I understand the issue correctly, it boils down to either
1 - setting a value before Datebox is rendered to have an "initial date" opened in the calendar.
I'd say that's the easy way out, since you can use either composing or databinding to set the value of the datebox during page rendering. Here's a small sample using databinding and zscripts, but the same logic should apply from composer with setValue(). You mentioned that this doesn't work for you locally with 5.0.11 though. Can you share the code that you are using for this? Sample code here in fiddle. I can run it on local 5.0.11, and it sets the date before the popup is opened.
or
2 - setting an initial date (which doesn't affect the selected value) but would be the target for the opened calendar.
This is not a default ZK 5 behavior for datebox. If you want that effect, you would need to customize it using an override script. The simplest way I can think of in ZK 5 is to use the open event of the datebox popup. Here's an example of what it would look like (packaged in a script tag in a single page for the example; I would use a global js file for real deployment): example here

Manual summary separator becomes HUGOMORE42 with blogdown

I just updated my version of hugo to 0.53 (from a rather old 0.21) and one of the consequences of the update is that string
<!--more-->
that was previously used for identifying the end of the blog post summary is now replaced with the string HUGOMORE42. Also, the summary end is not correctly triggered.
Can anyone point me in a direction to fix this? If I downgrade to an earlier version of HUGO then the problem disappears, so I'm guessing it is an identifier that was changed along the way.
I tried with my old version of the default hugo-lithium-theme and with another theme. It might be a problem with the theme, but if that is the case where can I fix that? (I have various local modifications of the theme in layouts that might be the culprits).
Googling HUGOMORE42 yields quite a number of webpages that appear to have the same problem, so that is not that useful.

gmaps geometa.js not found?

I'm using a plugin which calls http://gmaps-samples-v3.googlecode.com/svn/trunk/geolocate/geometa.js for displaying a map with pins on the homepage. However, this link is not found (404). I've searched for a solution to see what to do, but with no luck.
Is there a new version of this javascript available that I could replace this link with? Not sure how else to put it and hope it makes sense.
Not certain, but I think this is the file.
http://pastebin.com/D22BSvb8
EDIT: Think this is the most up-to-date version: http://pastebin.com/GHpyPTQE

How to use $header in routes

I'm creating a route using the Java DSL in Camel.
I'd like to perform a text substitution without creating a new processor or bean.
I have this:
.setHeader(MY_THING,
constant(my_template.replace("{id1}", simple("${header.subs_val}").getText())))
If I don't add 'constant' I get type mismatch errors. If I don't put getText() on the simple() part, I get text mismatch answers. When I run my route, it replaces {id} with the literal ${header.subs_val} instead of fetching my value from the header. Yet if I take the quotes off, I get compile errors; Java doesn't know the ${...} syntax of course.
Deployment takes a few minutes, so experiments are expensive.
So, how can I just do a simple substitution. Nothing I am finding on the web actually seems to work.
EDIT - what is the template? Specifically, a string (it's a URL)
http://this/that/{id1}/another/thing
I've inherited some code, so I am unable to simply to(...) the URL and apply the special .tof() (??) formatting.
Interesting case!
If you place my_template in a header you could use a nested simple expression (Camel 2.9 onwards) like in the example below. I am also setting a value to subs_val for the example, but I suppose your header already has a value in the route.
.setHeader("my_template", constant("http://this/that/{id1}/another/thing"))
.setHeader("subs_val",constant("22"))
.setHeader("MY_THING",simple("${in.header.my_template.replaceAll(\"\\{id1.?\",${in.header.subs_val.toString()})}"))
After this step header MY_THING has the value http://this/that/22/another/thing.
1) In this example I could skip to_String() but I do not know what's the type of your header "subs_val".
2) I tried first with replaceAll(\"\{id1\"}\") but it didn't work with }. Probably this is a bug... Will look at it again. That's why in my regex I used .?
3) When you debug your application inside a processor, where the exchange is available, you can use SimpleBuilder to evaluate a simple expression easily in your IDE, without having to restart your app.
SimpleBuilder.simple("${in.header.url.replaceAll(\"\\{id1.?\",${in.header.subs_val.toString()})}").evaluate(exchange, String.class);
Hope it helped :)
