I've got some aspx pages being created by the user from a template. Included is some string replacement (anything with ${fieldname}), so a portion of the template looks like this:

<% 
  string title = @"${title}";
%>
<title><%=HttpUtility.HtmlEncode(title) %></title>

When an aspx file is created from this template, the ${title} gets replaced by the value the user entered.

But obviously they can inject arbitrary HTML by just closing the double quote in their input string. How do I get around this? I feel like it should be obvious, but I can't figure a way around this.

I have no control over the template instantiating process -- I need to accept that as a given.

A: 

If they include a double quote in their string, that will not inject arbitrary HTML, but arbitrary code, which is even worse.

You can use a regex to filter the input string. I would use an inclusive regex rather than trying to exclude dangerous chars. Only allow them A-Za-z0-9 and whitespace.

Jason Coyne
You're right, they can insert either code or html, either one. As in my comment to the other answer, I can't get it into a variable to begin with, so it's hard to process it after the fact. This operation will be done by logged-in users, not the public, so it may just be something I can live with. But I was hoping there was a way around this just to avoid crabbing from the IT staff.
Clyde
do you not control the code that applies the variables to the template?
Jason Coyne
A: 

Not sure i understand fully, but...

Try using a regex to strip html from the title instead of html encoding it:

using System.Text.RegularExpressions;

// Removes anything that looks like an HTML tag; it does nothing about double quotes.
public string StripHTML(string text)
{
    return Regex.Replace(text, @"<(.|\n)*?>", string.Empty);
}

Is this possible?

<% 
  string title = Regex.Replace(@"${title}", @"<(.|\n)*?>", string.Empty);
%>

or

<title><%=HttpUtility.HtmlEncode(System.Text.RegularExpressions.Regex.Replace(title, @"<(.|\n)*?>", string.Empty)) %></title>
BigBlondeViking
And how do I safely get the template-replaced text into the variable 'text'? That's the whole problem!
Clyde
How are the end users creating the templates? why can you filter the content on save instead of on display?
BigBlondeViking
I'm creating the template -- the code in my question is code I have control over. They're pushing a button saying, "Create a new file from template" and they get a form where they can fill in the 'title'. The file that's created gets a copy of the template file with all the ${} tags replaced.
Clyde
I would still do processing on the form submit, if possible, so it isn't done every time the page is rendered.
BigBlondeViking
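To make the point of the two answers above concrete, here is an added simulation in Python (not code from the thread, and not ASP.NET itself). It mimics the raw ${title} substitution into the question's template, then walks the resulting C# verbatim string literal to find where it really ends, so you can see exactly which text the ASP.NET compiler would treat as code. The allow-list is the one from the first answer; strip_html is a port of the StripHTML helper from the second; the template text, the sample titles and the helper names are constructed for this example.

```python
import re

# Constructed stand-in for the template in the question. The ${title}
# token sits inside a C# verbatim string literal (@"..."), and the
# instantiation step that fills it in does no escaping at all.
TEMPLATE = '''<%
  string title = @"${title}";
%>
<title><%=HttpUtility.HtmlEncode(title) %></title>
'''

# Constructed sample inputs: one ordinary title, one that closes the
# literal and continues with C# statements of its own. Note the hostile
# one contains no '<' or '>' at all.
BENIGN_TITLE = "Quarterly report 2"
HOSTILE_TITLE = '"; Response.Write("owned"); string junk = @"'


def instantiate(template, values):
    """Naive ${name} substitution, mirroring the instantiation process the
    asker cannot change: the raw value is spliced into the source text."""
    return re.sub(r"\$\{(\w+)\}",
                  lambda m: values.get(m.group(1), m.group(0)), template)


def verbatim_literal_end(code, start):
    """Index just past the C# verbatim string literal that opens at `start`
    (the position of the @). Inside @"...", a doubled quote "" is the only
    escape; any lone double quote terminates the literal."""
    if not code.startswith('@"', start):
        raise ValueError("no verbatim string literal at offset %d" % start)
    i = start + 2
    while i < len(code):
        if code[i] == '"':
            if code[i + 1:i + 2] == '"':
                i += 2          # "" is an escaped quote, stay inside
                continue
            return i + 1        # lone quote: the literal ends here
        i += 1
    raise ValueError("unterminated verbatim string literal")


def code_after_title_literal(page):
    """Return the C# that follows the title literal inside the <% %> block.
    For a benign title this is just the ';' the template wrote; anything
    more is attacker-supplied code that the ASP.NET compiler will build."""
    start = page.index('@"')
    end = verbatim_literal_end(page, start)
    block_end = page.index("%>", end)
    return page[end:block_end].strip()


# The allow-list from the first answer: letters, digits and whitespace
# only. Checked on the form submit, before the value reaches the template.
TITLE_ALLOWED = re.compile(r"[A-Za-z0-9\s]+")


def is_safe_title(value):
    return TITLE_ALLOWED.fullmatch(value) is not None


def strip_html(text):
    """Port of StripHTML from the second answer: removes tag-like text,
    which does nothing about a double quote."""
    return re.sub(r"<(.|\n)*?>", "", text)


def escape_for_verbatim(value):
    """The one escape a verbatim literal needs. It only helps if the
    instantiation step applies it, which the asker says it does not."""
    return value.replace('"', '""')


if __name__ == "__main__":
    for title in (BENIGN_TITLE, HOSTILE_TITLE, strip_html(HOSTILE_TITLE)):
        page = instantiate(TEMPLATE, {"title": title})
        print(repr(title))
        print("  allow-list accepts:", is_safe_title(title))
        print("  code after literal:", repr(code_after_title_literal(page)))
```

Run it and the hostile title leaves `; Response.Write("owned"); string junk = @"";` sitting in the code block after an empty literal, with or without strip_html; the allow-list rejects it because of the quote, and escape_for_verbatim would neutralise it, but only if the replacement step called it.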
A: 

Take a look at this article...

http://msdn.microsoft.com/en-us/library/a2a4yykt.aspx

JeffWask
Misses the point. Once I have the data in a C# string variable, then of course I can HtmlEncode or HtmlAttributeEncode or whatever. You can see that right in my question. The difficult part is, how do I structure the template so that when the template is instantiated, the simple string replacement for template parameters leads to code that is, or can be properly escaped. I'm suspecting at this point that it isn't possible.
Clyde
+1  A: 

Can you store their values in another file(xml maybe) or in a database? That way their input is not compiled into your page. Then you just read the data into variables. Then all you have to worry about is html, which your html encode would take care of.

Ted Elliott
This seems like the only way it could work -- the value gets put in some kind of holding area and then a separate process reads and injects it into the aspx template.
Clyde
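As an added example of the approach in this answer (not code from the thread), here is a Python simulation of keeping the title out of the compiled page entirely: the form handler writes the value to a side store keyed by the new page's path, the template carries only a lookup call, and the page HTML-encodes whatever comes back at render time. TitleStore, the lookup expression in the template, the page path and the sample titles are all assumptions made for this example; the thread only says "another file (xml maybe) or a database".

```python
import html
import json

# Constructed stand-in for a template that carries no user data at all.
# The page asks a store for its title at render time, keyed by its own
# path. The TitleStore.Get call is a hypothetical name for this example.
TEMPLATE = '''<%
  string title = TitleStore.Get(Request.AppRelativeCurrentExecutionFilePath);
%>
<title><%=HttpUtility.HtmlEncode(title) %></title>
'''


class TitleStore:
    """In-memory stand-in for the XML file or database table. Values are
    kept as data; nothing in here is ever spliced into source code."""

    def __init__(self):
        self._values = {}

    def put(self, page_path, title):
        self._values[page_path] = title

    def get(self, page_path):
        return self._values.get(page_path, "")

    def to_json(self):
        # What the "other file" would contain on disk.
        return json.dumps(self._values, sort_keys=True)


def create_page(store, page_path, user_title):
    """Form-submit handler. The user's title goes to the store under the
    new page's path; the file written to disk is the template itself, so
    its C# contains only what the developer wrote."""
    store.put(page_path, user_title)
    return TEMPLATE


def render_title_tag(store, page_path):
    """Render-time step the template performs: look the title up, then
    HTML-encode it. html.escape(quote=True) does the same job here as
    HttpUtility.HtmlEncode for & < > and the quote characters."""
    return "<title>%s</title>" % html.escape(store.get(page_path), quote=True)


def user_input_reached_source(page_source, user_title):
    """True if the user's text appears verbatim in the page source."""
    return user_title in page_source


# Constructed samples: a title an allow-list would have to reject even
# though it is perfectly reasonable as data, and the quote-breakout one.
SAMPLE_PATH = "~/pages/faq.aspx"
SAMPLE_TITLE = 'Q&A: "Best" <practices> for the team'
HOSTILE_TITLE = '"; Response.Write("owned"); string junk = @"'

if __name__ == "__main__":
    store = TitleStore()
    for title in (SAMPLE_TITLE, HOSTILE_TITLE):
        source = create_page(store, SAMPLE_PATH, title)
        print("in source:", user_input_reached_source(source, title))
        print("rendered :", render_title_tag(store, SAMPLE_PATH))
    print("store    :", store.to_json())
```

Because the title never passes through the substitution step, the only context you have to encode for is HTML, and you no longer need to restrict what a title may contain.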