How do I escape an apostrophe in my variable name within ejs - node.js

I have an ejs file in my sails application that looks like this
<a href='/<%= viewname %>?where={"name":"<%= profile.pname %>"}'>
This works for most of the names with the exception of one that has an apostrophe in it. Essentially EJS parses the apostrophe as a single quote which closes the href and makes the name I'm passing incorrect
http://localhost:1337/myviewnamwe?where={"name":"tom
where it should be
http://localhost:1337/myviewnamwe?where={"name":"tom's diner"}

I would use URL encoding for the critical part: {"name":"<%= profile.pname %>"}
More info:
http://www.ruby-doc.org/stdlib-1.9.3/libdoc/uri/rdoc/URI/Escape.html
http://www.w3schools.com/tags/ref_urlencode.asp
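An added example, not from the original post, of what "URL-encode the critical part" looks like when the link is built in two layers: percent-encoding for the query value and HTML attribute escaping for the markup around it. `encodeURIComponent` leaves the apostrophe alone, which is exactly the character that broke the single-quoted href in the question, so the example uses the stricter RFC 3986 form. Function names and the round-trip parser are assumptions for illustration; EJS's `<%= %>` escaper covers `'` in current versions, but doing the URL layer yourself makes the link correct regardless of how the attribute is quoted.

```javascript
// Added example (not from the original post). Builds the href from the
// question in two encoding layers: percent-encoding for the URL query value,
// then HTML attribute escaping for the surrounding markup.
// Function names (percentEncodeStrict, buildProfileUrl, ...) are assumptions.

// RFC 3986 strict percent-encoding: encodeURIComponent leaves ' ( ) ! *
// untouched, so an apostrophe would still reach the attribute as a raw quote.
function percentEncodeStrict(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Escape for an HTML attribute value; covers both ' and " delimited attributes.
function escapeAttr(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// URL layer: the JSON "where" clause becomes one opaque query value.
function buildProfileUrl(viewname, pname) {
  const where = JSON.stringify({ name: pname });
  return "/" + percentEncodeStrict(viewname) + "?where=" + percentEncodeStrict(where);
}

// HTML layer: the finished URL and the link text are escaped for their contexts.
function buildProfileLink(viewname, pname) {
  return "<a href='" + escapeAttr(buildProfileUrl(viewname, pname)) + "'>" +
    escapeAttr(pname) + "</a>";
}

// What the receiving route recovers from the query string (round-trip check).
function parseWhere(url) {
  const q = url.split("?where=")[1];
  return JSON.parse(decodeURIComponent(q));
}
```

The apostrophe arrives at the route intact as `%27`, and a name containing `<` or `"` never reaches the attribute as a raw character because the URL layer has already percent-encoded it.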

Related

NodeJS Printing object json to html

I am trying to print a NodeJS object as simple json in EJS template file.
I am defining the object in NodeJs and trying to print it in EJS file like this:
<%= JSON.stringify(objName) %>
This is encoding double quotes (") in some format and giving me output like this:
{"_id":"5c3587b78ff1928c5124bf6d","name":"Sourabh Bajaj","role":10,"roleName":"InstituteAdmin","mobileNumber":"+919166677890","email":"sorbhb#gmail.com","mobileVerified":true,"emailVerified":true,"instituteId":"5c3586308ff1928c5124bf24","passwordResetKey":"","success":true,"errorCode":200};
If I don't stringify it, it give me [Object object] as output.
Found the answer. EJS template somehow encodes double quotes when you use <%= %>.
If you don't want that, use <%- %> tags instead.
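An added example, not from the original post, showing why `<%= %>` entity-encodes the output of `JSON.stringify`, what `<%- %>` leaves in place, and the third option a practitioner wants when the JSON is going into a `<script>` block: keep it valid JSON but `\u`-escape the characters that matter to the HTML parser. The entity mapping is modelled on EJS's default escaper; function names and the sample profile are assumptions.

```javascript
// Added example, not from the original post. Contrasts EJS-style entity
// encoding (<%= %>), raw output (<%- %>) and a <script>-safe JSON encoding.
// Function names and the sample data are assumptions for illustration.

// What <%= %> does to the JSON (modelled on EJS's default escape rules).
// Safe as HTML text, but no longer valid JSON for a script.
function htmlEscape(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"
  })[c]);
}

// What <%- %> does: nothing. A value containing "</script>" closes the
// script element early and everything after it is parsed as HTML markup.
function rawJson(obj) {
  return JSON.stringify(obj);
}

// Script-safe JSON: replace <, >, & and the U+2028/U+2029 line terminators
// with JSON \u escapes. JSON.parse gives back the original object, and the
// text can never contain "</script>" or "<!--".
function scriptSafeJson(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderScriptTag(obj) {
  return "<script>var data = " + scriptSafeJson(obj) + ";</script>";
}

// Constructed sample input with a hostile field.
const profile = { name: "Sourabh", note: "</script><script>alert(1)</script>" };
```

Use `<%- %>` only with a value that has already been through something like `scriptSafeJson`; `<%- JSON.stringify(obj) %>` inside a `<script>` is the pattern the hostile `note` field above breaks out of.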

Does heist support substituting (strings / JSON) into an arbitrary location within a template?

Regarding heist, I've got a template such as:
<script>
var json = ???;
</script>
<h1>Example</h1>
Is there a way to substitute the ??? string with another string?
I think the following function might be the solution https://hackage.haskell.org/package/heist-1.0.1.0/docs/Heist-Splices-Json.html#v:bindJson but I have difficulty understanding that function and or what markup to use in the template.
No. You cannot substitute anything inside a <script> tag because the text inside a script tag is not treated as HTML. It's treated as plain text. If this was not done, you wouldn't be able to write JS code like if ( x < 42 ) because the less than would get treated as the beginning of a tag.

Node 5.6.0, Express 4.13.4, Jade 1.11.0 - How to render escaped string as HTML in template

A seemingly straightforward question I cannot seem to crack. I am retrieving escaped & sanitized html from a database and I want to unescape it and render it as html in Jade. I have seen this jade html escaped string question, but the answer is NOT what I want. In the answer to this question the tag is rendered as a string, and NOT as markup. I specifically want the escaped string to be rendered as markup. I have tried the following with the following results.
var escapedstring = '&lt;p&gt;Some Text&lt;/p&gt;';
In Jade...
1. div=escapedstring renders <div>&lt;p&gt;Some Text&lt;/p&gt;</div>
2. div!=escapedstring renders <div><p>Some Text</p></div>
3. div
     !{escapedstring}
   renders <div><p>Some Text</p></div>
4. div
     #{escapedstring}
   renders <div><<p>Some Text</p>><!--<p>Head Lease</p>--></div>
Using unescape(escapedstring) produces the same results. Can someone show me what I am doing wrong please?
TIA
For anyone else who comes here, this is what I did. Many thanks to stdob who commented. I have a module called viewhelpers which I add to the locals object globally as a property called vh so that it is available to the jade views. I then npm install a module called html-entities (https://www.npmjs.com/package/html-entities). Then in my viewhelpers I added these two lines..
var ent = require('html-entities').XmlEntities;
module.exports.decode = ent.decode;
Then in my view I can simply use
div!= vh.decode(tenancynote.note)
Hope this helps someone.
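An added example, not from the original post and not the html-entities package: a minimal XML-entity decoder standing in for `XmlEntities.decode`, plus the check a practitioner wants before handing the result to Jade's `!=`. Because `!=` outputs raw markup, the decoded string is only as safe as the sanitizer that ran before it was stored, and decoding more than once turns an author's escaped literal into live markup. Names and the sample rows are assumptions.

```javascript
// Added example, not from the original post or the html-entities package.
// A small XmlEntities-style decoder plus the "decode exactly once" check.
// Function names and the constructed rows are assumptions for illustration.

const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decodes &lt; &gt; &amp; &quot; &apos; and numeric (&#39; / &#x27;) entities.
// Unknown entities are left untouched.
function decodeXmlEntities(str) {
  return String(str).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// Constructed rows as they might sit in the database: escaped once.
// "nested" is an author who typed the literal text "&lt;script&gt;"; the
// sanitizer stored it escaped so it displays as text.
const stored = {
  plain: "&lt;p&gt;Some Text&lt;/p&gt;",
  nested: "&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;",
};

// What `div!= vh.decode(note)` produces: decode once, emit raw.
function renderNote(escaped) {
  return "<div>" + decodeXmlEntities(escaped) + "</div>";
}

// The pitfall: a second decode (for example a helper applied in both the
// model and the view) reintroduces markup the sanitizer never approved.
function doubleDecode(escaped) {
  return decodeXmlEntities(decodeXmlEntities(escaped));
}
```

If the decode lives in a view helper like `vh.decode`, make sure no model layer has already decoded the same field, otherwise the `nested` row above renders as a script element.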

xss bypassing angle brackets and double quotes escaping

Say I want to maliciously call a function which is already defined, myfunc().
How could I achieve an XSS attack bypassing double quote and angle bracket escaping?
<h2>Profile of INPUTNAME</h2><p>INPUT2</p>Homepage
(The upper case fields are user inputs)
How could I call myfunc() without adding the script tags around it?
(Un)fortunately it appears that XSS won't be possible in this instance.
If angle brackets and double quote characters are escaped, this is enough to prevent XSS in HTML body and double quoted entity value contexts.
Technically under the XSS Experimental Minimal Encoding Rules for HTML body, the & character should be encoded too, but I can't see a way here to use that to the attacker's advantage either in the HTML body or within the entity value.
The only exception to this is if the character set was specified as UTF-7 (or as the attacker you could change it to such) then you could use the following attack:
INPUTNAME = +ADw-script+AD4-myfunc()+ADw-/script+AD4-
this would be rendered as
<h2>Profile of <script>myfunc()</script></h2><p>INPUT2</p>Homepage
You can try these injections
INPUTNAME=<img src=X onerror=myfunc>
INPUTURL="><img src=X onerror=myfunc>
which will try to call the myfunc javascript function since it will fail to load the image named X
Try this injection: <a href="javascript:myFunc();">;
when someone clicks on the link, the code gets run.
If you want to pass string parameters, use slashes (like /string/ vs "string")
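An added example, not from the original post, that models the template in the question with an encoder escaping only `<`, `>`, `"` and `&` (the filter the question describes) and checks the payloads from the answers in each output context. It shows the first answer's point (body text and a double-quoted attribute are covered) and the gap the last answer's `javascript:` link points at: entity encoding does not touch a URL scheme, so an `href` needs a scheme allowlist as well. The `href` position of INPUTURL, the function names and the allowlist are assumptions for illustration.

```javascript
// Added example, not from the original post. Renders the page's template with
// the minimal encoder the question describes and runs the answers' payloads
// through each output context. Names and the href slot are assumptions.

function escapeHtmlMinimal(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Body text and a double-quoted attribute: escaping < > " & is enough here,
// which is the first answer's conclusion.
function renderProfile(name, bio, url) {
  return '<h2>Profile of ' + escapeHtmlMinimal(name) + '</h2>' +
    '<p>' + escapeHtmlMinimal(bio) + '</p>' +
    '<a href="' + escapeHtmlMinimal(url) + '">Homepage</a>';
}

// The gap: entity encoding leaves "javascript:" untouched inside href.
// A scheme allowlist rejects it; relative URLs have no scheme and pass.
function safeHref(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m && !["http", "https"].includes(m[1].toLowerCase())) {
    return "#"; // reject any scheme not on the allowlist
  }
  return escapeHtmlMinimal(url);
}

function renderProfileSafeHref(name, bio, url) {
  return '<h2>Profile of ' + escapeHtmlMinimal(name) + '</h2>' +
    '<p>' + escapeHtmlMinimal(bio) + '</p>' +
    '<a href="' + safeHref(url) + '">Homepage</a>';
}

// Constructed payloads, taken from the answers above.
const payloads = {
  img: "<img src=X onerror=myfunc>",
  breakout: '"><img src=X onerror=myfunc>',
  scheme: "javascript:myFunc();",
};
```

Note that this encoder does not touch `'`, so it would not protect a single-quoted attribute such as the `href='...'` in the first question on this page; the set of characters to escape follows from the context the value lands in, not from a fixed list.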

How to escape special characters from a markdown string?

I have a markdown file (utf8) that I am turning into a html file. My current setup is pretty straight forward (pseudo code):
var file = read(site.postLocation + '/in.md', 'utf8');
var escaped = marked( file );
write('out.html', escaped);
This works great, however I've now run into the issue where there are special characters in the markdown file (such as é) that will get messed up when viewed in a browser (é).
I've found a couple of npm modules that can convert html entities, however they all convert just about all convertable characters, including those required by the markdown syntax (for example '#' becomes '&num;' and '.' becomes '&period;') and the markdown parser will fail.
I've tried the libs entities and node-iconv.
I imagine this being a pretty standard problem. How can I only replace all strange letter characters without all the markdown required symbols?
As pointed out by hilarudeens I forgot to include meta charset html tag.
<meta charset="UTF-8" />
If you come across similar issues, I would suggest you check that first.
