asp.net - How should I store comments in a database so that I can efficiently display them on a page as HTML text?


I have a form where the user enters multiple lines of text in a textarea. Some of the lines can have HTML markup as well, e.g. one line bold.

How should I save this text in the database? Should I store it like this?

    this is a great post <br/> I love this type of findings. <br/> <br/> Thanks for sharing

or like this?

    this is a great post &lt;br/&gt; I love this type of findings. &lt;br/&gt; &lt;br/&gt; Thanks for sharing

During editing: I must show the text as it was entered. The line breaks have to be replaced with new lines in such a way that the user sees there is a line break; the textarea won't understand the br markup.

During displaying: I must render the text so that it appears on the page as:

    this is a great post
    I love this type of findings.

    Thanks for sharing

I want to know the cleanest way to store text that can have markup in it.

Thanks for the help.

Since you want to output HTML, you have to store the input in its raw format in the database. There is one catch though. You should never trust input, since input is evil; in this case, since you are outputting the HTML directly as it was inputted, this opens up the possibility of a cross-site scripting (XSS) attack.

You have got two options:

  1. Use an HTML sanitizer that lets you remove all tags that are not known to be safe. One such sanitizer comes with the Microsoft AntiXSS toolkit.

  2. Encode the input, and decode the parts of the result that are known to be safe, for instance:

    using Microsoft.Security.Application;

    // Tags that are allowed to survive the encoding step.
    private static readonly string[] safeList = { "<br/>", "<b>", "</b>", "<i>", "</i>" };

    public static string EncodeInputWithSafeList(string unsafeInput)
    {
        // First: encode the complete input.
        string safeInput = Encoder.HtmlEncode(unsafeInput);

        // Next: decode each tag that is known to be safe.
        foreach (string safeTag in safeList)
        {
            string encodedTag = Encoder.HtmlEncode(safeTag, false);
            safeInput = safeInput.Replace(encodedTag, safeTag);
        }

        return safeInput;
    }

Note: this example uses the Encoder class from the Microsoft AntiXSS toolkit.

Now the question becomes: at which point should you clean up? You should encode the output before you send it to the client, and not store it encoded in the database, since it depends on the output type (HTML, PDF, JSON) how the data should be encoded. This is amplified by the fact that, in case there is a bug in the encoder, there is no way to fix it, since the data is already encoded.

In your case it is a bit more tricky though, since the input is HTML and not plain text. Sanitizing is still something you want to do beforehand, because that is the way to prevent bad input from entering the database. The EncodeInputWithSafeList method is a bit tricky, because it is both a sanitizer and an encoder. When you run it before the data goes into the database, it prevents the output from changing when you change the safe list. This can be both a good thing and a bad thing: when you add new tags to the safe list, you wouldn't want the old data to change. In your case I would go for input encoding, instead of output encoding.

When you go for input encoding, name the database column in such a way that it is clear we're dealing with sanitized, encoded data.
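The round trip the answer describes (encode everything, restore only the exact safelisted tags, store the result, then feed it back to the textarea for editing), as an added example written in Python with the standard-library html.escape; it is not the answerer's C# code, and the function names and the sample submission are constructed for the illustration.

```python
import html

# Mirrors the answer's safelist: only these exact tags survive encoding.
SAFE_TAGS = ("<br/>", "<b>", "</b>", "<i>", "</i>")


def encode_input_with_safelist(unsafe_input: str) -> str:
    """Encode the whole input, then restore only exact safelisted tags.

    A tag carrying attributes (<b onclick=...>) never matches an entry,
    so it stays encoded and renders as harmless text.
    """
    safe_input = html.escape(unsafe_input, quote=True)
    for tag in SAFE_TAGS:
        safe_input = safe_input.replace(html.escape(tag, quote=True), tag)
    return safe_input


def prepare_for_storage(textarea_text: str) -> str:
    """Textarea submission -> value for the sanitized, encoded DB column.

    Line breaks become <br/> before encoding so the safelist restores them.
    """
    normalized = textarea_text.replace("\r\n", "\n").replace("\n", "<br/>")
    return encode_input_with_safelist(normalized)


def prepare_for_textarea(stored: str) -> str:
    """Stored value -> text placed between <textarea> tags for editing.

    <br/> turns back into newlines; everything else is already HTML-encoded,
    so the browser shows the user's literal text (safe tags included)
    instead of interpreting it as markup.
    """
    return stored.replace("<br/>", "\n")


def prepare_for_display(stored: str) -> str:
    """Stored value -> HTML fragment; input encoding means no second pass."""
    return stored


if __name__ == "__main__":
    # Constructed sample: markup, a line break and an injected script tag.
    submitted = 'this is a <b>great</b> post\n<script>alert("xss")</script>'
    stored = prepare_for_storage(submitted)
    print(stored)
    print(prepare_for_textarea(stored))
```

Running it shows the `<b>` and the line break surviving while the script tag is stored and displayed as encoded text only.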

