
safely handling a mix of markdown and html in rendering and storing
<p>I'm planning to use <a href="http://epiceditor.com/" rel="nofollow">EpicEditor</a> as an editor for a blog engine; my current stack is AngularJS, ServiceStack, and RavenDB. The issue here: I want to deliver both safe html and markdown markup to the data store and, of course, restore the actual representation when fetched. I want to preserve safe html tags and add some functions, to embed videos for example.</p>
<p>First trial used the following sequence:</p>
<ul>
<li>editing done</li>
<li>posted to the api</li>
<li>raw text from the editor is encoded and saved</li>
</ul>
<p>Now for displaying the edited data:</p>
<ul>
<li>fetch encoded string</li>
<li>return it as response</li>
<li>parse it with built-in parser (Marked.js)</li>
</ul>
<p>The previous process is broken, of course; for example, the <code>&lt;h1&gt;</code> tags are rendered to be displayed. This is mainly because of the <code>HttpUtility/WebUtility</code> way of handling the html encoding. It becomes difficult to distinguish what is to be displayed as <code>code</code>, for example, and what is to be rendered, like an embedded <code>&lt;iframe&gt;</code> for a video.</p>
<p>When I post some markdown/html markup like the following:</p>
<pre><code>#Hello, World

&gt;&gt;&gt; http://www.youtube.com/watch?v=Skl71urqKu0

&lt;iframe width="420" height="315" src="http://www.youtube.com/embed/veJZDANY6go" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;

&lt;h1&gt;huhuhu&lt;/h1&gt;

&lt;script&gt;alert("fail")&lt;/script&gt;

&lt;script&gt;alert("win")&lt;/script&gt;
</code></pre>
<p>This is what I get from my <code>WebUtility.HtmlEncode()</code>:</p>
<pre><code>{ "status": "#Hello, World\n\n&amp;gt;&amp;gt;&amp;gt; http://www.youtube.com/watch?v=Skl71urqKu0\n\n&amp;lt;iframe width=&amp;#39;420&amp;#39; height=&amp;#39;315&amp;#39; src=&amp;#39;http://www.youtube.com/embed/veJZDANY6go&amp;#39; frameborder=&amp;#39;0&amp;#39; allowfullscreen&amp;gt;&amp;lt;/iframe&amp;gt;\n\n&amp;lt;h1&amp;gt;huhuhu&amp;lt;/h1&amp;gt;\n\n&amp;lt;script&amp;gt;alert(&amp;#39;fail&amp;#39;)&amp;lt;/script&amp;gt;\n\n &amp;lt;script&amp;gt;alert(&amp;#39;win&amp;#39;)&amp;lt;/script&amp;gt;" }
</code></pre>
<p>The previous encoded string also breaks in terms of displaying the actual code: after parsing with <strong>Marked.js</strong> I get, for example, magically added <code>&amp;</code> in my XSS attempt, which even breaks the displaying of the code. For clarification, it would look like this:</p>
<pre><code>&lt;pre&gt;&lt;code&gt;&amp;amp;lt;script&amp;amp;gt;alert(&amp;amp;#39;win&amp;amp;#39;)&amp;amp;lt;/script&amp;amp;gt;&lt;/code&gt;&lt;/pre&gt;
</code></pre>
<p>I'm aware that there is the <strong><em>AntiXSS</em></strong> library that can sanitize the code, but does that make it completely safe to store in a database?</p>
<p>Also, I was thinking of parsing the actual links and building the embedding string on the server instead of allowing raw html to be handled; is this feasible?</p>
<p>Sorry for the lengthy post and thanks in advance!</p>
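<p>An added example, not code from the question, EpicEditor, Marked.js or ServiceStack, showing the ordering that avoids the double-encoding the question describes: keep the raw markdown in the store, render it, then run an allow-list sanitizer over the rendered HTML at output time. The sanitizer below parses with Python's standard-library <code>html.parser</code> rather than regexes, re-serialises only elements and attributes it knows, and rebuilds the video <code>&lt;iframe&gt;</code> on the server from a validated YouTube id (the second idea in the question), so none of the author's own iframe attributes reach the page. The tag and attribute lists are assumptions, and <code>RENDERED</code> is a constructed stand-in for a markdown renderer's output, not real Marked.js output.</p>

```python
"""Allow-list HTML sanitiser for rendered markdown (added example, not the
question's code). Assumptions: the allowed tag/attribute sets below, and
YouTube as the only permitted embed host."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "h1", "h2", "h3", "pre", "code", "em", "strong",
                "ul", "ol", "li", "a", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose text is dropped too (script/style would otherwise leak as text).
DROP_WITH_CONTENT = {"script", "style", "noscript", "object", "textarea", "title"}
# Elements that never have an end tag; a disallowed one is dropped on its own.
HTML_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
# Only these link schemes are emitted; anything else loses its href.
SAFE_HREF = re.compile(r"^(https?:|mailto:)", re.I)
# The only embed we accept: a YouTube embed URL with an 11-character video id.
EMBED_SRC = re.compile(r"^https?://(?:www\.)?youtube\.com/embed/([A-Za-z0-9_-]{11})$")


def youtube_embed(video_id: str) -> str:
    """Build the iframe ourselves; every attribute is a constant except the id."""
    return (f'<iframe width="420" height="315" '
            f'src="https://www.youtube.com/embed/{video_id}" '
            f'frameborder="0" allowfullscreen></iframe>')


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out = []
        self.skip = 0  # >0 while inside a dropped element (and its children)

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag not in HTML_VOID:
                self.skip += 1
            return
        if tag == "iframe":
            m = EMBED_SRC.match(dict(attrs).get("src") or "")
            if m:
                self.out.append(youtube_embed(m.group(1)))
            self.skip = 1  # the author's own iframe content is dropped either way
            return
        if tag in DROP_WITH_CONTENT:
            self.skip = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag but keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not SAFE_HREF.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip:
            if tag not in HTML_VOID:
                self.skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in HTML_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")


def sanitize(html: str) -> str:
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed stand-in for rendered markdown (not actual Marked.js output).
RENDERED = (
    "<h1>Hello, World</h1>\n"
    '<iframe width="420" height="315" src="http://www.youtube.com/embed/veJZDANY6go" '
    'frameborder="0" allowfullscreen></iframe>\n'
    "<h1>huhuhu</h1>\n"
    '<script>alert("fail")</script>\n'
    '<pre><code>&lt;script&gt;alert("win")&lt;/script&gt;</code></pre>\n'
    '<p><img src="http://example.invalid/pic.png">still here</p>\n'
)

if __name__ == "__main__":
    print(sanitize(RENDERED))
```

<p>Because the sanitizer runs on the rendered HTML, the entities Marked.js emits inside <code>&lt;pre&gt;&lt;code&gt;</code> are passed through once rather than encoded again, the live <code>&lt;script&gt;</code> disappears with its body, and the embed survives only because its id matched the validator. Unknown elements such as <code>&lt;div&gt;</code> are unwrapped rather than dropped, so ordinary text is not lost; the elements in <code>DROP_WITH_CONTENT</code> are the exception.</p>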