|
Because you're a sucker for punishment?
|
|
|
|
|
I am a little confused with the clue "Ground Zero" and the answer Toronto.
cheers,
Super
------------------------------------------
Too much of good is bad, mix some evil in it
|
|
|
|
|
super wrote: I am a little confused with the clue "Ground Zero" and the answer Toronto.
So am I. I had assumed that it was related to events 14 years less 2 days ago.
|
|
|
|
|
Ahhh.. I understand the potential source of confusion.
Personally, my wife was a nurse in Upstate New York when it happened; she was mobilized and sent there to assist with trauma. Because of that, we don't talk about it or really think about it... she'd rather not relive those memories.
|
|
|
|
|
Code Project is based out of Toronto, so Toronto is their ground zero.
|
|
|
|
|
Umm, I thought it was because most of Toronto(ians) believes it is the centre of the known universe
Ken
|
|
|
|
|
That might be... I've been there, but only for a season... never 'lived' there per se, and certainly not from there.
|
|
|
|
|
So not an actual programming question, but very much related to programming.
Maybe more of a rant something.
I'm working on a web project and I need to send some HTML back to the server, let's say "<p>HTML & ENCODING</p>"
So if I do that I get an error, potentially dangerous request... Fine.
How to fix this? I can disable the check, which isn't very safe.
I can escape the string so I get "&lt;p&gt;HTML &amp; ENCODING&lt;/p&gt;", but there's no standard function for that.
I found the JavaScript escape function, but that's deprecated.
I found encodeURI or something, but that's, as the name implies, not for HTML.
So we web developers are left with a string replace...
But what to replace? Some people say replace < and >, others say you really need to replace & too and then there's people who say ' and " need replacement.
And then there are (non-standard) libraries that replace just about everything (!, @, #, $, Hebrew, Chinese... etc.).
Why is there no standard function for this?
It's ridiculous as it's indeed as simple as a string replace, but not so simple to know exactly what to replace...
Am I missing something or is ECMA/ISO/Eich (whatever) missing something?
For now I'll just replace <, >, &, ' and ", but I won't enjoy doing it...
|
|
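The five-character replacement discussed in this thread, as an added example that is not code posted by any participant: a single-pass escape and its inverse, next to a chained replace that handles `&` last, to show why the order matters. The function names are hypothetical and the sample string is the one from the question.

```javascript
// Added example; names are hypothetical, not from any library.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(
  Object.entries(ESCAPES).map(([ch, entity]) => [entity, ch])
);

// One regex pass: every input character is examined exactly once, so an '&'
// emitted by an earlier replacement can never be escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Inverse of escapeHtml for the five entities it emits. Also single-pass, so
// "&amp;lt;" decodes to the literal text "&lt;" and not to "<".
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => UNESCAPES[e]);
}

// Chained string replace with '&' handled last: the '&' of the freshly
// written "&lt;" and "&gt;" is escaped again (double encoding).
function escapeHtmlWrongOrder(text) {
  return String(text)
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/&/g, '&amp;');
}

// Escaped values placed in element text and in a double-quoted attribute.
// Quotes must be escaped for the attribute case, which is why ' and " are
// in the table above.
function renderNote(title, body) {
  return '<p title="' + escapeHtml(title) + '">' + escapeHtml(body) + '</p>';
}

// Constructed sample input (the string from the question).
const sample = '<p>HTML & ENCODING</p>';
console.log(escapeHtml(sample));
console.log(escapeHtmlWrongOrder(sample));
console.log(renderNote('say "hi"', sample));
```

Output escaped this way is meant for element text and quoted attribute values; it is not sufficient inside script blocks, style blocks or URLs, which have their own encoding rules.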
|
|
|
In my opinion the cleanest way to do this is to disable the check.
You can disable it for a single control (.NET 4.5 +) or a single page if you don't want to disable it for everything.
The check is just there to prevent sending potentially malicious data to applications that don't need it (which probably covers most applications).
If you don't want to do that, I'd probably base64 encode the data.
|
|
|
|
|
Nicholas Marty wrote: If you don't want to do that, I'd probably base64 encode the data.
Smart, haven't seen that one yet
So far I've got five unofficial and zero official solutions to this problem
|
|
|
|
|
I think jQuery can help you there (and even though you had not asked a strictly programming question, I answer it as one)...
You can use a combination of text() and html() methods...
This will encode HTML (value):
return $('<div/>').text(value).html();
and this will decode:
return $('<div/>').html(value).text();
I left it for you to go and read the reference pages...
Skipper: We'll fix it.
Alex: Fix it? How you gonna fix this?
Skipper: Grit, spit and a whole lotta duct tape.
|
|
|
|
|
That helps and I just so happen to have jQuery available
|
|
|
|
|
Try
function htmlEncode( html ) {
    return document.createElement( 'a' ).appendChild(
        document.createTextNode( html ) ).parentNode.innerHTML;
};
for pure javascript.
|
|
|
|
|
That helps too, which is the fifth unofficial method to solving this problem
|
|
|
|
|
I would use one of the other methods though, this ugly piece I would use only as a last resort.
|
|
|
|
|
No ish about it, really
PooperPig - Coming Soon
|
|
|
|
|
I never asked for it to be solved as there are obviously multiple ways to go about it and I've mentioned two.
And then other people mentioned more.
It's more of a frustration rant about why there is no official standard solution for this problem
|
|
|
|
|
Do not make excuses! Stand against the wall!
|
|
|
|
|
"But, but..."
*POW!*
|
|
|
|
|
Kornfeld Eliyahu Peter wrote: Stand against the wall!
Ain't it a bit more hard punishment than the mistake he made?
|
|
|
|
|
Why is it so hard to stand against the wall?
(Is it my imagination, or did you hear some gunshots? There was nothing... )
|
|
|
|
|
I was actually relating the Lounge with the classroom where the teacher orders the poor student to stand against the wall (as a punishment)
Kornfeld Eliyahu Peter wrote: or you heard some gunshots
I actually heard the laughter of the classmates upon the punishment.
|
|
|
|
|
Consider why this is a difficult thing to do with no standard solution.
It is because it is an odd thing to do.
That sounded very rude so I hope you are still with me. (I'm really not trying to be rude, just direct.)
What I mean is that you are posting the data (expected) and the template (unexpected).
Here, by template, I mean HTML.
HTML is really just a template.
I'm on the outside of your solution so I immediately think, "Why? Why is Sander posting HTML, when the HTML (template) should be described at the server side? Why would he post HTML when that is surely described on the server side? Since it is on the server side, the server doesn't need the template data posted since it already has it."
The only reason I can figure is that you are allowing users to post markup for their posts something like you can do here in this forum. Is that it?
If it is, then this will always be a challenge, because now you actually have to become an HTML parser because now instead of allowing a browser to handle the __template__ you have to pull out the bytes which represent the __template__ and separate them from the bytes which are the data.
Well, I'm not offering much of a solution, but possibly a different take on what is really going on.
I think separation of concerns leads us to think more clearly about each piece of a solution.
Hopefully I've added something to this discussion.
|
|
|
|
|
Yeah, thanks. You're right.
It is an odd thing to do.
And indeed the user can add markup to stuff.
Ultimately I've just disabled the check, since it's an internal intranet application and the customer has explicitly asked to be able to do HTML markup.
I leave it to them to not use script tags and that kind of stuff.
I've already secured it a bit with an HTML editor that translates <> typed by the user to &lt;&gt; so it ain't that bad
Just don't hack the browser or post HTTP requests directly.
Although that can be considered bad intent and cost employees their job and who knows more (which still doesn't make the data right though).
|
|
|
|
|
You could do a check to disallow any scripting, etc. Let "normal" HTML through, but remove any 'dangerous' tags.
|
|
|
|