This repository was archived by the owner on Jul 10, 2024. It is now read-only.

Commit 36146a9

Remove random XSS code
1 parent 1440e72 commit 36146a9

File tree

1 file changed: +2 / -29 lines


docs/3. Add front-end, render agenda, set up front-end models.md

Lines changed: 2 additions & 29 deletions
@@ -364,11 +364,6 @@ In this session, we'll add the front end web site, with a public (anonymous) hom
364364

365365
DayOffset = Session.StartTime?.Subtract(startDate ?? DateTimeOffset.MinValue).Days;
366366

367-
if (!string.IsNullOrEmpty(Session.Abstract))
368-
{
369-
Session.Abstract = "<p>" + String.Join("</p><p>", Session.Abstract.Split("\r\n", StringSplitOptions.RemoveEmptyEntries)) + "</p>";
370-
}
371-
372367
return Page();
373368
}
374369
```
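Review bot: Deleting this block also deletes the `if (!string.IsNullOrEmpty(Session.Abstract))` guard, so `OnGet()` now hands the view a `Session.Abstract` that may be null or empty, and nothing in the remaining page-model code checks for that; whichever view code consumes the abstract has to carry that check itself. Removing the concatenation is the right call (building `"<p>" + ... + "</p>"` around unencoded text in the page model is exactly what forced the view to use `@Html.Raw`), but the walkthrough text above this snippet should say in one sentence that the abstract is no longer pre-rendered as HTML here, otherwise readers following the earlier steps of the doc will keep the old assignment.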
@@ -391,31 +386,9 @@ In this session, we'll add the front end web site, with a public (anonymous) hom
391386
<em><a asp-page="Speaker" asp-route-id="@speaker.ID">@speaker.Name</a></em>
392387
}
393388

394-
<p>@Html.Raw(Model.Session.Abstract)</p>
395-
```
396-
397-
## HTML Encoding the Session Abstract
398-
Currently, the *Session* Abstract is displayed using `@Html.Raw()`. This makes it vulnerable to Cross-Site Scripting (XSS) and Injection Attacks, since an abstract could contain JavaScript. We'll update `Session.cshtml.cs` to HTML encode the Abstract to protect against these attacks.
399-
400-
1. Add an `HtmlEncoder` field to the `SessionModel` using the following code:
401-
```csharp
402-
private readonly HtmlEncoder _htmlEncoder;
403-
```
404-
1. Update the `SessionModel` constructor to inject an `HtmlEncoder`:
405-
```csharp
406-
public SessionModel(IApiClient apiClient, HtmlEncoder htmlEncoder)
407-
{
408-
_apiClient = apiClient;
409-
_htmlEncoder = htmlEncoder;
410-
}
411-
```
412-
1. Update the section of the `OnGet()` method that handles `Session.Abstract` to encode the output.
413-
```csharp
414-
if (!string.IsNullOrEmpty(Session.Abstract))
389+
@foreach (var para in Model.Session.Abstract.Split("\r\n", StringSplitOptions.RemoveEmptyEntries))
415390
{
416-
var encodedCrLf = _htmlEncoder.Encode("\r\n");
417-
var encodedAbstract = _htmlEncoder.Encode(Session.Abstract);
418-
Session.Abstract = "<p>" + String.Join("</p><p>", encodedAbstract.Split(encodedCrLf, StringSplitOptions.RemoveEmptyEntries)) + "</p>";
391+
<p>@para</p>
419392
}
420393
```
421394

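Review bot: The added `@foreach (var para in Model.Session.Abstract.Split("\r\n", StringSplitOptions.RemoveEmptyEntries))` dereferences `Model.Session.Abstract` unconditionally, while the guard it replaces in the page model (`if (!string.IsNullOrEmpty(Session.Abstract))`) was the only null check; a session without an abstract will now throw a NullReferenceException while rendering. Wrap the loop in `@if (!string.IsNullOrEmpty(Model.Session.Abstract)) { ... }` or use `Model.Session.Abstract?.Split(...) ?? Array.Empty<string>()`. The fix itself is sound: `@para` inside `<p>` is HTML-encoded by Razor, so the XSS exposure from `<p>@Html.Raw(Model.Session.Abstract)</p>` is gone without needing the injected `HtmlEncoder`. But this hunk deletes the whole "HTML Encoding the Session Abstract" section without leaving a replacement sentence, so the doc no longer tells the reader why `@Html.Raw` was dropped or that `@para` encodes for them; one line after the snippet covering that would keep the security lesson in the tutorial. Minor, and inherited from the removed code: splitting only on `"\r\n"` leaves an LF-only abstract as a single paragraph; `Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries)` handles both.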