Merge pull request #83 from pranavkm/patch-1

spboyer · web-flow · commit dedda796f5db · 2019-05-01T11:36:43.000-04:00
Remove random XSS code
diff --git a/docs/3. Add front-end, render agenda, set up front-end models.md b/docs/3. Add front-end, render agenda, set up front-end models.md
@@ -364,13 +364,9 @@ In this session, we'll add the front end web site, with a public (anonymous) hom
 
        DayOffset = Session.StartTime?.Subtract(startDate ?? DateTimeOffset.MinValue).Days;
 
-       if (!string.IsNullOrEmpty(Session.Abstract))
-       {
-           Session.Abstract = "<p>" + String.Join("</p><p>", Session.Abstract.Split("\r\n", StringSplitOptions.RemoveEmptyEntries)) + "</p>";
-       }
+        return Page();
+    }
 
-       return Page();
-   }
    ```
 1. Open the *Session.cshtml* file and add markup to display the details and navigation UI:
    ``` html
@@ -391,32 +387,10 @@ In this session, we'll add the front end web site, with a public (anonymous) hom
        <em><a asp-page="Speaker" asp-route-id="@speaker.ID">@speaker.Name</a></em>
    }
 
-   <p>@Html.Raw(Model.Session.Abstract)</p>
-   ```
-
-## HTML Encoding the Session Abstract
-Currently, the *Session* Abstract is displayed using `@Html.Raw()`. This makes it vulnerable to Cross-Site Scripting (XSS) and Injection Attacks, since an abstract could contain JavaScript. We'll update `Session.cshtml.cs` to HTML encode the Abstract to protect against these attacks.
-
-1. Add an `HtmlEncoder` field to the `SessionModel` using the following code:
-   ```csharp
-   private readonly HtmlEncoder _htmlEncoder;
-   ```
-1. Update the `SessionModel` constructor to inject an `HtmlEncoder`:
-   ```csharp
-   public SessionModel(IApiClient apiClient, HtmlEncoder htmlEncoder)
-   {
-       _apiClient = apiClient;
-       _htmlEncoder = htmlEncoder;
-   }
-   ```
-1. Update the section of the `OnGet()` method that handles `Session.Abstract` to encode the output.
-   ```csharp
-   if (!string.IsNullOrEmpty(Session.Abstract))
-   {
-       var encodedCrLf = _htmlEncoder.Encode("\r\n");
-       var encodedAbstract = _htmlEncoder.Encode(Session.Abstract);
-       Session.Abstract = "<p>" + String.Join("</p><p>", encodedAbstract.Split(encodedCrLf, StringSplitOptions.RemoveEmptyEntries)) + "</p>";
-   }
+    @foreach (var para in Model.Session.Abstract.Split("\r\n", StringSplitOptions.RemoveEmptyEntries))
+    {
+       <p>@para</p>
+    }
    ```
 
 ## Add a page to show speaker details
