rickstrahl / westwind.aspnetcore
ASP.NET Core Helpers and Utilities
License: MIT License
It appears the markdown component is exposing cross-site scripting vulnerabilities.
When the following text is placed inside the tag, the text is being rendered as script.
Recycleablequp97<ScRiPt>alert(1)</ScRiPt>qgxsv
When the markdown tag is not used, it is rendered as text by .net:
Recycleablequp97<ScRiPt>alert(1)</ScRiPt>qgxsv
I have read the closed issue on this, but I feel like the markdown component should not be undoing the default behavior for rendering script tags.
I'm using .net core 2.1.2
Hi there,
Does the WebUtils.SetUserLocale function work with the Asp.Net Core version?
It works perfectly if I change my browser language, or if I add the culture= in the query string, but not if I specify the culture and UI culture (these are both strings). I'm trying to persist this using a simple cookie.
WebUtils.SetUserLocale(culture, culture, null, true, null, HttpContext);
Thanks,
David
Hi, we're using your library over at csharpfritz/CoreWiki#144 to render wiki content and comments, but we appear to be having an issue with XSS.
Is this something that can be fixed in the library, or something we have to update on our end when using the <markdown> tag?
How we're using the library:
https://github.com/csharpfritz/CoreWiki/blob/dev/CoreWiki/Pages/Details.cshtml#L19
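The two reports above both boil down to the same thing: raw HTML inside user-supplied markdown reaching the browser unescaped. The following is an added example, not code from Westwind.AspNetCore or from CoreWiki, showing the defensive setting at the parser level. It assumes the Markdig package is referenced (the parser the Westwind markdown helpers build on); the class name `SafeMarkdown` and the sample input are constructed for this illustration.

```csharp
// Added example (not Westwind.AspNetCore code). Assumes the Markdig NuGet package.
using System;
using Markdig;

public static class SafeMarkdown
{
    // DisableHtml() turns off Markdig's HTML block/inline parsing. Anything that
    // looks like a tag in the input is then treated as literal text, and the
    // HTML renderer encodes '<', '>' and '&' on output.
    private static readonly MarkdownPipeline UntrustedPipeline =
        new MarkdownPipelineBuilder()
            .UseAdvancedExtensions()
            .DisableHtml()
            .Build();

    // Render markdown that came from an untrusted source (comments, wiki edits).
    public static string RenderUntrusted(string markdown)
    {
        return Markdown.ToHtml(markdown ?? string.Empty, UntrustedPipeline);
    }

    // Simple post-render check: no raw script element may survive, whatever
    // the casing of the tag name.
    public static bool ContainsRawScriptTag(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed sample input, same shape as the probe quoted in the issue.
        var input = "Some *text* <ScRiPt>alert(1)</ScRiPt> more text";

        var html = RenderUntrusted(input);
        Console.WriteLine(html);

        if (ContainsRawScriptTag(html))
            throw new InvalidOperationException("raw script tag leaked into rendered HTML");
    }
}
```

The trade-off is that `DisableHtml()` also rejects legitimate inline HTML an author might want, so it belongs on pipelines that render content from anonymous or low-trust users, not on the one used for your own pages. It only covers tags embedded in the markdown; it does not sanitize link destinations, so for untrusted input the rendered HTML should still pass through an HTML sanitizer before it is written into a view.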
For a project I need to be able to generate AMP as well as "normal" HTML pages. I'm using your library at the moment, works great thanks!
I was wondering if there is any way to change the renderer used by Markdown.ParseHtmlString to a custom one so that I can generate AMP-specific html?
I was looking into ways of adding and removing headers from my ASP.NET Core application. It's an API so there is no UI to it. After looking around I worked out that using the middleware technique to add and remove headers is probably the best as I need to include information in every response. I used the techniques in the CustomMiddleware.cs class and added code to the Startup.Configure method. Adding headers seems to work so for example:
opt.HeadersToAdd.Add("X-API-Version", sVersionString);
opt.HeadersToAdd.Add("X-ClientCommand", sCommandToExecute);
However, removing doesn't remove the headers. Any thoughts? It's not overly important to remove these, but I like to remove some things just to make the response cleaner.
opt.HeadersToRemove.Add("X-Powered-By");
opt.HeadersToRemove.Add("x-aspnet-version");
opt.HeadersToRemove.Add("Server");
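As an added example (not the repository's CustomMiddleware.cs and not its `HeadersToAdd`/`HeadersToRemove` options), here is plain ASP.NET Core middleware that adds and removes response headers. The class name `ResponseHeadersMiddleware` and the header values are constructed for the illustration. The important detail for the removal question is timing: headers are edited inside `Response.OnStarting`, which runs immediately before the response headers are flushed, so a later component cannot re-add them.

```csharp
// Added example, not code from Westwind.AspNetCore.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class ResponseHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public ResponseHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting callbacks run just before the headers are written to the
        // wire, after MVC and any downstream middleware have finished with them.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // Headers to add (constructed sample values).
            headers["X-API-Version"] = "1.0.0";
            headers["X-ClientCommand"] = "refresh";

            // Headers to remove. Remove() is a no-op if the header is absent.
            headers.Remove("X-Powered-By");
            headers.Remove("x-aspnet-version");
            headers.Remove("Server");

            return Task.CompletedTask;
        });

        return _next(context);
    }
}

// Registration, in Startup.Configure, before app.UseMvc():
//     app.UseMiddleware<ResponseHeadersMiddleware>();
```

Two of the headers in the question are not set by the application pipeline at all, which is why removing them in middleware appears to do nothing. Kestrel writes `Server: Kestrel` when it serializes the headers, after `OnStarting` has run; the supported way to drop it is `options.AddServerHeader = false` in the `UseKestrel(...)` configuration of the web host. `X-Powered-By` is added by IIS when the app is hosted behind it and is removed in `web.config` under `system.webServer/httpProtocol/customHeaders` with a `<remove name="X-Powered-By" />` element.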
I have a subsite under my domain and now when I try to navigate to its landing page I get this error:
An unhandled exception has occurred while executing the request. System.ArgumentOutOfRangeException: startIndex cannot be larger than length of string. Parameter name: startIndex
at System.String.Substring(Int32 startIndex, Int32 length)
at Westwind.AspNetCore.Markdown.MarkdownPageProcessorMiddleware.InvokeAsync(HttpContext context)
at Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)
If I add a trailing slash then the page works correctly.
https://myweb.com/subsite - doesn't work
https://myweb.com/subsite/ - this works (hits the home controller and displays the index page)
Any clues?
Thanks.
Please add some licence.
I don't know what I can do with your helpers (and I really want to dig in your MarkdownTagHelper).
Would be great if this was dependent upon netstandard2.0 rather than netcoreapp2.0, some of us are still using full framework for web apps.
I'd be happy to submit a pull request for this... I note that the latest version of this repo currently has a compilation issue however.