razorengine - ASP.NET Razor templates editable by users - remove @ for security reasons -

-

i made multi-user blog engine uses great asp.net razor template engine.

users able edit page templates , compose them custom tags {{blog_post_name}} {{blog_post_comments_list}}

then tags {{...}} replaced using regex appropriate razor code.

all usage of razor syntax done inside {{...}} custom tags not editable users.

so user can edit blog post templates beside custom {{...}} tags composed from.

what way restrict razor syntax in user defined templates?

i don't want user @(viewmodel.db.dropalltables()) inside template of blog post, must have access @(something...) inside tags not editable users.

as now, before user saves template remove @ user edited template , replace tags razor content.

but users can @viewmodel.something , still calls razor logic...

i'm thinking of removing @ symbols user template prevent it, not allow user css @media-queries , use email@addresses.com in template.

last thing did - changed regex finds symbols delete user templates (@+\b)|(\b@+\b)

that regex finds @ remove from: '@abc '@' @abc bcd@ abc@(for)

but keeps for: abc@abc

maybe forgot other possible usages of razor @

what can suggest in order have user-defined templates secured , allow razor syntax used inside tag content only?

update: razorengine used.

do use asp.net or razorengine? applied both tags questions i'm assuming using razorengine , answer question:

i suggest allow , apply runtime restrictions via code-access-security , isolated appdomain (this still has drawbacks: users can occupy resources, fix require process level isolation). can use razorengine isolation api this: https://antaris.github.io/razorengine/isolation.html

in case of asp.net can same, on own , need take care of cross-domain communication yourself.

matthid - razorengine contributor


Comments

Post a Comment

Popular posts from this blog

Java 3D LWJGL collision -

-
i making 3d java game lwjgl library, , wondering how add collision detection, player not go through models. i using obj models. here objloader class, loads models: package renderengine; import java.io.bufferedreader; import java.io.file; import java.io.filenotfoundexception; import java.io.filereader; import java.util.arraylist; import java.util.list; import models.rawmodel; import org.lwjgl.util.vector.vector2f; import org.lwjgl.util.vector.vector3f; public class objloader { public static rawmodel loadobjmodel(string filename, loader loader){ filereader fr = null; try { fr = new filereader(new file("res/"+filename+".obj")); } catch (filenotfoundexception e) { system.err.println("couldn't load file!"); e.printstacktrace(); } bufferedreader reader = new bufferedreader(fr); string line; list<vector3f> vertices = new arraylist<vector3f...
Read more

methods - python can't use function in submodule -

-
my folder structure this: pythonstuff/ program.py modulea/ __init__.py foo.py bar.py here's code bar.py : def hello(): print("hello, world!") here's code program.py : #!/usr/bin/env python3 modulea import bar bar.hello() i run $ python3 program.py somehow error: file "program.py", line 3, in <module> bar.hello() attributeerror: 'module' object has no attribute 'hello' edit: __init__.py file empty. edit2: after trying realized had bar.py in root directory contained hello() method. bar.py in modulea/ directory empty. add it import os __all__ = [] module in os.listdir(os.path.dirname(__file__)): if module != '__init__.py' , module[-3:] == '.py': __all__.append(module[:-3]) the init .py files required make python treat directories containing packages; done prevent directories common name, such string, unintentionally hiding v...
Read more

c# - ErrorThe type or namespace name 'AxWMPLib' could not be found (are you missing a using directive or an assembly reference?) -

-
what possible reference handler axwmplib._wmpocxevents_playstatechangeeventhandler ? when pass event in method, private void axwindowsmediaplayer1_playstatechange(object sender,axwmplib._wmpocxevents_playstatechangeevent e) compiling throws following error: the type or namespace name 'axwmplib' not found (are missing using directive or assembly reference?) if using visual studio make sure have axwmplib listed under references in solution explorer. if have embedded windows media player control in form, should have been added automatically along wmplib . an easy way add these libraries if missing add windows media player control form (an existing 1 do). right-click on toolbox , pick "choose items..." context menu, tick "windows media player" control on "com components" tab , click ok. should have little windows media player icon attached cursor; click on form add it. add axwmplib , wmplib references solution. can delete w...
Read more