AllowHtml, prevent JS script execution

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
I read about AllowHtml and ValidateInput.
I know that nopCommerce use these attributes to enable html values into some inputs.

I did some testing.
For example, in the admin area, product management, I tried to remove AllowHtml on the 'Name' attribute on the ProductModel class, and when I submit the page I receive an exception. Fine... I expected this result.

The question is about the normal functionality of this attribute.
Theoretically, in the 'Name' attribute I can insert a JS script and then post it.
I tried to do this. In the 'Name' I wrote
<scrip>alert('hello');</script>
then I submit the page and it worked (AllowHtml enables sending it). But... I didn't receive the alert on the page.
Is there some mechanism that blocks script execution during the post request?

Thank you
7 years ago
Please help me
7 years ago
davide.maggiulli wrote:
I read about AllowHtml and ValidateInput.
I know that nopCommerce use these attributes to enable html values into some inputs.

I did some testing.
For example, in the admin area, product management, I tried to remove AllowHtml on the 'Name' attribute on the ProductModel class, and when I submit the page I receive an exception. Fine... I expected this result.

The question is about the normal functionality of this attribute.
Theoretically, in the 'Name' attribute I can insert a JS script and then post it.
I tried to do this. In the 'Name' I wrote
<scrip>alert('hello');</script>
then I submit the page and it worked (AllowHtml enables sending it). But... I didn't receive the alert on the page.
Is there some mechanism that blocks script execution during the post request?

Thank you


Just a guess:

In your example above, there is an error in your script tag:
<scrip>alert('hello');</script>


should be

<script>alert('hello');</script>
7 years ago
Sure. It is only an error here on the forum...
7 years ago
Nobody ?
7 years ago
Hello,

The AllowHtml attribute is used only to allow you to store HTML content in the database without causing an ASP.NET exception.

The Razor view engine has built-in XSS protection. The product name is rendered as @Model.Name in your cshtml file. It means the HTML content will be escaped and you will see your script as a <script>...</script> tag.

You should change the cshtml file to use @Html.Raw(Model.Name). The Html.Raw helper does not escape the content and renders it as-is. Please keep in mind that Html.Raw adds risk to your project if somebody is able to add a malicious script to the database.
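To make the difference between the two rendering paths concrete, here is an added example (not code from nopCommerce or from the posters above) for ASP.NET MVC 5. It assumes Razor's `@` expression encodes with the same rules as `WebUtility.HtmlEncode`, and that `RenderEncoded`/`RenderRaw` are hypothetical helpers standing in for `@Model.Name` and `@Html.Raw(Model.Name)`.

```csharp
using System;
using System.Net;
using System.Web.Mvc; // AllowHtmlAttribute lives here in ASP.NET MVC 5

// The model property as the forum thread describes it. [AllowHtml] only tells
// request validation to accept markup on the way in; it has no effect on output.
public class ProductModel
{
    [AllowHtml]
    public string Name { get; set; }
}

public static class RenderDemo
{
    // Stand-in for `@Model.Name`: Razor HTML-encodes the value, so a stored
    // <script> tag is shown as text and never parsed as a script element.
    // (Assumption: encoding rules match WebUtility.HtmlEncode.)
    public static string RenderEncoded(string name) => WebUtility.HtmlEncode(name);

    // Stand-in for `@Html.Raw(Model.Name)`: the stored string goes to the page
    // verbatim, so anything that reached the database runs in the browser.
    public static string RenderRaw(string name) => name;

    public static void Main()
    {
        // Constructed sample input: the value the original poster typed into 'Name'.
        var model = new ProductModel { Name = "<script>alert('hello');</script>" };

        Console.WriteLine("@Model.Name renders:           " + RenderEncoded(model.Name));
        Console.WriteLine("@Html.Raw(Model.Name) renders: " + RenderRaw(model.Name));

        // Defender's check: the encoded form must not contain a live tag opener.
        bool encodedIsInert = !RenderEncoded(model.Name).Contains("<script");
        Console.WriteLine("Encoded output contains no executable tag: " + encodedIsInert);
    }
}
```

The takeaway for the thread: [AllowHtml] decides whether the markup is accepted and stored, while the view decides whether it is executed, so switching a view to Html.Raw turns every stored value into trusted page content.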
7 years ago
Just to summarize. ASP.NET MVC/Razor is doing a great job keeping your application safe. I think nopCommerce uses the [AllowHtml] attribute to allow business people to type special characters like '<' or '>' and not cause an error.