@OwainWilliams
Last active May 22, 2020 10:02
Is this safe?

PageData will contain the contents of a div, so there will be HTML within it. I've disabled ValidateInput to allow for 'potentially dangerous' data.

using System.Web.Mvc;   // MVC's HttpPost and ValidateInput attributes
using Rotativa;
using Umbraco.Core;     // string.IsNullOrWhiteSpace() extension method
using Umbraco.Web.Mvc;  // SurfaceController

public class PDFController : SurfaceController
{
    // HttpPost must be the System.Web.Mvc attribute: MVC's action selector ignores
    // System.Web.Http.HttpPost, so the action would also have answered GET requests.
    // ValidateInput(false) switches off request validation for every value in the
    // request, not just PageData.
    [HttpPost, ValidateInput(false)]
    public ActionResult GeneratePDF(string fileName)
    {
        // Inner HTML of the div posted by the page; read here but not used yet.
        var PDFMeContent = Request.Form["PageData"];
        var xpath = Umbraco.ContentSingleAtXPath("//pDFTemplate");

        // Umbraco.Core supplies the IsNullOrWhiteSpace extension method.
        if (fileName.IsNullOrWhiteSpace())
        {
            fileName = "OwainCodes.PDF";
        }

        // Currently renders a fixed URL; the posted HTML and the template are not used yet.
        return new UrlAsPdf("https://www.owain.codes")
        {
            FileName = fileName
        };
    }
}
 

NikRimington commented May 22, 2020

IIRC correctly, it would be better to change your action to receive the full model, and then on the model allow "allow html" on only that single property rather than on the whole method. Anything that can receive HTML is a potential risk, so you need to be careful IIRC.

https://www.dotnettricks.com/learn/mvc/html-submission-by-validateinput-and-allowhtml-attribute-in-mvc4 << this is a reasonable explanation.

And another one https://www.jitbit.com/alexblog/273-aspnet-mvc-allowing-html-for-particular-action-parameters/
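The model-bound version of the action that this comment describes, written here as an added example (it is not code from the gist, nor from Umbraco or Rotativa); the model class name GeneratePdfModel, the [Required] rule on FileName and the 400 response for an invalid model are assumptions:

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Rotativa;
using Umbraco.Core;      // string.IsNullOrWhiteSpace() extension method
using Umbraco.Web.Mvc;   // SurfaceController

// Hypothetical view model bound from the POSTed form. Only PageData opts out of
// ASP.NET request validation; FileName is still checked as usual.
public class GeneratePdfModel
{
    [Required]
    public string FileName { get; set; }

    // [AllowHtml] suppresses request validation for this one property, so the
    // posted "<div>...</div>" no longer trips the 'potentially dangerous' error.
    [AllowHtml]
    public string PageData { get; set; }
}

public class PDFController : SurfaceController
{
    // No [ValidateInput(false)] here: every other field in the request stays validated.
    [HttpPost]
    public ActionResult GeneratePDF(GeneratePdfModel model)
    {
        if (model == null || !ModelState.IsValid)
        {
            return new HttpStatusCodeResult(400);
        }

        var fileName = model.FileName.IsNullOrWhiteSpace()
            ? "OwainCodes.PDF"
            : model.FileName;

        // model.PageData is still untrusted HTML: [AllowHtml] only skipped request
        // validation, it did not sanitise anything. Encode or sanitise it before it is
        // ever rendered back to a browser.
        return new UrlAsPdf("https://www.owain.codes")
        {
            FileName = fileName
        };
    }
}
```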
