
I am using VS 2012 and MVC 4. I am creating a simple CMS, so the content of my pages will be dynamically updated from C# code. (The content of each page, with markup, will be saved in the database.)

The thing I don't know is how to update @RenderBody or @RenderSection from code (from a C# controller)?

Example:

I have a master page:

MVC 4 master page

I have a content page that is derived from that master page:

MVC 4 content page

I want to get all that content from C# code. The reason for this is that my content will be in the database and there's going to be a lot of pages, so content will change dynamically, depending on search conditions (I am creating a simple knowledge base, so users will be able to bold text, change text size and so on).

EDIT Thanks for pointing out that I haven't asked precisely enough - I am fetching content (which includes some HTML markup) from the database, not the HTML for my pages. Example: MVC 4 Razor engine - content like this will be in the database.

  • *The reason for this is that my HTML will be in the database* Noooooooooooooooo – ta.speot.is Jul 19 '13 at 22:12
  • What is wrong here? How can I save distinctive HTML pages other than in the DB with all the markup included? – FrenkyB Jul 19 '13 at 22:17
  • Not so sure on this .... You can expose a property and set your HTML ... Render that property as raw HTML .... – Rameez Ahmed Sayad Jul 19 '13 at 22:19
  • If you store the HTML in your database, you'll have a difficult time updating any HTML later on. Why not just save the data needed in the DB and generate HTML on the fly by reading the page data from the database. This is usually how it's done. This lets you update HTML later or change themes, etc. – Matt Houser Jul 19 '13 at 22:20
  • Will this work [Is it possible to display raw Html from database in ASP.NET MVC 3?](http://stackoverflow.com/questions/4798334/is-it-possible-to-display-raw-html-from-database-in-asp-net-mvc-3) – Rameez Ahmed Sayad Jul 19 '13 at 22:21
  • With HTML I mean each particular page's content (I guess I wasn't clear with my question). If the user types in: "MVC 4 Razor engine" I have to save the markup with the text. That's what I meant, not the page's HTML. – FrenkyB Jul 19 '13 at 22:23
  • Then you can use `@Html.Raw(...)` to output your raw HTML in your view. However, be careful because malicious HTML can be inserted into your database, which can then be sent to unsuspecting clients. – Matt Houser Jul 19 '13 at 22:25
  • User types in... AntiXSS!!! – Rameez Ahmed Sayad Jul 19 '13 at 22:26
  • Why does your database content include Razor syntax? Why do you need that too? – Matt Houser Jul 19 '13 at 22:29
  • @Rameez - how else can I save markup and content? Content on Stack Overflow is also saved in the database, correct? – FrenkyB Jul 19 '13 at 22:29
  • The difference is that SO content is not direct HTML markup. It's special markup that is processed on output and converted to HTML. – Matt Houser Jul 19 '13 at 22:30
  • @Matt - the database content does not include Razor syntax, just some HTML markup. Something similar to how this forum is built. – FrenkyB Jul 19 '13 at 22:31
  • Oh ... you mean you'll just show them as [!CDATA ... ] on screen and not really part of your HTML ... – Rameez Ahmed Sayad Jul 19 '13 at 22:33
  • @Rameez - the user will have the possibility to bold text, change the size and color of the text and add some images. I really didn't think of possible attacks. – FrenkyB Jul 19 '13 at 22:36
  • No. On SO, you use `**text**` to denote bold. You don't use `<b>` tags. But when SO outputs to your browser, it converts the `**text**` to `<b>text</b>`. In your db, you store `**text**`. – Matt Houser Jul 19 '13 at 22:36
  • @MattHouser my previous comment was for user867703 and I know what you're trying to say is create a layer, a custom implementation to prevent all the possible attacks. Thanks – Rameez Ahmed Sayad Jul 19 '13 at 22:37
  • @Matt - Is the SO content made this way to prevent XSS attacks? – FrenkyB Jul 19 '13 at 22:38
  • Yes. It's called 'markdown'. It's also done this way to make the non-HTML version more readable. See http://aspnetresources.com/blog/markdown_announced for a C# markdown engine example. – Matt Houser Jul 19 '13 at 22:40
  • Another reason is so that the HTML being sent to the browser is guaranteed to be valid HTML. A user could just input `<b>something` and the entire rest of your page is now bold. – Matt Houser Jul 19 '13 at 22:41
  • Updated URL http://blog.stackoverflow.com/2009/12/introducing-markdownsharp/ – Matt Houser Jul 19 '13 at 22:42
  • OK, but I can still type `<b>` manually or any other HTML in the text. What happens with this text? If I edit my question and type `<b>`, everything is bold, so the HTML is interpreted. – FrenkyB Jul 19 '13 at 22:46
  • SO strips out any `<>` tags. – Matt Houser Jul 20 '13 at 01:49

1 Answer

If you have content in your database that you want to output, then you would retrieve it from your database and pass it to your view just as a string, just like any other string that would be passed to the view.

Normally, if you output a string in your view, the Razor engine will interpret it and encode it so that it is "safe" for the client. So if your string was `<b>text</b>`, it would actually send `&lt;b&gt;text&lt;/b&gt;`. This will be interpreted by your browser and will actually display to you `<b>text</b>`.

Instead, you want the engine to not encode the string. To do this, you would use Html.Raw(...) like this:

@Html.Raw(Model.MyContentFromMyDatabase)

The problem with this is that it will send HTML (for good or for bad) to the client.

If the HTML is malformed, then your page may not display correctly. For example:

<b>text

will make the text bold, and everything else after it on the page will be bold too.

If the HTML has malicious code, such as a <script> tag, then that malicious code would execute on the client.

This is why the razor engine encodes things by default: to ensure things are safe. This is also why ASP.NET MVC, by default, will block < and > characters on POST to an action.

These days, websites have moved to "markdown". That is, if someone is inputting text and wants part of it bold, they don't input a <b> tag. Instead, they surround the text with **. This is how SO does it. On output, the ** codes are interpreted and converted into valid HTML.

**text**

is converted to

<b>text</b>

StackOverflow has its own markdown syntax. GitHub has its own version. You can create your own if you want.

MarkdownSharp is a markdown engine written in C#. You could just adapt it.

  • Thanks a lot for this wonderful answer. I will definitely take care of security, too. At first, security wasn't my thought at all. One more question: what if a user types in `**text` and not as it should be? I guess Markdown has some mechanism inside to check for correct forming of tags? So `**text` would not be parsed into `<b>text`? – FrenkyB Jul 20 '13 at 05:36
  • Correct. Most likely it would just be left as `**text`. – Matt Houser Jul 20 '13 at 14:18
  • While creating (or reusing an existing) markdown engine is an option you can also easily extend the existing ASP.NET Razor view engine and pull views from other sources, like embedded resources or even a database by using a custom VirtualPathProvider. Check out this question and the two links the answer provides: http://stackoverflow.com/questions/4218454/asp-net-mvc-load-razor-view-from-database – Nick Bork Aug 01 '13 at 18:14
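The points made in the answer and its comments (Razor encodes by default, `Html.Raw` passes everything through, a stray `<b>` or a `<script>` tag in raw content reaches the browser, and a markdown-style layer that leaves an unbalanced `**text` alone avoids all of that) can be shown in a few lines. The following is an added console example, not code from the question, the answer, MarkdownSharp or ASP.NET MVC. The `SafeContentRenderer` class and its `Render` method are hypothetical names; the only framework call it relies on is `System.Net.WebUtility.HtmlEncode` (available since .NET 4.0), so it runs as a plain console app without MVC installed. The sample inputs are constructed for the demonstration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical renderer (example code, not part of ASP.NET MVC or MarkdownSharp).
// Strategy: HTML-encode the user's text FIRST, then convert a tiny markdown
// subset on the encoded text. Every tag in the output is therefore one this
// code emitted; nothing the user typed can ever be interpreted as markup.
public static class SafeContentRenderer
{
    // Only a balanced **text** pair becomes <b>text</b>. An unbalanced "**text"
    // does not match and is left exactly as typed, as the comments above describe.
    private static readonly Regex Bold =
        new Regex(@"\*\*(.+?)\*\*", RegexOptions.Singleline);

    public static string Render(string userText)
    {
        // Step 1: neutralise <, >, &, " and ' so "<b>" or "<script>" become text.
        string encoded = WebUtility.HtmlEncode(userText ?? string.Empty);

        // Step 2: apply the markdown subset to the already-encoded text.
        // The result is safe to emit with @Html.Raw(...) in a Razor view,
        // because this method is the only thing that ever produces a tag.
        return Bold.Replace(encoded, "<b>$1</b>");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed samples mirroring the cases discussed in the answer.
        string[] samples =
        {
            "**bold** and plain",             // well-formed markdown: <b>bold</b> and plain
            "**text",                         // unbalanced: stays "**text"
            "<b>text",                        // raw tag: &lt;b&gt;text, nothing goes bold
            "<script>alert('xss')</script>",  // script: encoded, never executes
            "1 < 2 and **3 > 2**",            // brackets inside markdown: encoded, bold kept
        };

        Console.WriteLine("Markdown-style rendering (encode first, then convert):");
        foreach (string s in samples)
        {
            Console.WriteLine("  {0,-32} => {1}", s, SafeContentRenderer.Render(s));
        }

        // Contrast: what Razor's default encoding sends versus what Html.Raw would send
        // if the same string were stored as raw HTML and output unchanged.
        string malicious = "<script>alert(1)</script>";
        Console.WriteLine();
        Console.WriteLine("Razor default (encoded) : " + WebUtility.HtmlEncode(malicious));
        Console.WriteLine("Html.Raw on stored HTML : " + malicious);
    }
}
```

The order of the two steps is the whole point: encoding after the markdown conversion would also escape the `<b>` tags the renderer just produced, while converting markdown on unencoded text would leave any literal `<script>` the user typed intact. Encoding first and converting second means the stored value is the user's plain markdown (as the answer recommends for the database), and the only HTML that ever reaches `Html.Raw` is HTML this code generated.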