Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
dima_horror2014-04-15 10:55:32
ASP.NET
dima_horror, 2014-04-15 10:55:32

RazorEngine - how to disable the use of Namespace when generating a page?

Good afternoon.
I'm using RazorEngine in my solution to generate dynamic pages from a database.
The pages themselves (Views), ordinary users of the site can edit in their account.
(Used to generate PDF files, DOC files, and the MasterPage of their personal page).
Example:

<p>Total to pay: @Model["PAYABLE"] @Model["CURRENCY"]</p>

Or
@foreach(string link in Model.StylesLinks){
  <link rel="stylesheet" href="@link" />
}

All functionality is implemented, but there is one big hole in the system.
Now any user can execute absolutely any code.
For example, it can easily display a list of connections:
@foreach (System.Configuration.ConnectionStringSettings conn in System.Configuration.ConfigurationManager.ConnectionStrings)
{
    @:@conn.ConnectionString<br/>
}

Then, using this connection, he can connect to the base, and do whatever he wants.
Question : how can I prevent the use of a namespace, such as "System"?
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Simply replacing the word "System" in the text with another is not appropriate. You can always get a class simply by its name. (+ there are many more ways to do it)
Type sys = Type.GetType("Sys" + "tem.Configuration.ConfigurationManager");

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
L
lam0x86, 2014-04-15
@dima_horror

You should not give users the opportunity to write views on the break. Even if you start rendering pages in a separate AppDomain, cutting off the rights to execute malicious code, there is always a chance that the user will write something massive that will load the processor core by 100%, which will make the site unavailable.
It is much more reliable (but also more difficult, of course) to make your own Domain Specific Language, which will extend plain HTML with special constructs necessary for your application.

Report
D
Dmitry Guketlev, 2014-04-15
@Yavanosta

Use a different templating engine.

Similar questions
R
ruslannafisovich2018-02-13 09:31:07
How to implement multiple file upload in Swagger? 0Reply
F
FairyFox57002020-04-23 15:34:51
How and when should a jwt token be issued to a user and a refresh token generated? 1Reply
M
mindgrow2018-02-18 17:24:51
ASP MVC how to add condition for div block attribute substitution? 1Reply
S
slink75762018-02-19 22:00:27
What does a junior asp.net developer need to know? 2Reply
D
Dmitry Smolyakov2015-10-17 23:42:53
Is it possible to have multiple controllers and one delegate? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question