To dynamically inject links from the task content to the keyword detail content, I decided to inject the links using Regex.Replace just prior to displaying the task content. So I wrote a helper that the Razor page could call to make the replacements.
For this to work, I needed each task to have a property containing the list of keywords that applied to its content, so I could pass these into the helper method. I didn't want to store these keywords with the task, as then I'd need a housekeeping task to keep the lists up to date with the detail content.
So I used LINQ to SQL to dynamically look up the keywords found in the content, which I then assigned to my new property. To prevent the new property from being automatically added to the task table, Entity Framework lets you annotate properties on your entity classes with the NotMapped attribute. This basically says: I'm going to calculate the values for this property myself, in code.
To verify that EF was making the queries that I was expecting, I used a SQL profiler. I could see that the correct queries were being made and that SQL Server was correctly caching queries that had already been run.
Note about XSS: I've been reading up on cross-site scripting (XSS) and how pages can be vulnerable to such an attack if content containing HTML elements is not HTML-encoded prior to display.
In this solution I'm injecting links into content, and for the links to be rendered correctly by the browser I'm bypassing HTML encoding of the content using @Html.Raw. So, to prevent a vulnerability, my helper method HTML-encodes the content first and only then injects the links. This way, the only HTML that reaches the browser is the links injected by my managed code; everything that came from the content itself arrives encoded.
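As an added example (not the post's own helper), here is a single-pass version of the encode-then-inject helper described above. It assumes a hypothetical Keyword class with Id and Name properties and a detail route of /Keywords/Details/{id}; it goes a little beyond the text by matching all keywords in one alternation so that one injected anchor can never be matched again by a later keyword.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical entity shape; the post's real Keyword type is not shown.
public sealed class Keyword
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public static class KeywordLinker
{
    // Returns HTML that is safe to hand to @Html.Raw: the task content is
    // encoded before any markup is added, so the only raw HTML in the output
    // is the anchors built here.
    public static string LinkKeywords(string content, IEnumerable<Keyword> keywords)
    {
        if (string.IsNullOrEmpty(content)) return string.Empty;

        // 1. Encode the untrusted content first (this is the XSS defence).
        string encoded = WebUtility.HtmlEncode(content);

        // Keys are the *encoded* keyword names, because we match against
        // encoded text (a keyword "C&D" must be found as "C&amp;D").
        var byEncodedName = keywords
            .Where(k => !string.IsNullOrWhiteSpace(k.Name))
            .GroupBy(k => k.Name, StringComparer.OrdinalIgnoreCase)
            .ToDictionary(g => WebUtility.HtmlEncode(g.Key), g => g.First(),
                          StringComparer.OrdinalIgnoreCase);
        if (byEncodedName.Count == 0) return encoded;

        // 2. One alternation, longest keyword first, so "SQL Server" is not
        //    split by a shorter "SQL" match, and a single pass so no link is
        //    ever injected inside an anchor produced by an earlier keyword.
        string pattern = @"\b(" + string.Join("|",
            byEncodedName.Keys.OrderByDescending(n => n.Length).Select(Regex.Escape)) + @")\b";
        var regex = new Regex(pattern, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

        return regex.Replace(encoded, m =>
        {
            Keyword k = byEncodedName[m.Value];
            // m.Value is already HTML-encoded text, so it is safe as link text.
            string href = "/Keywords/Details/" + Uri.EscapeDataString(k.Id.ToString());
            return "<a href=\"" + href + "\">" + m.Value + "</a>";
        });
    }
}
```

In the Razor page the call would then be @Html.Raw(KeywordLinker.LinkKeywords(task.Content, task.Keywords)), with task.Keywords being the NotMapped property populated from the lookup query.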
The other thing I will need to do before deployment is ensure that the assembly containing the helper is signed with a strong name, to prevent a malicious version being swapped in.